[sudo-workers] Re: Sudo 1.6.8rc5 Ldap Group lookup

Aaron Spangler as at insight.rr.com
Tue Aug 10 23:15:28 EDT 2004


Jacob,

I'm glad to see that the query is being built correctly.  Also it's okay 
that the primary group is listed twice in the search.  It should match 
exactly against Solaris's "id -a" command.  On some OSes the secondary 
groups don't always contain the primary gid.  Even though the search 
query contains a duplicate group, the LDAP server still returns the same 
number of entries and works fine in both situations.  Some LDAP servers 
optimize away the duplicate boolean OR condition anyway.

As for caching, circa Solaris 2.4 & higher have 'nscd' which caches the 
getgrXX() calls [as well as others].  Also you must re-login to inherit 
new groups that have been recently added.  Also if you are using NIS or 
NIS+ or LDAP then replications may have not made it fully around until 
after you logged in.  Also some NIS slaves may not have a properly 
updated 'netid' map which contains shorthand lookups so that the entire 
group map does not need to be scanned.  Any number of things could have 
caused the anomaly you saw earlier.

I hope things work better for you now.  Don't forget to turn off sudo 
debugging or everyone using sudo will get debugging messages.

- Aaron


Jacob Pszonowsky wrote:

> Solaris 9 on Sparc with the native ldap libraries.
>
> The ldap query is being built ok - except that one group is being  
> duplicated in the search - so it queries for 3 groups - only 2 actual  
> group names. The third group that I belong to isn't included.
>
> Here are my group outputs:
> Sun Microsystems Inc.   SunOS 5.9       Generic May 2002
> [cds12118:~] jacobp% groups
> cadence1 cvsaccess itadmins
> [cds12118:~] jacobp% id
> uid=32413(jacobp) gid=1001(cadence1)
> [cds12118:~] jacobp% id -a
> uid=32413(jacobp) gid=1001(cadence1)  
> groups=1001(cadence1),1244(cvsaccess),1333(itadmins)
> [cds12118:~] jacobp%
>
> And the results of sudo -l with debugging enabled:
> [cds12118:~] jacobp% sudo -l
> LDAP Config Summary
> ===================
> host         158.140.28.207 158.140.62.11 158.140.32.91 158.140.13.73  
> 158.140.143.59
> port         389
> ldap_version 3
> uri          (NONE)
> sudoers_base ou=Pittsburgh,ou=Sudoers,ou=services,o=cadence.com
> binddn       cn=proxyagent,ou=profile,o=cadence.com
> bindpw       proxy
> ===================
> ldap_init(158.140.28.207 158.140.62.11 158.140.32.91 158.140.13.73  
> 158.140.143.59,389)
> ldap_bind() ok
> found:cn=defaults, ou=Pittsburgh, ou=Sudoers, ou=Services, o=cadence.com
> ldap sudoOption: 'ignore_local_sudoers'
> ldap search  
> '(|(sudoUser=jacobp)(sudoUser=%cadence1)(sudoUser=%cadence1)(sudoUser=%c 
> vsaccess)(sudoUser=%itadmins)(sudoUser=ALL))'
> found:cn=Admins, ou=Pittsburgh, ou=Sudoers, ou=Services, o=cadence.com
> ldap sudoHost 'ALL' ... MATCH!
> ldap search 'sudoUser=+*'
> user_matches=-1
> host_matches=-1
> sudo_ldap_check(50)=0x02
> User jacobp may run the following commands on this host:
>
> LDAP Role: Admins
>   Commands:
>     !/usr/bin/vi /etc/passwd
>     !/usr/bin/vi /etc/shadow
>     !/usr/bin/vi /etc/ldap.conf
>     !sudoedit /etc/passwd
>     !sudoedit /etc/shadow
>     !sudoedit /etc/ldap.conf
>     !sudoedit /etc/nsswitch.conf
>     !/usr/sbin/ldapclient
>     !/bin/sh
>     !/bin/bash
>     !/bin/ksh
>     !/bin/tcsh
>     !/bin/csh
>     !/bin/su
>     !/grid/common/bin/tcsh
>     !/grid/common/bin/bash
>     !/usr/ngnu/bin/tcsh
>     !/usr/ngnu/bin/bash
>     !xterm
>     ALL
> [cds12118:~] jacobp%
>
> Of course now it is working. I wonder if somewhere the group call got  
> cached?
>
> I'll test some different systems tomorrow and let you know if I see 
> any inconsistencies.
>
> Thanks,
> Jake
>
> Jacob Pszonowsky
>
> jdp16 at mac.com
> (c) 415.225.2647
> (f) 415.358.5918
>
> On Aug 10, 2004, at 6:07 PM, Aaron Spangler wrote:
>
>> Hi Jacob,
>>
>> Please let us know what OS & OS Version you are using.  Also, if it 
>> is original SysV or HP-UX then is there anything in /etc/initgroups?
>>
>> Sudo does three calls to try to determine your groups.  The first is  
>> getgrgid(getgid()) which returns your primary group.  The second is  
>> that it calls getgroups(0,NULL) to ask how many groups you  
>> belong to. (For memory allocation purposes).  Finally it calls  
>> getgroups() with a structure to receive the array of groups you 
>> belong to.
>>
>> The collection of your username + primary group + all the secondary  
>> groups is used to construct a query to send to LDAP.
>>
>> Try turning on ldap debugging (add "sudoers_debug 2" to  
>> /etc/ldap.conf) to see that the query is being built correctly.
>>
>> Hope this all helps, let us know the results of the debugging and 
>> the results of the "groups" and "id" and "id -a" commands.  We'll 
>> help debug it and make sudo better.
>>
>> -Aaron
>>
>>
>> Jacob Pszonowsky wrote:
>>
>>> Hey guys -
>>>
>>> I'm having an interesting time trying to figure out how the LDAP  
>>> support does the group lookup for a user. Sudo seems to be only  
>>> finding 2 of my groups, not my third - even though "groups" reports  
>>> all three for me.
>>>
>>> I'm going to go dig around in the code, but I thought I'd post a  
>>> question as to how it's supposed to be working.
>>>
>>> Thanks,
>>> Jake
>>>
>>> Jacob Pszonowsky
>>>
>>> jdp16 at mac.com
>>> (c) 415.225.2647
>>> (f) 415.358.5918
>>
>>
>>
>
>
>
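As an added example (not sudo's code and not from this thread), the C program below performs the three lookups Aaron describes (getgrgid(getgid()), getgroups(0,NULL), then getgroups() with a buffer) and builds the sudoUser filter the way Jacob's trace shows it, duplicated primary group included; the RFC 4515 hex-escaping of names is a hardening step beyond what the thread describes, and the 256-group limit and fixed buffer sizes are assumptions of this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
/* Append "(sudoUser=<pfx><name>)"; pfx is "%" for a group. The name is hex-escaped
 * per RFC 4515 so a group called "ops(*)" cannot alter the filter (hardening not in the thread). */
static int term(char *out, size_t len, size_t *n, const char *pfx, const char *name) {
    char esc[256], *e = esc; int w;
    for (; *name && e < esc + sizeof esc - 4; name++) {
        if (strchr("*()\\", *name)) e += sprintf(e, "\\%02x", (unsigned char)*name);
        else *e++ = *name;
    }
    *e = '\0';
    w = snprintf(out + *n, len - *n, "(sudoUser=%s%s)", pfx, esc);
    if (w < 0 || (size_t)w >= len - *n) return -1;
    *n += (size_t)w;
    return 0;
}

/* Filter as the thread describes: user, primary group, every getgroups() entry (so the
 * primary can repeat, as in Jacob's trace), then ALL. Returns the length or -1 if it does not fit. */
int build_sudo_filter(const char *user, const char *primary, const char **groups,
                      int ngroups, char *out, size_t len) {
    size_t n = 2; int i, w;
    if (len < 4) return -1;
    memcpy(out, "(|", 3);
    if (term(out, len, &n, "", user) || term(out, len, &n, "%", primary)) return -1;
    for (i = 0; i < ngroups; i++)
        if (term(out, len, &n, "%", groups[i])) return -1;
    w = snprintf(out + n, len - n, "(sudoUser=ALL))");
    return (w < 0 || (size_t)w >= len - n) ? -1 : (int)(n + (size_t)w);
}

/* The three lookups the thread lists, run for the current user, then the query sudo would send. */
int main(void) {
    gid_t gids[256]; const char *names[256]; char filter[4096];
    struct passwd *pw = getpwuid(getuid());
    struct group *gr = getgrgid(getgid());            /* 1: primary group */
    char *primary = strdup(gr ? gr->gr_name : "?");
    int i, n = getgroups(0, NULL);                    /* 2: how many groups */
    n = getgroups(n > 256 ? 256 : n, gids);           /* 3: the list itself */
    for (i = 0; i < n; i++) {                         /* getgrgid() reuses a static buffer */
        gr = getgrgid(gids[i]); names[i] = strdup(gr ? gr->gr_name : "?");
    }
    if (build_sudo_filter(pw ? pw->pw_name : "?", primary, names, n, filter, sizeof filter) > 0)
        printf("ldap search '%s'\n", filter);
    return 0;
}
```

Comparing the printed filter with the one in a "sudoers_debug 2" trace shows directly whether a missing group was dropped by the getgroups() list (stale login, nscd, NIS replication) or by the LDAP side.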




