Bug 196

Summary: LDAP nisNetgroupTripple Syntax too strict?
Product: Sudo
Reporter: asher feldman <asher>
Component: Sudo
Assignee: Todd C. Miller <Todd.Miller>
Status: RESOLVED INVALID    
Severity: normal    
Priority: normal    
Version: 1.6.8   
Hardware: PC   
OS: Linux   

Description asher feldman 2005-10-27 14:30:07 MDT
Sudo would not accept netgroups in ldap when a dash was present for the
domainname attribute.  

nisNetgroupTripple: (-,user,-)

We had to change this to:

nisNetgroupTripple: (-,user,)

For all entries.  I'd like to think this shouldn't matter :)

Comment 1 Todd C. Miller 2007-07-05 15:42:04 MDT
Unless netgroups in LDAP are different from NIS I don't think this is a bug in sudo per se.  A '-' in the domain portion of the netgroup will preclude sudo from matching that entry as sudo uses the machine's NIS domain, if set, when matching.  I'm surprised that a '-' for the host portion of the tuple works though since I would expect that to prevent a match as well.

Comment 2 Todd C. Miller 2008-06-11 09:40:09 MDT
Not a sudo bug.
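
The matching behaviour described in Comment 1, as an added example that is not part of the original report and is not sudo's own code. It assumes the conventional netgroup rules (an empty field is a wildcard, `-` means "no valid value", a NULL query argument is not checked); `triple_matches`, `field_matches` and the domain `example.nis` are hypothetical names constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Assumed conventional netgroup rules: an empty field is a wildcard, "-" means
 * "no valid value", and a NULL query means the caller does not check the field. */
static int field_matches(const char *field, const char *query)
{
    if (query == NULL || field[0] == '\0')
        return 1;
    if (strcmp(field, "-") == 0)
        return 0;
    return strcmp(field, query) == 0;
}

/* Parse "(host,user,domain)" (no whitespace handling) and test it against the
 * query. Returns 1 on match, 0 on no match, -1 if the triple is malformed. */
int triple_matches(const char *triple, const char *host,
                   const char *user, const char *domain)
{
    char buf[256], *f[3], *p;
    size_t len = strlen(triple);
    int i;

    if (len < 4 || len >= sizeof(buf) || triple[0] != '(' || triple[len - 1] != ')')
        return -1;
    memcpy(buf, triple + 1, len - 2);
    buf[len - 2] = '\0';
    for (p = buf, i = 0; i < 3; i++) {
        f[i] = p;
        p = strchr(p, ',');
        if (i < 2) {
            if (p == NULL)
                return -1;          /* too few fields */
            *p++ = '\0';
        } else if (p != NULL) {
            return -1;              /* too many fields */
        }
    }
    return field_matches(f[0], host) && field_matches(f[1], user) &&
           field_matches(f[2], domain);
}

int main(void)
{
    const char *dom = "example.nis";    /* constructed NIS domain name */
    printf("(-,user,-) -> %d\n", triple_matches("(-,user,-)", NULL, "user", dom));
    printf("(-,user,)  -> %d\n", triple_matches("(-,user,)", NULL, "user", dom));
    return 0;
}
```

Under these rules the `-` domain only blocks a match when the caller supplies a domain to compare, and a `-` host only blocks a match when the caller supplies a host.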