[sudo-workers] Re: Sudo 1.6.8rc5 Ldap Group lookup
Jacob Pszonowsky
jdp16 at mac.com
Wed Aug 11 16:19:55 EDT 2004
Thanks Aaron. It looks like it was an issue of a new group being
created and I wasn't logging back in.
Everything else looks good.
Thanks,
Jake
Jacob Pszonowsky
jdp16 at mac.com
(c) 415.225.2647
(f) 415.358.5918
On Aug 10, 2004, at 8:15 PM, Aaron Spangler wrote:
> Jacob,
>
> I'm glad to see that the query is being built correctly. Also it's
> okay that the primary group is listed twice in the search. It should
> match exactly against Solaris's "id -a" command. On some OS's the
> secondary groups don't always contain the primary gid. Even though
> the search query contains a duplicate group, the LDAP server still
> returns the same number of entries and works fine in both situations.
> Some LDAP servers optimize away the duplicate boolean OR condition
> anyway.
>
> As for caching, circa Solaris 2.4 & higher have 'nscd' which caches
> the getgrXX() calls [as well as others]. Also you must re-login to
> inherit new groups that have been recently added. Also if you are
> using NIS or NIS+ or LDAP then replications may have not made it fully
> around until after you logged in. Also some NIS slaves may not have a
> properly updated 'netid' map which contain shorthand lookups so that
> the entire group map does not need to be scanned. Any number of
> things could have caused the anomaly you saw earlier.
>
> I hope things work better for you now. Don't forget to turn off sudo
> debugging or everyone using sudo will get debugging messages.
>
> - Aaron
>
>
> Jacob Pszonowsky wrote:
>
>> Solaris 9 on Sparc with the native ldap libraries.
>>
>> The ldap query is being built ok - except that one group is being
>> duplicated in the search - so it queries for 3 groups - only 2 actual
>> group names. The third group that I belong to isn't included.
>>
>> Here are my group outputs:
>> Sun Microsystems Inc. SunOS 5.9 Generic May 2002
>> [cds12118:~] jacobp% groups
>> cadence1 cvsaccess itadmins
>> [cds12118:~] jacobp% id
>> uid=32413(jacobp) gid=1001(cadence1)
>> [cds12118:~] jacobp% id -a
>> uid=32413(jacobp) gid=1001(cadence1)
>> groups=1001(cadence1),1244(cvsaccess),1333(itadmins)
>> [cds12118:~] jacobp%
>>
>> And the results of sudo -l with debugging enabled:
>> [cds12118:~] jacobp% sudo -l
>> LDAP Config Summary
>> ===================
>> host 158.140.28.207 158.140.62.11 158.140.32.91 158.140.13.73
>> 158.140.143.59
>> port 389
>> ldap_version 3
>> uri (NONE)
>> sudoers_base ou=Pittsburgh,ou=Sudoers,ou=services,o=cadence.com
>> binddn cn=proxyagent,ou=profile,o=cadence.com
>> bindpw proxy
>> ===================
>> ldap_init(158.140.28.207 158.140.62.11 158.140.32.91 158.140.13.73
>> 158.140.143.59,389)
>> ldap_bind() ok
>> found:cn=defaults, ou=Pittsburgh, ou=Sudoers, ou=Services,
>> o=cadence.com
>> ldap sudoOption: 'ignore_local_sudoers'
>> ldap search
>> '(|(sudoUser=jacobp)(sudoUser=%cadence1)(sudoUser=%cadence1)(sudoUser=%cvsaccess)(sudoUser=%itadmins)(sudoUser=ALL))'
>> found:cn=Admins, ou=Pittsburgh, ou=Sudoers, ou=Services, o=cadence.com
>> ldap sudoHost 'ALL' ... MATCH!
>> ldap search 'sudoUser=+*'
>> user_matches=-1
>> host_matches=-1
>> sudo_ldap_check(50)=0x02
>> User jacobp may run the following commands on this host:
>>
>> LDAP Role: Admins
>> Commands:
>> !/usr/bin/vi /etc/passwd
>> !/usr/bin/vi /etc/shadow
>> !/usr/bin/vi /etc/ldap.conf
>> !sudoedit /etc/passwd
>> !sudoedit /etc/shadow
>> !sudoedit /etc/ldap.conf
>> !sudoedit /etc/nsswitch.conf
>> !/usr/sbin/ldapclient
>> !/bin/sh
>> !/bin/bash
>> !/bin/ksh
>> !/bin/tcsh
>> !/bin/csh
>> !/bin/su
>> !/grid/common/bin/tcsh
>> !/grid/common/bin/bash
>> !/usr/ngnu/bin/tcsh
>> !/usr/ngnu/bin/bash
>> !xterm
>> ALL
>> [cds12118:~] jacobp%
>>
>> Of course now it is working. I wonder if somewhere the group call got
>> cached?
>>
>> I'll test some different systems tomorrow and let you know if I see
>> any inconsistencies.
>>
>> Thanks,
>> Jake
>>
>> Jacob Pszonowsky
>>
>> jdp16 at mac.com
>> (c) 415.225.2647
>> (f) 415.358.5918
>>
>> On Aug 10, 2004, at 6:07 PM, Aaron Spangler wrote:
>>
>>> Hi Jacob,
>>>
>>> Please let us know what OS & OS Version you are using. Also, if it
>>> is original SysV or HP-UX then is there anything in
>>> /etc/initgroups?
>>>
>>> Sudo does three calls to try to determine your groups. The first is
>>> getgrgid(getgid()) which returns your primary group. The second is
>>> that it calls getgroups(0,NULL) to ask how many groups you
>>> belong to. (For memory allocation purposes). Finally it calls
>>> getgroups() with a structure to receive the array of groups you
>>> belong to.
>>>
>>> The collection of your username + primary group + all the secondary
>>> groups are used to construct a query to send to LDAP.
>>>
>>> Try turning on ldap debugging (add "sudoers_debug 2" to
>>> /etc/ldap.conf) to see that the query is being built correctly.
>>>
>>> Hope this all helps, let us know the results of the debugging and
>>> the results of the "groups" and "id" and "id -a" commands. We'll
>>> help debug it and make sudo better.
>>>
>>> -Aaron
>>>
>>>
>>> Jacob Pszonowsky wrote:
>>>
>>>> Hey guys -
>>>>
>>>> I'm having an interesting time trying to figure out how the LDAP
>>>> support does the group lookup for a user. Sudo seems to be only
>>>> finding 2 of my groups, not my third - even though "groups" reports
>>>> all three for me.
>>>>
>>>> I'm going to go dig around in the code, but I thought I'd post a
>>>> question as to how it's supposed to be working.
>>>>
>>>> Thanks,
>>>> Jake
>>>>
>>>> Jacob Pszonowsky
>>>>
>>>> jdp16 at mac.com
>>>> (c) 415.225.2647
>>>> (f) 415.358.5918
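An added example, written for this page and not sudo's own code, of the group collection and query construction Aaron describes above: getgrgid(getgid()) for the primary group, getgroups(0, NULL) for the count, getgroups() again to fill the array, and then the user name, primary group and secondary groups folded into one sudoUser filter of the shape seen in Jake's debug output. It assumes a POSIX system and goes beyond what the page says sudo 1.6.8 did in two ways: it drops the duplicated primary group (harmless, as Aaron notes, but tidier) and escapes filter metacharacters per RFC 4515 so a group name containing '*', '(' or ')' cannot change the meaning of the filter. The function names are my own, not sudo's.

```c
#define _POSIX_C_SOURCE 200809L
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Append src to the NUL-terminated string in dst (capacity cap), escaping
 * the RFC 4515 filter metacharacters '*', '(', ')' and '\' as \2a \28 \29
 * \5c. Returns 0, or -1 if dst would overflow. This escaping is added
 * hardening, not something the thread says sudo 1.6.8 did. */
static int append_escaped(char *dst, size_t cap, const char *src)
{
    size_t len = strlen(dst);
    for (; *src != '\0'; src++) {
        unsigned char c = (unsigned char)*src;
        if (c == '*' || c == '(' || c == ')' || c == '\\') {
            if (len + 3 >= cap)
                return -1;
            snprintf(dst + len, cap - len, "\\%02x", c);
            len += 3;
        } else {
            if (len + 1 >= cap)
                return -1;
            dst[len++] = (char)c;
            dst[len] = '\0';
        }
    }
    return 0;
}

/* Append a literal piece of the filter, checking for room first. */
static int append_lit(char *dst, size_t cap, const char *lit)
{
    if (strlen(dst) + strlen(lit) >= cap)
        return -1;
    strcat(dst, lit);
    return 0;
}

/* Build (|(sudoUser=USER)(sudoUser=%G1)...(sudoUser=ALL)) from the user
 * name and ngroups group names. A name already emitted (the primary group
 * reported again by getgroups(), as in the Solaris "id -a" output above)
 * is skipped. Returns 0, or -1 if buf (capacity cap) is too small. */
int build_sudo_user_filter(char *buf, size_t cap, const char *user,
                           const char **groups, int ngroups)
{
    if (cap == 0)
        return -1;
    buf[0] = '\0';
    if (append_lit(buf, cap, "(|(sudoUser=") < 0 ||
        append_escaped(buf, cap, user) < 0)
        return -1;
    for (int i = 0; i < ngroups; i++) {
        int seen = 0;
        for (int j = 0; j < i && !seen; j++)
            seen = (strcmp(groups[i], groups[j]) == 0);
        if (seen)
            continue;
        if (append_lit(buf, cap, ")(sudoUser=%") < 0 ||
            append_escaped(buf, cap, groups[i]) < 0)
            return -1;
    }
    return append_lit(buf, cap, ")(sudoUser=ALL))");
}

/* The three calls Aaron lists, then the filter for the calling user. */
int main(void)
{
    char filter[2048];
    struct passwd *pw = getpwuid(getuid());
    struct group *primary = getgrgid(getgid());     /* 1: primary group */
    int n = getgroups(0, NULL);                     /* 2: how many groups */
    if (pw == NULL || primary == NULL || n < 0) {
        perror("group lookup");
        return 1;
    }
    char *primary_name = strdup(primary->gr_name);  /* getgr* reuses its buffer */
    gid_t *gids = calloc((size_t)n + 1, sizeof *gids);
    const char **names = calloc((size_t)n + 1, sizeof *names);
    if (primary_name == NULL || gids == NULL || names == NULL)
        return 1;
    n = getgroups(n, gids);                         /* 3: fetch the array */
    int count = 0;
    names[count++] = primary_name;
    for (int i = 0; i < n; i++) {
        struct group *g = getgrgid(gids[i]);
        char *name = (g != NULL) ? strdup(g->gr_name) : NULL;
        if (name != NULL)
            names[count++] = name;
    }
    if (build_sudo_user_filter(filter, sizeof filter, pw->pw_name,
                               names, count) == 0)
        printf("ldap search '%s'\n", filter);
    else
        fprintf(stderr, "filter too long for buffer\n");
    for (int i = 0; i < count; i++)
        free((char *)names[i]);
    free(names);
    free(gids);
    return 0;
}
```

Run as the user in question and compare the printed filter against the "ldap search" line sudo prints with sudoers_debug on; a group present in "id -a" but missing from the filter points at the NSS lookup (getgroups/getgrgid, nscd) rather than at sudo's LDAP code, which is exactly the split Aaron draws above.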