Bugzilla – Bug 346
Sudo with Tivoli Directory Client and openldap server
Last modified: 2009-04-17 11:36:04 MDT
Hi, I have found a little issue with sudo compiled with ibm ldap or Tivoli Directory Server. I don't know if it is a bug, but after installing openLdap Server on a machine, I tried to run sudo from my machine and I got the message that such user was not found on the ldap server. Which was weird, because if I make my own query by running ldapsearch I can see all users I have added on the server. To be sure if I have any problem with openLdap Server, I compiled sudo with openldap libs and after running the command, the request was successfully processed and the user was found. So I don't know if this is a bug or perhaps some config problems, but I would like to share. My regards.

My configuration for compilation is:

    SUDO_LIBS=libmldap ./configure --with-tty-tickets --disable-root-sudo --with-umask=0077 --with-ignore-dot --with-logging=both --with-noexec --with-ldap="/opt/IBM/ldap/V6.2"

and ldap.conf:

    uri ldap://esdsun22.charlotte.ibm.com
    port 389
    bind_timelimit 30
    timelimit 30
    # sudoers_base ou=SUDOers,dc=example,dc=com
    BASE dc=example,dc=com
    sudoers_debug 2
    ldap_version 3
Can you include the debugging output from sudo that you get with sudoers_debug set to 2?
Hi Todd, I think it is a bug, because I ran sudo 1.6.9 with the same configuration and it worked well. Here is some info that perhaps will be useful for you:

    ldd /usr/local/bin/sudo
        libibmldap.so =>     /opt/IBM/ldap/V6.2/lib/libibmldap.so
        libpam.so.1 =>       /usr/lib/libpam.so.1
        libdl.so.1 =>        /usr/lib/libdl.so.1
        libsocket.so.1 =>    /usr/lib/libsocket.so.1
        libnsl.so.1 =>       /usr/lib/libnsl.so.1
        libc.so.1 =>         /usr/lib/libc.so.1
        libidsldapiconv.so => /opt/IBM/ldap/V6.2/lib/libidsldapiconv.so
        libibmldapdbg.so =>  /opt/IBM/ldap/V6.2/lib/libibmldapdbg.so
        libidsstr.so =>      /opt/IBM/ldap/V6.2/lib/libidsstr.so
        libpthread.so.1 =>   /usr/lib/libpthread.so.1
        libcmd.so.1 =>       /usr/lib/libcmd.so.1
        libmp.so.2 =>        /usr/lib/libmp.so.2
        libgen.so.1 =>       /usr/lib/libgen.so.1
        libthread.so.1 =>    /usr/lib/libthread.so.1
        libCstd.so.1 =>      /usr/lib/libCstd.so.1
        libCrun.so.1 =>      /usr/lib/libCrun.so.1
        librt.so.1 =>        /usr/lib/librt.so.1
        libw.so.1 =>         /usr/lib/libw.so.1
        libaio.so.1 =>       /usr/lib/libaio.so.1
        libmd5.so.1 =>       /usr/lib/libmd5.so.1
        /usr/platform/SUNW,Ultra-250/lib/libc_psr.so.1
        /usr/lib/cpu/sparcv8plus/libCstd_isa.so.1
        /usr/platform/SUNW,Ultra-250/lib/libmd5_psr.so.1

    esdsun24# su esdadmin
    esdsun24# sudo ls
    LDAP Config Summary
    ===================
    host         esdsun22.charlotte.ibm.com
    port         389
    ldap_version 3
    sudoers_base ou=SUDOers,dc=example,dc=com
    binddn       (anonymous)
    bindpw       (anonymous)
    timelimit    30
    ssl          (no)
    ===================
    sudo: ldap_init(esdsun22.charlotte.ibm.com, 389)
    sudo: ldap_set_option: ldap_version -> 3
    sudo: ldap_set_option: timelimit -> 30
    sudo: ldap_sasl_bind_s() ok
    sudo: no default options found!
    sudo: ldap search '(|(sudoUser=esdadmin)(sudoUser=%other)(sudoUser=%sys)(sudoUser=ALL))'
    sudo: nothing found for '(|(sudoUser=esdadmin)(sudoUser=%other)(sudoUser=%sys)(sudoUser=ALL))'
    sudo: ldap search 'sudoUser=+*'
    sudo: nothing found for 'sudoUser=+*'
    sudo: user_matches=0
    sudo: host_matches=0
    sudo: sudo_ldap_lookup(0)=0x60
    Password:
    esdadmin is not in the sudoers file.  This incident will be reported.

    Apr 17 10:18:54 esdsun24 sudo: [ID 702911 local2.alert] esdadmin : user NOT in sudoers ; TTY=pts/1 ; PWD=/esd/kul/sudo-1.7.0 ; USER=root ; COMMAND=/bin/ls

Ldap conf is:

    host esdsun22.charlotte.ibm.com
    port 389
    bind_timelimit 30
    timelimit 30
    sudoers_base ou=SUDOers,dc=example,dc=com
    BASE dc=example,dc=com
    sudoers_debug 2

And by running sudo 1.6.9:

    esdsun24# sudo ftp
    LDAP Config Summary
    ===================
    host         esdsun22.charlotte.ibm.com
    port         389
    ldap_version 3
    sudoers_base ou=SUDOers,dc=example,dc=com
    binddn       (anonymous)
    bindpw       (anonymous)
    timelimit    30
    ssl          (no)
    ===================
    sudo: ldap_init(esdsun22.charlotte.ibm.com, 389)
    sudo: ldap_set_option: ldap_version -> 3
    sudo: ldap_set_option: timelimit -> 30
    sudo: ldap_simple_bind_s() ok
    sudo: found:cn=defaults,ou=SUDOers,dc=example,dc=com
    sudo: ldap sudoOption: 'mailto="root", mail_no_user, mail_no_host, mail_no_perms'
    sudo: ldap search '(|(sudoUser=esdadmin)(sudoUser=%other)(sudoUser=%sys)(sudoUser=ALL))'
    sudo: found:cn=esdadmin,ou=SUDOers,dc=example,dc=com
    sudo: ldap sudoHost 'ALL' ... MATCH!
    sudo: ldap sudoCommand 'ALL' ... MATCH!
    sudo: Perfect Matched!
    sudo: ldap sudoOption: 'noexec'
    sudo: user_matches=-1
    sudo: host_matches=-1
    sudo: sudo_ldap_check(0)=0x602
    ftp> !ls
    /bin/sh: Permission denied

As you can see the query was successful.
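The lookup sequence visible in the two debug transcripts above (the cn=defaults entry, the sudoUser filter built from the login name, its groups and ALL, then the sudoUser=+* netgroup search, then sudoHost and sudoCommand matching) as an added example that is not sudo's own code: a Python simulation over constructed in-memory entries mirroring the working 1.6.9 run. The DIRECTORY entries, the simplified matching rules (no innetgr, glob matching for hosts and commands, an explicit !command denies) and the RFC 4515 escaping of the login name are assumptions of this example; the page does not say how sudo itself handles them. The empty-directory case reproduces the "nothing found" outcome of the failing 1.7.0 run.

```python
"""Simulation of sudo's sudoers-in-LDAP lookup as seen in sudoers_debug output.

Added example, not sudo's code. Works on constructed in-memory entries so it
runs without an LDAP server.
"""
import fnmatch
import re

# RFC 4515 filter metacharacters; escaping keeps a login name or group name
# from changing the structure of the search filter (assumed here, not from the page).
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def ldap_escape(value):
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def ldap_unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def build_user_filter(user, groups):
    """Filter for sudoRole entries naming the user, one of its groups, or ALL."""
    terms = [f"(sudoUser={ldap_escape(user)})"]
    terms += [f"(sudoUser=%{ldap_escape(g)})" for g in groups]
    terms.append("(sudoUser=ALL)")
    return "(|" + "".join(terms) + ")"


_TERM = re.compile(r"\(([A-Za-z]+)=([^()]*)\)")


def search(entries, filt):
    """Evaluate a filter of shape (attr=value) or (|(attr=value)...) over entries.

    A trailing '*' in the value is a prefix match, which covers sudoUser=+*.
    """
    if not filt.startswith("("):          # sudo prints 'sudoUser=+*' without parens
        filt = f"({filt})"
    terms = [(a, ldap_unescape(v)) for a, v in _TERM.findall(filt)]
    hits = []
    for dn, attrs in entries.items():
        for attr, want in terms:
            values = attrs.get(attr, [])
            if want.endswith("*"):
                ok = any(v.startswith(want[:-1]) for v in values)
            else:
                ok = want in values
            if ok:
                hits.append(dn)
                break
    return hits


def user_matches(entry, user, groups):
    for v in entry.get("sudoUser", []):
        if v == "ALL" or v == user:
            return True
        if v.startswith("%") and v[1:] in groups:
            return True
        # '+netgroup' values would need innetgr(); treated as no match here.
    return False


def host_matches(entry, host):
    return any(v == "ALL" or fnmatch.fnmatchcase(host, v)
               for v in entry.get("sudoHost", []))


def command_matches(entry, command):
    allowed = False
    for v in entry.get("sudoCommand", []):
        negated = v.startswith("!")
        pattern = v[1:] if negated else v
        if pattern == "ALL" or fnmatch.fnmatchcase(command, pattern):
            if negated:
                return False          # an explicit !command wins
            allowed = True
    return allowed


def sudo_ldap_lookup(entries, user, groups, host, command):
    """Run the same sequence the debug log shows and return what it found."""
    options = []
    for dn in search(entries, "(cn=defaults)"):
        options += entries[dn].get("sudoOption", [])
    filt = build_user_filter(user, groups)
    roles = dict.fromkeys(search(entries, filt) + search(entries, "sudoUser=+*"))
    user_match = host_match = allowed = False
    for dn in roles:
        e = entries[dn]
        if not user_matches(e, user, groups):
            continue
        user_match = True
        if not host_matches(e, host):
            continue
        host_match = True
        if command_matches(e, command):
            allowed = True
            options += e.get("sudoOption", [])
    return {"filter": filt, "user_matches": user_match,
            "host_matches": host_match, "allowed": allowed, "options": options}


# Constructed entries mirroring the cn=defaults and cn=esdadmin roles in the 1.6.9 run.
DIRECTORY = {
    "cn=defaults,ou=SUDOers,dc=example,dc=com": {
        "cn": ["defaults"],
        "sudoOption": ['mailto="root"', "mail_no_user", "mail_no_host", "mail_no_perms"],
    },
    "cn=esdadmin,ou=SUDOers,dc=example,dc=com": {
        "cn": ["esdadmin"],
        "sudoUser": ["esdadmin"], "sudoHost": ["ALL"], "sudoCommand": ["ALL"],
        "sudoOption": ["noexec"],
    },
}

if __name__ == "__main__":
    print(sudo_ldap_lookup(DIRECTORY, "esdadmin", ["other", "sys"], "esdsun24", "/bin/ls"))
    print(sudo_ldap_lookup({}, "esdadmin", ["other", "sys"], "esdsun24", "/bin/ls"))
```

Run against DIRECTORY the lookup returns the same filter string the debug log prints, user_matches and host_matches set, and the noexec option attached, which is why the "!ls" escape from ftp was denied in the 1.6.9 transcript; against an empty directory it returns no match, the 1.7.0 outcome.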
Would you mind trying sudo 1.7.0 too? That would help me track down where the problem was introduced.
Sorry I didn't tell you before: I was working with sudo 1.7.0, the last stable version. If you want, I can also test sudo 1.7.1rc1.
This may be related to bug #329.
Please try 1.7.1rc1. This bug should be fixed already.
Hi Todd, you are right, this bug was resolved in bug #329. Thanks for your help. I have tested sudo 1.7.1rc1 and it works well. My regards.
Great. I intend to release 1.7.1 on Monday. *** This bug has been marked as a duplicate of bug 329 ***