Bug 346

Summary: Sudo with Tivoli Directory Client and openldap server
Product: Sudo Reporter: Vadym <vadim_in_god>
Component: SudoAssignee: Todd C. Miller <Todd.Miller>
Status: RESOLVED DUPLICATE    
Severity: low    
Priority: low    
Version: 1.7.0   
Hardware: Sun   
OS: Other   

Description Vadym 2009-04-16 15:01:11 MDT 
Hi, I have found a little issue with sudo compiled with ibm ldap or Tivoli Directory Server. I don't know if it is a bug, but after installing openLdap Server on an machine, I tried to run sudo from my machine and I got the message that such user was not found on the ldap server. Which was weird. Because if make my own consult by running ldapsearch I can see all users I have added on the server.
To be sure if I have any problem with openLdap Server, I compiled sudo with openldap libs and after running the command, the request was successfully processed and the user was found. So I don't if this a bug or perhaps some config problems, but I would like to share. My regards.


My configuration for compilation is:
SUDO_LIBS=libmldap
	./configure --with-tty-tickets --disable-root-sudo --with-umask=0077  --with-ignore-dot --with-logging=both --with-noexec --with-ldap="/opt/IBM/ldap/V6.2"

and ldap.conf

  uri           ldap://esdsun22.charlotte.ibm.com 
  port          389
  bind_timelimit 30
  timelimit 30
  #
  sudoers_base   ou=SUDOers,dc=example,dc=com
  BASE dc=example,dc=com
  sudoers_debug 2
  ldap_version 3
Comment 1 Todd C. Miller 2009-04-16 17:06:58 MDT 
Can you include the debugging output from sudo that you get with sudoers_debug set to 2?
Comment 2 Vadym 2009-04-17 10:54:46 MDT 
Hi Todd, I think it is a bug. Because I ran sudo 1.6.9 with the same configuration and it worked well.
Here some info perhaps will be useful for you:

ldd /usr/local/bin/sudo
        libibmldap.so =>         /opt/IBM/ldap/V6.2/lib/libibmldap.so
        libpam.so.1 =>   /usr/lib/libpam.so.1
        libdl.so.1 =>    /usr/lib/libdl.so.1
        libsocket.so.1 =>        /usr/lib/libsocket.so.1
        libnsl.so.1 =>   /usr/lib/libnsl.so.1
        libc.so.1 =>     /usr/lib/libc.so.1
        libidsldapiconv.so =>    /opt/IBM/ldap/V6.2/lib/libidsldapiconv.so
        libibmldapdbg.so =>      /opt/IBM/ldap/V6.2/lib/libibmldapdbg.so
        libidsstr.so =>  /opt/IBM/ldap/V6.2/lib/libidsstr.so
        libpthread.so.1 =>       /usr/lib/libpthread.so.1
        libcmd.so.1 =>   /usr/lib/libcmd.so.1
        libmp.so.2 =>    /usr/lib/libmp.so.2
        libgen.so.1 =>   /usr/lib/libgen.so.1
        libthread.so.1 =>        /usr/lib/libthread.so.1
        libCstd.so.1 =>  /usr/lib/libCstd.so.1
        libCrun.so.1 =>  /usr/lib/libCrun.so.1
        librt.so.1 =>    /usr/lib/librt.so.1
        libw.so.1 =>     /usr/lib/libw.so.1
        libaio.so.1 =>   /usr/lib/libaio.so.1
        libmd5.so.1 =>   /usr/lib/libmd5.so.1
        /usr/platform/SUNW,Ultra-250/lib/libc_psr.so.1
        /usr/lib/cpu/sparcv8plus/libCstd_isa.so.1
        /usr/platform/SUNW,Ultra-250/lib/libmd5_psr.so.1

esdsun24# su esdadmin
esdsun24# sudo ls
LDAP Config Summary
===================
host             esdsun22.charlotte.ibm.com
port             389
ldap_version     3
sudoers_base     ou=SUDOers,dc=example,dc=com
binddn           (anonymous)
bindpw           (anonymous)
timelimit        30
ssl              (no)
===================
sudo: ldap_init(esdsun22.charlotte.ibm.com, 389)
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_set_option: timelimit -> 30
sudo: ldap_sasl_bind_s() ok
sudo: no default options found!
sudo: ldap search '(|(sudoUser=esdadmin)(sudoUser=%other)(sudoUser=%sys)(sudoUser=ALL))'
sudo: nothing found for '(|(sudoUser=esdadmin)(sudoUser=%other)(sudoUser=%sys)(sudoUser=ALL))'
sudo: ldap search 'sudoUser=+*'
sudo: nothing found for 'sudoUser=+*'
sudo: user_matches=0
sudo: host_matches=0
sudo: sudo_ldap_lookup(0)=0x60
Password: 
esdadmin is not in the sudoers file.  This incident will be reported.
Apr 17 10:18:54 esdsun24 sudo: [ID 702911 local2.alert] esdadmin : user NOT in sudoers ; TTY=pts/1 ; PWD=/esd/kul/sudo-1.7.0 ; USER=root ; COMMAND=/bin/ls

Ldap conf is:
host         esdsun22.charlotte.ibm.com
	port          389
	bind_timelimit 30
	timelimit 30
	sudoers_base   ou=SUDOers,dc=example,dc=com
BASE dc=example,dc=com
sudoers_debug 2

And by running sudo 1.6.9:
esdsun24# sudo ftp
LDAP Config Summary
===================
host         esdsun22.charlotte.ibm.com
port         389
ldap_version 3
sudoers_base ou=SUDOers,dc=example,dc=com
binddn       (anonymous)
bindpw       (anonymous)
timelimit    30
ssl          (no)
===================
sudo: ldap_init(esdsun22.charlotte.ibm.com, 389)
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_set_option: timelimit -> 30
sudo: ldap_simple_bind_s() ok
sudo: found:cn=defaults,ou=SUDOers,dc=example,dc=com
sudo: ldap sudoOption: 'mailto="root", mail_no_user, mail_no_host, mail_no_perms'
sudo: ldap search '(|(sudoUser=esdadmin)(sudoUser=%other)(sudoUser=%sys)(sudoUser=ALL))'
sudo: found:cn=esdadmin,ou=SUDOers,dc=example,dc=com
sudo: ldap sudoHost 'ALL' ... MATCH!
sudo: ldap sudoCommand 'ALL' ... MATCH!
sudo: Perfect Matched!
sudo: ldap sudoOption: 'noexec'
sudo: user_matches=-1
sudo: host_matches=-1
sudo: sudo_ldap_check(0)=0x602
ftp> !ls
/bin/sh: Permission denied

As you can see the query was successfully.
Comment 3 Todd C. Miller 2009-04-17 11:21:47 MDT 
Would you mind trying sudo 1.7.0 too?  That would help me track down where the problem was introduced.
Comment 4 Vadym 2009-04-17 11:23:58 MDT 
Sorry I didn't tell you before, I was working with sudo 1.7.0 last stable version. if you want I can also test sudo 1.7.1rc1
Comment 5 Todd C. Miller 2009-04-17 11:24:46 MDT 
This may be related to bug #329
Comment 6 Todd C. Miller 2009-04-17 11:26:08 MDT 
Please try 1.7.1rc1.  This bug should be fixed already.
Comment 7 Vadym 2009-04-17 11:33:09 MDT 
Hi Todd, you are right this bug was resolved in bug #329. Thanks for your help.
I have tested sudo 1.7.1rc1 and it works well. My regards.
Comment 8 Todd C. Miller 2009-04-17 11:36:04 MDT 
Great.  I intend to release 1.7.1 on Monday.

*** This bug has been marked as a duplicate of bug 329 ***