ldap netgroup issues #251
Comments
There are two ways sudo's LDAP code can support netgroups for users.
The matching of a host to a netgroup always uses the
would log debug info about user and host matches. The debug info you are looking for should be in the
or
However, it doesn't look to me like musl libc supports the
In both cases I get the same debug output when it comes across +assist
I think as far as I'm following things (knowing very little about C) I can see why without netgroup_base I don't see the
I should say, I do have a Buildroot system that I'm pretty sure uses musl libc and has sudo working with netgroups.
It's not using netgroup_base and I can see it running a slight variation of that query
I just checked my alpine build log:
So I don't think you can use host netgroups on that system.
Alright, thanks for the clarification. At least it's not a deal breaking issue.
When netgroup_base is set we now do our own netgroup lookups using LDAP. Previously, LDAP was queried directly to get a list of the netgroups the user belongs to but other netgroup queries went through innetgr(3). This makes it possible to use netgroups in LDAP sudoers on systems that don't have an innetgr() function. GitHub issue #251.
Just noticed you've been putting in some work on supporting this. Wasn't expecting that but it's very much appreciated!
It should work if netgroup_base is set in sudo's ldap.conf file. If that doesn't work, you can enable debugging in either sudo.conf or ldap.conf to see the exact query sudo is using and try that with, e.g. the ldapsearch utility. For example, in my testing I get debug output like the following with sudoers_debug set to 2 in ldap.conf:
With sudo.conf debugging there are more details (date strings removed for readability):
Got It's still looking for a triple containing my username.
And I don't see any of the
Your LDAP server may not support querying nisNetgroupTriple. OpenLDAP's slapd, for example, does not support that in their nis schema. The sudoers.ldap man page talks about this in the section on NETGROUP_BASE.
Oh, yes, that does appear to be the case... I'm using OpenLDAP
I'll look into changing that but it does make me curious why it's never been a problem on Gentoo.
If you are not using
Sadly the schema change seems to have made no difference. Must be some other weirdness with my setup or I'm just missing something. Not sure if this is useful but out of curiosity I tried setting my username in the triple
FYI, I think I found the issue with this on Alpine. The problem is that sudo checks for the innetgr() function and, if it doesn't exist, avoids compiling some of sudo's netgroup support. I changed that in 6fddb28 and have been able to do netgroup queries on Alpine using sudo's own LDAP netgroup code.
I've been trying to get sudo setup on Alpine Linux with ldap auth.
I got it working for the most part but I'm having issues getting it to use netgroups.
Netgroups & sudoers are setup like this in ldap, which works with my Gentoo systems.
I've been compiling with these args
--with-pam --with-ldap --with-ldap-conf-file=/etc/ldap.conf.sudo
And I've tried both with and without nsswitch
--with-nsswitch=no
--with-nsswitch=/etc/nsswitch.conf.sudo
(I didn't use the standard nsswitch.conf because musl-nscd gets a syntax error with sudoers: ldap)
ldap.conf.sudo
nsswitch.conf.sudo
The filter in the "ldap search" debug output '(&(objectClass=sudoRole)(|(sudoUser=matta)... does get cn=assist,ou=sudoers,dc=example,dc=com in its results, if that's helpful at all.
I do see this one debug difference on Gentoo
Compared to Alpine
Then this may be sending me in the wrong direction since I've never set it on Gentoo but I've noticed that when I set netgroup_base in ldap.conf.sudo I get some additional debug output that I don't see w/o it. It appears to append a filter that would only match if I set a username in the nisNetgroupTriple. I actually tried that to no avail as well.