Getting, for me, some strange LDAP errors/indicators. This is an OpenLDAP 2.4.40 on CentOS 7. The sudoers rules are being "seen" but not implemented:

# sudo -l -U jdoe
Matching Defaults entries for jdoe on this host:
    requiretty, !visiblepw, always_set_home, env_reset,
    env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User jdoe may run the following commands on this host:
    (root) /usr/sbin/tcpdump
    (root) ALL
    (ALL) ALL

When user jdoe tries to run a sudo command:

# sudo su -
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: tls_checkpeer -> 0
sudo: ldap_set_option: tls_cacertfile -> /etc/openldap/CA/cacert.pem
sudo: ldap_set_option: tls_cacert -> /etc/openldap/CA/cacert.pem
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 30)
sudo: ldap_start_tls_s() ok
sudo: ldap_sasl_bind_s() ok
sudo: Looking for cn=defaults: cn=defaults
sudo: no default options found in ou=sudoers,dc=example,dc=com
sudo: ldap search '(|(sudoUser=jdoe)(sudoUser=#12345)(sudoUser=%Example)(sudoUser=%#12345)(sudoUser=%Admin)(sudoUser=%Group1)(sudoUser=%GROUP2)(sudoUser=%GROUP3)(sudoUser=%GROUP4)(sudoUser=ALL))'
sudo: searching from base 'ou=sudoers,dc=example,dc=com'
sudo: adding search result
sudo: result now has 1 entries
sudo: ldap search '(sudoUser=+*)'
sudo: searching from base 'ou=sudoers,dc=example,dc=com'
sudo: adding search result
sudo: result now has 1 entries
sudo: sorting remaining 1 entries
sudo: searching LDAP for sudoers entries
sudo: Command allowed
sudo: LDAP entry: 0x7fdfb8bc2260
sudo: done with LDAP searches
sudo: user_matches=1
sudo: host_matches=1
sudo: sudo_ldap_lookup(0)=0x02
Sorry, try again.
Sorry, try again.
Sorry, try again.
sudo: 3 incorrect password attempts

Also seeing in the log files, that

bdb_substring_candidates: (sudoHost) not indexed

But, it is indexed:

olcDbIndex: sudoHost eq

Thanks in advance for assistance. This is a new environment that is mimicking another LDAP environment, running 2.4.39 on CentOS 5.12, which is running flawlessly.

John D. Borresen (Dave)
Linux/Unix Systems Administrator
MIT Lincoln Laboratory
Email: john.borresen@ll.mit.edu
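The two lines the post quotes from slapd and from cn=config are not actually in conflict. An olcDbIndex value of "sudoHost eq" builds an equality index only; "bdb_substring_candidates: (sudoHost) not indexed" is slapd saying that some filter component on sudoHost used a substring assertion, for which it wanted a "sub" index. An unindexed component is still evaluated, just by scanning candidates, which is why the sudo debug output above still reports "result now has 1 entries" and "Command allowed"; the index warning is a search-cost problem, not a reason for the "Sorry, try again" password failures. The script below is an added example, not code from the original post or from OpenLDAP or sudo. It parses slapd "not indexed" warnings, compares them with the olcDbIndex (or slapd.conf "index") directives in force, and emits the ldapmodify LDIF that adds the missing index types while keeping the existing ones. The sample log lines, the sample index directives and the database DN olcDatabase={2}hdb,cn=config are constructed assumptions; substitute the DN that "ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config olcDbIndex" reports for your database.

```python
import re

# slapd's bdb/hdb/mdb backends log one line per filter component they could
# not serve from an index, naming the candidate type they wanted, e.g.
#   bdb_substring_candidates: (sudoHost) not indexed
#   bdb_equality_candidates: (sudoUser) not indexed
CANDIDATE_RE = re.compile(
    r"\b(?:bdb|hdb|mdb)_(?P<kind>equality|substring|presence|approx)_candidates:"
    r"\s*\((?P<attr>[A-Za-z][A-Za-z0-9;-]*)\)\s+not indexed"
)
# candidate type slapd asked for -> olcDbIndex keyword that satisfies it
KIND_TO_INDEX = {"equality": "eq", "substring": "sub",
                 "presence": "pres", "approx": "approx"}
# Accepts both the cn=config spelling ("olcDbIndex: sudoHost eq") and the
# slapd.conf spelling ("index sudoHost eq"); one attribute per directive.
INDEX_RE = re.compile(r"^\s*(?:olcDbIndex:|index)\s+(?P<attr>\S+)\s+(?P<types>\S+)\s*$")
INDEX_ORDER = ["pres", "eq", "approx", "sub"]  # conventional ordering in output

# Constructed sample input, modelled on the slapd message format; not real logs.
SAMPLE_LOG = [
    "slapd[1234]: bdb_substring_candidates: (sudoHost) not indexed",
    "slapd[1234]: bdb_equality_candidates: (sudoUser) not indexed",
    "slapd[1234]: conn=1002 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=",
]
SAMPLE_CONFIG = [  # constructed olcDbIndex values for one database
    "olcDbIndex: objectClass eq",
    "olcDbIndex: sudoHost eq",
]


def parse_index_directives(config_lines):
    """Return {attr.lower(): (attr as written, {types}, raw value string)}."""
    have = {}
    for line in config_lines:
        m = INDEX_RE.match(line)
        if m:
            attr, types = m.group("attr"), m.group("types")
            have[attr.lower()] = (attr, set(types.split(",")), f"{attr} {types}")
    return have


def required_indexes(log_lines):
    """Return {attr.lower(): (attr as logged, {index types slapd asked for})}."""
    need = {}
    for line in log_lines:
        m = CANDIDATE_RE.search(line)
        if m:
            key = m.group("attr").lower()
            name, types = need.get(key, (m.group("attr"), set()))
            types.add(KIND_TO_INDEX[m.group("kind")])
            need[key] = (name, types)
    return need


def missing_indexes(log_lines, config_lines):
    """Map each attribute slapd complained about to the index types it lacks."""
    have = parse_index_directives(config_lines)
    missing = {}
    for key, (name, wanted) in required_indexes(log_lines).items():
        cfg_name, present, _ = have.get(key, (name, set(), None))
        lacking = wanted - present
        if lacking:
            missing[cfg_name] = sorted(lacking)
    return missing


def _join_types(types):
    known = [t for t in INDEX_ORDER if t in types]
    return ",".join(known + sorted(types - set(INDEX_ORDER)))


def fix_ldif(log_lines, config_lines, db_dn="olcDatabase={2}hdb,cn=config"):
    """Emit an ldapmodify LDIF that adds the missing index types to db_dn.

    olcDbIndex is multi-valued, so an existing value is deleted and re-added
    with the union of types; a bare 'replace' would drop every other index.
    Returns "" when nothing is missing.
    """
    have = parse_index_directives(config_lines)
    missing = missing_indexes(log_lines, config_lines)
    if not missing:
        return ""
    out = [f"dn: {db_dn}", "changetype: modify"]
    for attr, lacking in missing.items():
        _, old_types, old_value = have.get(attr.lower(), (attr, set(), None))
        if old_value is not None:
            out += ["delete: olcDbIndex", f"olcDbIndex: {old_value}", "-"]
        out += ["add: olcDbIndex",
                f"olcDbIndex: {attr} {_join_types(old_types | set(lacking))}", "-"]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(missing_indexes(SAMPLE_LOG, SAMPLE_CONFIG))
    print(fix_ldif(SAMPLE_LOG, SAMPLE_CONFIG), end="")
```

On a cn=config deployment the generated LDIF is applied with "ldapmodify -Y EXTERNAL -H ldapi:/// -f fix.ldif" (assuming the usual root-over-ldapi access to cn=config); slapd 2.4 rebuilds the affected index in the background after the change. If the database is still configured from slapd.conf, change the "index" line instead, stop slapd, and run slapindex before starting it again, since an index declared but never built is the other common way to get this warning.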