I am getting some strange LDAP errors/indicators. This is OpenLDAP 2.4.40 on CentOS 7.

 

The sudoers rules are being “seen” but not implemented:

 

# sudo -l -U jdoe

Matching Defaults entries for jdoe on this host:

    requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG

    LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",

    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

 

User jdoe may run the following commands on this host:

    (root) /usr/sbin/tcpdump

    (root) ALL

    (ALL) ALL

 

When user jdoe tries to run a sudo command:

# sudo su -

sudo: ldap_set_option: debug -> 0

sudo: ldap_set_option: tls_checkpeer -> 0

sudo: ldap_set_option: tls_cacertfile -> /etc/openldap/CA/cacert.pem

sudo: ldap_set_option: tls_cacert -> /etc/openldap/CA/cacert.pem

sudo: ldap_set_option: ldap_version -> 3

sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 30)

sudo: ldap_start_tls_s() ok

sudo: ldap_sasl_bind_s() ok

sudo: Looking for cn=defaults: cn=defaults

sudo: no default options found in ou=sudoers,dc=example,dc=com

sudo: ldap search '(|(sudoUser=jdoe)(sudoUser=#12345)(sudoUser=%Example)(sudoUser=%#12345)(sudoUser=%Admin)(sudoUser=%Group1)(sudoUser=%GROUP2)(sudoUser=%GROUP3)(sudoUser=%GROUP4(sudoUser=ALL))'

sudo: searching from base 'ou=sudoers,dc=example,dc=com'

sudo: adding search result

sudo: result now has 1 entries

sudo: ldap search '(sudoUser=+*)'

sudo: searching from base 'ou=sudoers,dc=example,dc=com'

sudo: adding search result

sudo: result now has 1 entries

sudo: sorting remaining 1 entries

sudo: searching LDAP for sudoers entries

sudo: Command allowed

sudo: LDAP entry: 0x7fdfb8bc2260

sudo: done with LDAP searches

sudo: user_matches=1

sudo: host_matches=1

sudo: sudo_ldap_lookup(0)=0x02

Sorry, try again.

Sorry, try again.

Sorry, try again.

sudo: 3 incorrect password attempts


Also seeing in the log files, that

bdb_substring_candidates: (sudoHost) not indexed

 

But, it is indexed:

olcDbIndex        sudoHost             eq


Thanks in advance for assistance. This is a new environment that mimics another LDAP environment, running 2.4.39 on CentOS 5.12, which is running flawlessly.

 

John D. Borresen (Dave)

Linux/Unix Systems Administrator

MIT  Lincoln Laboratory

Email: john.borresen@ll.mit.edu
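Two things in the report above can be checked mechanically rather than by eye, and the script below is an added example for doing so; it is not code from the original post, from sudo or from OpenLDAP. First, a failed `sudo` run has two independent stages: the LDAP sudoers lookup (the `sudo_ldap_lookup(0)=0x..` value carries sudo's VALIDATE_* flag bits, 0x02 being VALIDATE_SUCCESS, and `Command allowed` / `user_matches` / `host_matches` say what matched) and the password check, which is what prints `Sorry, try again.` and `N incorrect password attempts`. Second, the slapd message `<= bdb_substring_candidates: (attr) not indexed` is emitted for a substring filter component, and an `eq` index does not serve substring filters; the kind named in the message (`equality`, `substring`, `presence`, `approx`) maps directly to the olcDbIndex type (`eq`, `sub`, `pres`, `approx`) that is missing. The sample debug output, slapd log lines, olcDbIndex listing and the database DN `olcDatabase={2}hdb,cn=config` are constructed for the example and are assumptions, not values from the poster's environment.

```python
import re

# Constructed sample of sudo's LDAP debug output for a failed run, modelled
# on the lines sudo's LDAP backend prints (not copied from any real host).
SUDO_DEBUG = """\
sudo: ldap_start_tls_s() ok
sudo: ldap_sasl_bind_s() ok
sudo: no default options found in ou=sudoers,dc=example,dc=com
sudo: searching from base 'ou=sudoers,dc=example,dc=com'
sudo: result now has 1 entries
sudo: Command allowed
sudo: user_matches=1
sudo: host_matches=1
sudo: sudo_ldap_lookup(0)=0x02
Sorry, try again.
Sorry, try again.
Sorry, try again.
sudo: 3 incorrect password attempts
"""

# Constructed slapd log lines and a constructed olcDbIndex listing, in the
# format of the back-bdb/back-hdb "not indexed" warnings and of cn=config.
SLAPD_LOG = """\
<= bdb_substring_candidates: (sudoHost) not indexed
<= bdb_substring_candidates: (sudoHost) not indexed
"""
OLC_DB_INDEX = ["objectClass eq", "sudoUser eq", "sudoHost eq"]

# Low bits of the value sudo logs as sudo_ldap_lookup(0)=0x.. (sudo's VALIDATE_* flags).
VALIDATE_ERROR, VALIDATE_SUCCESS, VALIDATE_FAILURE = 0x01, 0x02, 0x04


def classify_sudo_failure(debug_text):
    """Separate the two stages of a failed sudo run: authorization (did the
    LDAP sudoers lookup grant the command?) and authentication (was the
    password accepted?). Returns the evidence found plus a verdict."""
    m = re.search(r"sudo_ldap_lookup\(\d+\)=0x([0-9a-fA-F]+)", debug_text)
    lookup = int(m.group(1), 16) if m else None
    bad_passwords = len(re.findall(r"^Sorry, try again\.$", debug_text, re.M))
    m = re.search(r"(\d+) incorrect password attempts?", debug_text)
    if m:
        bad_passwords = max(bad_passwords, int(m.group(1)))
    authorized = (lookup is not None and bool(lookup & VALIDATE_SUCCESS)
                  and "sudo: Command allowed" in debug_text)
    if lookup is None:
        stage = "unknown"          # no lookup result in the output at all
    elif lookup & VALIDATE_ERROR:
        stage = "ldap-error"       # the LDAP query itself failed
    elif not authorized:
        stage = "authorization"    # no sudoers rule granted this command
    elif bad_passwords:
        stage = "authentication"   # a rule matched; the password check rejected the user
    else:
        stage = "other"
    return {"lookup": lookup, "authorized": authorized,
            "bad_passwords": bad_passwords, "stage": stage}


# "<= bdb_<kind>_candidates: (attr) not indexed": each kind needs one index type.
CANDIDATE_KIND_TO_INDEX = {"equality": "eq", "substring": "sub",
                           "presence": "pres", "approx": "approx"}
NOT_INDEXED_RE = re.compile(
    r"(?:bdb|hdb|mdb)_(equality|substring|presence|approx)_candidates: \((\w+)\) not indexed")
SUB_TYPES = {"sub", "subinitial", "subany", "subfinal"}  # any of these serves a substring filter


def parse_db_index(values):
    """Turn olcDbIndex values such as "sudoHost eq,sub" into {attr: set(types)}."""
    current = {}
    for value in values:
        attrs, _, types = value.partition(" ")
        for attr in attrs.split(","):
            current.setdefault(attr, set()).update(t for t in types.split(",") if t)
    return current


def missing_indexes(slapd_log, db_index_values):
    """Index types the log shows slapd needed but the listing does not provide."""
    current = parse_db_index(db_index_values)
    missing = {}
    for kind, attr in NOT_INDEXED_RE.findall(slapd_log):
        needed = CANDIDATE_KIND_TO_INDEX[kind]
        have = current.get(attr, set())
        covered = bool(have & SUB_TYPES) if needed == "sub" else needed in have
        if not covered:
            missing.setdefault(attr, set()).add(needed)
    return missing


def index_ldif(db_dn, db_index_values, missing):
    """LDIF adding the missing types. olcDbIndex is replaced as a whole, so
    every existing value is re-emitted with the additions merged in."""
    current = parse_db_index(db_index_values)
    for attr, types in missing.items():
        current.setdefault(attr, set()).update(types)
    lines = [f"dn: {db_dn}", "changetype: modify", "replace: olcDbIndex"]
    for attr in sorted(current):
        lines.append(f"olcDbIndex: {attr} {','.join(sorted(current[attr]))}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(classify_sudo_failure(SUDO_DEBUG))
    gaps = missing_indexes(SLAPD_LOG, OLC_DB_INDEX)
    # The database DN below is an assumed example value; read the real one from cn=config.
    print(index_ldif("olcDatabase={2}hdb,cn=config", OLC_DB_INDEX, gaps))
```

The generated LDIF is applied with `ldapmodify -Y EXTERNAL -H ldapi:/// -f index.ldif` (or whatever identity administers cn=config on the host); because the operation is a `replace`, feed it the complete current olcDbIndex listing, or values not re-emitted are dropped. After the change the attribute has to be (re)indexed before the new index is used: back-bdb/back-hdb in 2.4 does this in the background when the change goes in through cn=config, and `slapindex` with slapd stopped is the fallback.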