Getting, for me, some strange LDAP errors/indicators. This is a OpenLDAP 2.4.40 on CentOS7.
The sudoers rules are being "seen" but not implemented:
# sudo -l -U jdoe
Matching Defaults entries for jdoe on this host:
requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG
LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin:/bin:/usr/sbin:/usr/bin
User jdoe may run the following commands on this host:
(root) /usr/sbin/tcpdump
(root) ALL
(ALL) ALL
When user jdoe tries to run a sudo command:
# sudo su -
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: tls_checkpeer -> 0
sudo: ldap_set_option: tls_cacertfile -> /etc/openldap/CA/cacert.pem
sudo: ldap_set_option: tls_cacert -> /etc/openldap/CA/cacert.pem
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 30)
sudo: ldap_start_tls_s() ok
sudo: ldap_sasl_bind_s() ok
sudo: Looking for cn=defaults: cn=defaults
sudo: no default options found in ou=sudoers,dc=example,dc=com
sudo: ldap search '(|(sudoUser=jdoe)(sudoUser=#12345)(sudoUser=%Example)(sudoUser=%#12345)(sud oUser=%Admin)(sudoUser=%Group1)(sudoUser=%GROUP2)(sudoUser=%GROUP3)(sudo
User=%GROUP4(sudoUser=ALL))'
sudo: searching from base 'ou=sudoers,dc=example,dc=com'
sudo: adding search result
sudo: result now has 1 entries
sudo: ldap search '(sudoUser=+*)'
sudo: searching from base 'ou=sudoers,dc=example,dc=com'
sudo: adding search result
sudo: result now has 1 entries
sudo: sorting remaining 1 entries
sudo: searching LDAP for sudoers entries
sudo: Command allowed
sudo: LDAP entry: 0x7fdfb8bc2260
sudo: done with LDAP searches
sudo: user_matches=1
sudo: host_matches=1
sudo: sudo_ldap_lookup(0)=0x02
Sorry, try again.
Sorry, try again.
Sorry, try again.
sudo: 3 incorrect password attempts
Also seeing in the log files, that
bdb_substring_candidates: (sudoHost) not indexed
But, it is indexed:
oldDbIndex sudoHost eq
Thanks in advance for assistance. This is a new environment, that is mimicking another LDAP environment running 2.4.39 on CentOS 5.12 which is running flawlessly.
John D. Borresen (Dave)
Linux/Unix Systems Administrator
MIT Lincoln Laboratory
Email: mailto:john.borresen@ll.mit.edu john.borresen@ll.mit.edu