Hi all,

I configured sudo in order to use LDAP and set the corresponding defaults on
the DIT to ignore_local_sudoers.
After populating the DIT with the rules, sudo works perfectly but I have a
problem with the list option of sudo (-l).

It seems like sudo -l for NORMAL users (i.e. not root) doesn't print the
corresponding matched rule when this comes from LDAP. More exactly it matches
the rule (and actually the user can perform the commands he is enabled to do)
BUT they are not shown with the list option.

After setting sudoers_debug to 2 in /etc/ldap.conf.sudo I obtain the
following:

giampa@athena ~ $ sudo -l
LDAP Config Summary
===================
host vesta.homenet.telecomitalia.it
port -1
ldap_version 3
sudoers_base ou=sudoers,dc=gabbiani,dc=org
binddn (anonymous)
bindpw (anonymous)
ssl (no)
===================
sudo: ldap_create()
sudo: ldap_set_option(LDAP_OPT_HOST_NAME, vesta.homenet.telecomitalia.it)
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_sasl_bind_s() ok
sudo: found:cn=defaults,ou=SUDOers,dc=gabbiani,dc=org
sudo: ldap sudoOption: 'ignore_local_sudoers'
sudo: ldap sudoHost 'ALL' ... MATCH!
sudo: ldap sudoOption: '!authenticate'
sudo: user_matches=1
sudo: host_matches=1
sudo: sudo_ldap_lookup(52)=0x02
Runas and Command-specific defaults for giampa:


sudo: ldap search '(|(sudoUser=giampa)(sudoUser=%giampa)(sudoUser=%wheel)
(sudoUser=%floppy)(sudoUser=%audio)(sudoUser=%cdrom)(sudoUser=%video)
(sudoUser=%usb)(sudoUser=%portage)(sudoUser=%plugdev)(sudoUser=%netusers)
(sudoUser=%cvsadmin)(sudoUser=ALL))'
sudo: ldap sudoHost 'ALL' ... MATCH!
sudo: ldap search 'sudoUser=+*'

The root user instead correctly prints the list information:

athena ~ # sudo -l
LDAP Config Summary
===================
host vesta.homenet.telecomitalia.it
port -1
ldap_version 3
sudoers_base ou=sudoers,dc=gabbiani,dc=org
binddn (anonymous)
bindpw (anonymous)
ssl (no)
===================
sudo: ldap_create()
sudo: ldap_set_option(LDAP_OPT_HOST_NAME, vesta.homenet.telecomitalia.it)
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_sasl_bind_s() ok
sudo: found:cn=defaults,ou=SUDOers,dc=gabbiani,dc=org
sudo: ldap sudoOption: 'ignore_local_sudoers'
sudo: ldap sudoHost 'ALL' ... MATCH!
sudo: user_matches=1
sudo: host_matches=1
sudo: sudo_ldap_lookup(52)=0x02
Runas and Command-specific defaults for root:


sudo: ldap search '(|(sudoUser=root)(sudoUser=%root)(sudoUser=%bin)
(sudoUser=%daemon)(sudoUser=%sys)(sudoUser=%adm)(sudoUser=%disk)
(sudoUser=%wheel)(sudoUser=%floppy)(sudoUser=%dialout)(sudoUser=%tape)
(sudoUser=%video)(sudoUser=ALL))'
sudo: ldap sudoHost 'ALL' ... MATCH!
sudo: ldap sudoHost 'ALL' ... MATCH!
sudo: ldap search 'sudoUser=+*'
User root may run the following commands on this host:
    (ALL) ALL
    (ALL) NOPASSWD: ALL

The expected behaviour for a NORMAL user is instead (this comes from another
machine running Mandriva 2010.1):

giampa@vesta ~ $ sudo -l
Runas and Command-specific defaults for giampa:
    ignore_local_sudoers

User giampa may run the following commands on this host:
    (ALL) NOPASSWD: ALL

Is it a bug? Is there anyone who experienced the same? Is there anything
that I have to set in Gentoo in order to let a normal user correctly display the
sudoers commands when they come from LDAP?

Many thanks in advance
Giampiero
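Added example (not from the original post or from sudo itself): a small parser for the `sudo -l` transcripts produced with sudoers_debug=2, so the two runs above can be compared mechanically. It extracts the config summary, the sudoOptions applied from cn=defaults, the user/host match flags and the command listing, and flags the symptom described (rules matched, nothing listed); the samples are constructed by trimming the transcripts quoted in the post.

```python
import re

def parse_sudo_ldap_debug(text):
    """Parse one `sudo -l` transcript produced with sudoers_debug=2 into the
    config summary, the sudoOptions applied, match flags and listed commands."""
    r = {"config": {}, "options": [], "user_matches": False,
         "host_matches": False, "user": None, "commands": []}
    in_summary = in_commands = False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("==="):  # the config summary is fenced by === rules
            in_summary = not in_summary
        elif in_summary:
            key, _, value = line.partition(" ")
            r["config"][key] = value
        elif m := re.match(r"sudo: ldap sudoOption: '(.+)'$", line):
            r["options"].append(m.group(1))
        elif m := re.match(r"sudo: (user|host)_matches=(\d)", line):
            r[m.group(1) + "_matches"] = m.group(2) == "1"
        elif m := re.match(r"User (\S+) may run the following", line):
            r["user"], in_commands = m.group(1), True
        elif in_commands and line:
            r["commands"].append(line)  # one "(runas) command" entry per line
    return r

def listing_missing(r):  # the symptom in the post: rules matched, nothing listed
    return r["user_matches"] and r["host_matches"] and not r["commands"]

def ldap_unencrypted(r):  # summary shows the sudoers rules fetched without SSL
    return r["config"].get("ssl") == "(no)"

# Constructed samples, trimmed from the two transcripts quoted in the post.
NORMAL_USER = """\
LDAP Config Summary
===================
sudoers_base ou=sudoers,dc=gabbiani,dc=org
ssl (no)
===================
sudo: ldap sudoOption: 'ignore_local_sudoers'
sudo: ldap sudoHost 'ALL' ... MATCH!
sudo: user_matches=1
sudo: host_matches=1
Runas and Command-specific defaults for giampa:
sudo: ldap search 'sudoUser=+*'
"""
ROOT_USER = NORMAL_USER.replace("giampa", "root") + """\
User root may run the following commands on this host:
    (ALL) ALL
    (ALL) NOPASSWD: ALL
"""
```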