[sudo-workers] Re: Sudo 1.6.8rc5 Ldap Group lookup
Aaron Spangler
as at insight.rr.com
Tue Aug 10 23:15:28 EDT 2004
Jacob,
I'm glad to see that the query is being built correctly. Also it's okay
that the primary group is listed twice in the search. It should match
exactly against Solaris's "id -a" command. On some OS's the secondary
groups don't always contain the primary gid. Even though the search
query contains a duplicate group, the LDAP server still returns the same
number of entries and works fine in both situations. Some LDAP servers
optimize away the duplicate boolean OR condition anyway.
As for caching, circa Solaris 2.4 & higher have 'nscd' which caches the
getgrXX() calls [as well as others]. Also you must re-login to inherit
new groups that have been recently added. Also if you are using NIS or
NIS+ or LDAP then replications may have not made it fully around until
after you logged in. Also some NIS slaves may not have a properly
updated 'netid' map which contain shorthand lookups so that the entire
group map does not need to be scanned. Any number of things could have
caused the anomaly you saw earlier.
I hope things work better for you now. Don't forget to turn off sudo
debugging or everyone using sudo will get debugging messages.
- Aaron
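As an added illustration (not code from sudo, and not from anyone in this thread) of the lookup described here: the primary group from getgrgid(getgid()), the supplementary list from getgroups(0, NULL) followed by getgroups(), and the (|(sudoUser=...)...(sudoUser=ALL)) filter that appears in the debug output below. It reproduces the duplicated primary group, which is harmless as explained above, next to a deduplicated variant, and it escapes each value per RFC 4515 so that a user or group name containing filter metacharacters cannot change the filter's meaning. The function names, the dedup flag and the escaping step are this example's own assumptions, not a description of what sudo itself does.

```c
#define _POSIX_C_SOURCE 200809L
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Escape one LDAP assertion value (RFC 4515, section 3) so that a user or
 * group name containing '*', '(', ')' or '\' cannot alter the filter.
 * Returns bytes written (excluding the NUL) or -1 if out is too small. */
static int ldap_escape_value(const char *in, char *out, size_t outlen)
{
    size_t pos = 0;
    for (; *in; in++) {
        const char *esc = NULL;
        switch (*in) {
        case '*':  esc = "\\2a"; break;
        case '(':  esc = "\\28"; break;
        case ')':  esc = "\\29"; break;
        case '\\': esc = "\\5c"; break;
        }
        size_t need = esc ? 3 : 1;
        if (pos + need >= outlen)      /* keep room for the terminating NUL */
            return -1;
        if (esc) memcpy(out + pos, esc, 3); else out[pos] = *in;
        pos += need;
    }
    out[pos] = '\0';
    return (int)pos;
}

/* Append s to buf (capacity cap, current length *len); -1 on overflow. */
static int append(char *buf, size_t cap, size_t *len, const char *s)
{
    size_t n = strlen(s);
    if (*len + n >= cap) return -1;
    memcpy(buf + *len, s, n + 1);      /* copies the NUL as well */
    *len += n;
    return 0;
}

/* Append one "(sudoUser=<prefix><escaped value>)" term. */
static int append_term(char *buf, size_t cap, size_t *len,
                       const char *prefix, const char *value)
{
    char esc[512];
    if (ldap_escape_value(value, esc, sizeof esc) < 0) return -1;
    if (append(buf, cap, len, "(sudoUser=") || append(buf, cap, len, prefix) ||
        append(buf, cap, len, esc) || append(buf, cap, len, ")"))
        return -1;
    return 0;
}

/* Build the filter in the layout shown by the thread's debug output:
 * (|(sudoUser=<user>)(sudoUser=%<primary>)(sudoUser=%<g>)...(sudoUser=ALL))
 * With dedup set, a group already emitted (the primary included) is skipped.
 * Returns a malloc'd string, or NULL on failure. Hypothetical helper. */
char *build_sudo_user_filter(const char *user, const char *primary,
                             const char **groups, size_t ngroups, int dedup)
{
    size_t cap = 64 + 3 * strlen(user) + 3 * strlen(primary);
    for (size_t i = 0; i < ngroups; i++) cap += 16 + 3 * strlen(groups[i]);
    char *buf = malloc(cap);
    if (!buf) return NULL;
    size_t len = 0;
    buf[0] = '\0';
    if (append(buf, cap, &len, "(|") || append_term(buf, cap, &len, "", user) ||
        append_term(buf, cap, &len, "%", primary)) goto fail;
    for (size_t i = 0; i < ngroups; i++) {
        if (dedup) {
            int seen = strcmp(groups[i], primary) == 0;
            for (size_t j = 0; j < i && !seen; j++)
                seen = strcmp(groups[i], groups[j]) == 0;
            if (seen) continue;
        }
        if (append_term(buf, cap, &len, "%", groups[i])) goto fail;
    }
    if (append_term(buf, cap, &len, "", "ALL") || append(buf, cap, &len, ")"))
        goto fail;
    return buf;
fail:
    free(buf);
    return NULL;
}

/* Gather supplementary group names the way the thread describes sudo doing
 * it: getgroups(0, NULL) for the count, then getgroups() for the list, with
 * each gid resolved through getgrgid(). Returns the number of names stored. */
int collect_supplementary_groups(char **names, int max)
{
    int n = getgroups(0, NULL);
    if (n <= 0) return 0;
    gid_t *gids = malloc((size_t)n * sizeof *gids);
    if (!gids) return 0;
    n = getgroups(n, gids);
    int count = 0;
    for (int i = 0; i < n && count < max; i++) {
        struct group *gr = getgrgid(gids[i]);
        if (gr) names[count++] = strdup(gr->gr_name);
    }
    free(gids);
    return count;
}

int main(void)
{
    struct passwd *pw = getpwuid(getuid());
    struct group *pg = getgrgid(getgid());      /* primary group, as sudo does */
    const char *user = pw ? pw->pw_name : "unknown";
    const char *primary = pg ? pg->gr_name : "unknown";
    char *names[64];
    int n = collect_supplementary_groups(names, 64);
    char *raw = build_sudo_user_filter(user, primary, (const char **)names, (size_t)n, 0);
    char *uniq = build_sudo_user_filter(user, primary, (const char **)names, (size_t)n, 1);
    printf("filter as described:     %s\n", raw ? raw : "(error)");
    printf("with duplicates removed: %s\n", uniq ? uniq : "(error)");
    free(raw); free(uniq);
    for (int i = 0; i < n; i++) free(names[i]);
    return 0;
}
```

Run it as the user in question and compare the first line with the `ldap search` line that `sudoers_debug 2` prints; on a host whose getgroups() list repeats the primary gid, the duplicate `(sudoUser=%group)` term shows up exactly as in the debug output quoted below.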
Jacob Pszonowsky wrote:
> Solaris 9 on Sparc with the native ldap libraries.
>
> The ldap query is being built ok - except that one group is being
> duplicated in the search - so it queries for 3 groups - only 2 actual
> group names. The third group that I belong to isn't included.
>
> Here are my group outputs:
> Sun Microsystems Inc. SunOS 5.9 Generic May 2002
> [cds12118:~] jacobp% groups
> cadence1 cvsaccess itadmins
> [cds12118:~] jacobp% id
> uid=32413(jacobp) gid=1001(cadence1)
> [cds12118:~] jacobp% id -a
> uid=32413(jacobp) gid=1001(cadence1)
> groups=1001(cadence1),1244(cvsaccess),1333(itadmins)
> [cds12118:~] jacobp%
>
> And the results of sudo -l with debugging enabled:
> [cds12118:~] jacobp% sudo -l
> LDAP Config Summary
> ===================
> host 158.140.28.207 158.140.62.11 158.140.32.91 158.140.13.73
> 158.140.143.59
> port 389
> ldap_version 3
> uri (NONE)
> sudoers_base ou=Pittsburgh,ou=Sudoers,ou=services,o=cadence.com
> binddn cn=proxyagent,ou=profile,o=cadence.com
> bindpw proxy
> ===================
> ldap_init(158.140.28.207 158.140.62.11 158.140.32.91 158.140.13.73
> 158.140.143.59,389)
> ldap_bind() ok
> found:cn=defaults, ou=Pittsburgh, ou=Sudoers, ou=Services, o=cadence.com
> ldap sudoOption: 'ignore_local_sudoers'
> ldap search
> '(|(sudoUser=jacobp)(sudoUser=%cadence1)(sudoUser=%cadence1)(sudoUser=%cvsaccess)(sudoUser=%itadmins)(sudoUser=ALL))'
> found:cn=Admins, ou=Pittsburgh, ou=Sudoers, ou=Services, o=cadence.com
> ldap sudoHost 'ALL' ... MATCH!
> ldap search 'sudoUser=+*'
> user_matches=-1
> host_matches=-1
> sudo_ldap_check(50)=0x02
> User jacobp may run the following commands on this host:
>
> LDAP Role: Admins
> Commands:
> !/usr/bin/vi /etc/passwd
> !/usr/bin/vi /etc/shadow
> !/usr/bin/vi /etc/ldap.conf
> !sudoedit /etc/passwd
> !sudoedit /etc/shadow
> !sudoedit /etc/ldap.conf
> !sudoedit /etc/nsswitch.conf
> !/usr/sbin/ldapclient
> !/bin/sh
> !/bin/bash
> !/bin/ksh
> !/bin/tcsh
> !/bin/csh
> !/bin/su
> !/grid/common/bin/tcsh
> !/grid/common/bin/bash
> !/usr/ngnu/bin/tcsh
> !/usr/ngnu/bin/bash
> !xterm
> ALL
> [cds12118:~] jacobp%
>
> Of course now it is working. I wonder if somewhere the group call got
> cached?
>
> I'll test some different systems tomorrow and let you know if I see
> any inconsistencies.
>
> Thanks,
> Jake
>
> Jacob Pszonowsky
>
> jdp16 at mac.com
> (c) 415.225.2647
> (f) 415.358.5918
>
> On Aug 10, 2004, at 6:07 PM, Aaron Spangler wrote:
>
>> Hi Jacob,
>>
>> Please let us know what OS & OS Version you are using. Also, if it
>> is original SysV or HP-UX then is there anything in /etc/initgroups?
>>
>> Sudo does three calls to try to determine your groups. The first is
>> getgrgid(getgid()) which returns your primary group. The second is
>> that it calls getgroups(0,NULL) to ask how many groups you
>> belong to. (For memory allocation purposes). Finally it calls
>> getgroups() with a structure to receive the array of groups you
>> belong to.
>>
>> The collection of your username + primary group + all the secondary
>> groups are used to construct a query to send to LDAP.
>>
>> Try turning on ldap debugging (add "sudoers_debug 2" to
>> /etc/ldap.conf) to see that the query is being built correctly.
>>
>> Hope this all helps, let us know the results of the debugging and
>> the results of the "groups" and "id" and "id -a" commands. We'll
>> help debug it and make sudo better.
>>
>> -Aaron
>>
>>
>> Jacob Pszonowsky wrote:
>>
>>> Hey guys -
>>>
>>> I'm having an interesting time trying to figure out how the LDAP
>>> support does the group lookup for a user. Sudo seems to be only
>>> finding 2 of my groups, not my third - even though "groups" reports
>>> all three for me.
>>>
>>> I'm going to go dig around in the code, but I thought I'd post a
>>> question as to how it's supposed to be working.
>>>
>>> Thanks,
>>> Jake
>>>
>>> Jacob Pszonowsky
>>>
>>> jdp16 at mac.com
>>> (c) 415.225.2647
>>> (f) 415.358.5918
>>
>>
>>
>
>
>