[sudo-workers] Empty SUDOERS_SEARCH_FILTER bug

Daniel Kopeček dkopecek at redhat.com
Thu Aug 31 02:08:28 MDT 2017


Hello,

the sudoers.ldap(5) manual page states that you can use the
`SUDOERS_SEARCH_FILTER ldap_filter` option and omit the ldap_filter value
so that no filter will be used. However, when you try to do that, it seems
that sudo then passes an invalid filter expression to the LDAP API:


---snip---

sudo: ldap search '(sudoUser=*)(sudoUser=+*)'
sudo: searching from base 'ou=SUDOers,dc=localhost,dc=localdomain'
sudo: ldap search pass 2 failed: Bad search filter

---snip---


One can use `SUDOERS_SEARCH_FILTER (objectClass=*)` to work around this.


Regards,

Daniel
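
Why the filter in the log above is rejected, as an added example that is not part of the original message and is not sudo's code: in the RFC 4515 grammar a search filter is exactly one parenthesized filter, so two adjacent terms need an enclosing (&...) or (|...). The function names and the wrapped sample string are assumptions made for illustration, and the check is structural only.

```c
#include <stdio.h>
/* Structural check only (RFC 4515 shape); attribute names and value
 * escaping are not validated. Parses one "(" filtercomp ")" at *p. */
static int parse_filter(const char **p, int depth)
{
    const char *s = *p;
    int n = 0, has_eq = 0;
    if (depth > 64 || *s++ != '(')
        return 0;
    if (*s == '&' || *s == '|') {          /* and/or: one or more filters */
        for (s++; *s == '('; n++)
            if (!parse_filter(&s, depth + 1))
                return 0;
        if (n == 0)
            return 0;
    } else if (*s == '!') {                /* not: exactly one filter */
        s++;
        if (!parse_filter(&s, depth + 1))
            return 0;
    } else {                               /* item: attr <op> value */
        for (const char *start = s; *s && *s != '(' && *s != ')'; s++)
            if (*s == '=' && s > start)
                has_eq = 1;
        if (!has_eq)
            return 0;
    }
    if (*s != ')')
        return 0;
    *p = s + 1;
    return 1;
}

/* A search filter must be exactly one filter with nothing trailing. */
int ldap_filter_is_single(const char *s)
{
    return s != NULL && parse_filter(&s, 0) && *s == '\0';
}
int main(void)
{
    const char *samples[] = {
        "(sudoUser=*)(sudoUser=+*)",        /* from the log in the report */
        "(&(sudoUser=*)(sudoUser=+*))",     /* constructed: same terms, wrapped */
        "(objectClass=*)",                  /* the workaround value */
    };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-30s %s\n", samples[i],
               ldap_filter_is_single(samples[i]) ? "ok" : "rejected");
    return 0;
}
```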


