[gentoo-user] sudo -l strange behaviour when used via LDAP
From: Giampiero Gabbiani @ 2010-08-22 20:26 UTC
To: gentoo-user

Hi all,
I configured sudo in order to use LDAP and set the corresponding defaults in 
the DIT to ignore_local_sudoers.
After populating the DIT with the rules, sudo works perfectly but I have a 
problem with the list option of sudo (-l).

It seems like sudo -l for NORMAL users (i.e. not root) doesn't print the 
corresponding matched rule when this comes from LDAP. More exactly, it matches 
the rule (and actually the user can perform the commands he is enabled to do) 
BUT they are not shown with the list option.

After setting sudoers_debug to 2 in /etc/ldap.conf.sudo I obtain the 
following:

giampa@athena ~ $ sudo -l
LDAP Config Summary
===================
host             vesta.homenet.telecomitalia.it
port             -1
ldap_version     3
sudoers_base     ou=sudoers,dc=gabbiani,dc=org
binddn           (anonymous)
bindpw           (anonymous)
ssl              (no)
===================
sudo: ldap_create()
sudo: ldap_set_option(LDAP_OPT_HOST_NAME, vesta.homenet.telecomitalia.it)
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_sasl_bind_s() ok
sudo: found:cn=defaults,ou=SUDOers,dc=gabbiani,dc=org
sudo: ldap sudoOption: 'ignore_local_sudoers'
sudo: ldap sudoHost 'ALL' ... MATCH!
sudo: ldap sudoOption: '!authenticate'
sudo: user_matches=1
sudo: host_matches=1
sudo: sudo_ldap_lookup(52)=0x02
Runas and Command-specific defaults for giampa:


sudo: ldap search '(|(sudoUser=giampa)(sudoUser=%giampa)(sudoUser=%wheel)
(sudoUser=%floppy)(sudoUser=%audio)(sudoUser=%cdrom)(sudoUser=%video)
(sudoUser=%usb)(sudoUser=%portage)(sudoUser=%plugdev)(sudoUser=%netusers)
(sudoUser=%cvsadmin)(sudoUser=ALL))'
sudo: ldap sudoHost 'ALL' ... MATCH!
sudo: ldap search 'sudoUser=+*'

The root user instead correctly prints the list information:

athena ~ # sudo -l
LDAP Config Summary
===================
host             vesta.homenet.telecomitalia.it
port             -1
ldap_version     3
sudoers_base     ou=sudoers,dc=gabbiani,dc=org
binddn           (anonymous)
bindpw           (anonymous)
ssl              (no)
===================
sudo: ldap_create()
sudo: ldap_set_option(LDAP_OPT_HOST_NAME, vesta.homenet.telecomitalia.it)
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_sasl_bind_s() ok
sudo: found:cn=defaults,ou=SUDOers,dc=gabbiani,dc=org
sudo: ldap sudoOption: 'ignore_local_sudoers'
sudo: ldap sudoHost 'ALL' ... MATCH!
sudo: user_matches=1
sudo: host_matches=1
sudo: sudo_ldap_lookup(52)=0x02
Runas and Command-specific defaults for root:


sudo: ldap search '(|(sudoUser=root)(sudoUser=%root)(sudoUser=%bin)
(sudoUser=%daemon)(sudoUser=%sys)(sudoUser=%adm)(sudoUser=%disk)
(sudoUser=%wheel)(sudoUser=%floppy)(sudoUser=%dialout)(sudoUser=%tape)
(sudoUser=%video)(sudoUser=ALL))'
sudo: ldap sudoHost 'ALL' ... MATCH!
sudo: ldap sudoHost 'ALL' ... MATCH!
sudo: ldap search 'sudoUser=+*'
User root may run the following commands on this host:
    (ALL) ALL
    (ALL) NOPASSWD: ALL

The expected behaviour for a NORMAL user is instead (this comes from another 
machine running Mandriva 2010.1):

giampa@vesta ~ $ sudo -l
Runas and Command-specific defaults for giampa:
    ignore_local_sudoers

User giampa may run the following commands on this host:
    (ALL) NOPASSWD: ALL

Is it a bug? Has anyone experienced the same? Is there anything that I need 
to set in Gentoo in order to let a normal user correctly display the sudoers 
commands when they come from LDAP?

Many thanks in advance
Giampiero
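A small parser for the sudoers_debug trace format shown above, added here as an example and not part of the original message: it reports what sudo matched in LDAP (the sudoOptions, the sudoUser subjects it searched for, sudoRole host matches) against what sudo -l actually listed, and flags the mismatch the poster describes. The trace excerpts are constructed from the quoted output, and the 'rule match' heuristic (any MATCH! after the first sudoUser search) is an assumption about the trace layout.

```python
import re
# Constructed excerpts modelled on the sudoers_debug 2 traces quoted above.
GIAMPA_TRACE = """\
sudo: ldap sudoOption: 'ignore_local_sudoers'
sudo: ldap search '(|(sudoUser=giampa)(sudoUser=%giampa)(sudoUser=%wheel)
(sudoUser=%floppy)(sudoUser=ALL))'
sudo: ldap sudoHost 'ALL' ... MATCH!
sudo: ldap search 'sudoUser=+*'
"""
ROOT_TRACE = """\
sudo: ldap sudoOption: 'ignore_local_sudoers'
sudo: ldap search '(|(sudoUser=root)(sudoUser=%root)(sudoUser=%wheel)(sudoUser=ALL))'
sudo: ldap sudoHost 'ALL' ... MATCH!
sudo: ldap search 'sudoUser=+*'
User root may run the following commands on this host:
    (ALL) NOPASSWD: ALL
"""
OPTION_RE = re.compile(r"sudo: ldap sudoOption: '([^']*)'")
SEARCH_RE = re.compile(r"sudo: ldap search '(.*)'")
SUBJECT_RE = re.compile(r"\(sudoUser=([^)]+)\)")

def _join_filters(text):
    # sudo wraps a long search filter; continuation lines start with '('.
    lines = []
    for line in text.splitlines():
        if line.startswith("(") and lines:
            lines[-1] += line
        else:
            lines.append(line)
    return lines

def audit(trace):
    # Collect what sudo matched in LDAP and what it actually listed.
    info = {"options": [], "subjects": [], "rule_matches": 0, "commands": []}
    in_list = searched = False
    for line in _join_filters(trace):
        if in_list and line.startswith(" "):
            info["commands"].append(line.strip())
            continue
        in_list = False
        if m := OPTION_RE.match(line):
            info["options"].append(m.group(1))
        elif m := SEARCH_RE.match(line):
            searched = True  # MATCH! lines from here on are sudoRole hits
            info["subjects"] += SUBJECT_RE.findall(m.group(1))
        elif searched and line.endswith("MATCH!"):
            info["rule_matches"] += 1
        elif "may run the following commands" in line:
            in_list = True
    info["inconsistent"] = info["rule_matches"] > 0 and not info["commands"]
    return info
```

The "subjects" list is also a handy audit of which groups (here %wheel etc.) can grant sudo rights through LDAP for that account.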


