
Sudo LDAP stopped working in 1.9.15 #325

Closed
mmelvin0 opened this issue Nov 7, 2023 · 2 comments

Comments

@mmelvin0

mmelvin0 commented Nov 7, 2023

Sudo LDAP was working for me with 1.9.14.p3, but broke with 1.9.15 on my setup and I haven't been able to determine why.

When I do sudo -ll with SUDOERS_DEBUG 2 in 1.9.14.p3 I get LDAP debug output indicating the correct things are happening, but with 1.9.15 there's no LDAP debug output at all. I simply get a password prompt followed by "not in sudoers file" and no indication LDAP is being queried. Reverting to 1.9.14.p3 restores the expected behavior.

I'm not sure if this is an Arch packaging issue, sudo regression, or config issue on my end. Here are my relevant configs and LDAP objects. Please let me know if more info is needed to diagnose.

/etc/nsswitch.conf:

# ...
sudoers: files ldap
# ...

(I tried swapping ldap and files but same result, and I prefer it checks local first anyway.)

/etc/sudo.conf:

Plugin sudoers_policy sudoers.so
Plugin sudoers_io sudoers.so
Plugin sudoers_audit sudoers.so ldap_secret=/path/to/ldap-password

(That's the entirety of sudo.conf and I must admit I don't fully understand it but it worked for me in < 1.9.15.)

/etc/openldap/ldap.conf:

URI ldapi://%2frun%2fopenldap%2fslapd.sock
BASE o=home
ROOTBINDDN cn=sudo,ou=roles,o=home
SUDOERS_BASE o=home
SUDOERS_DEBUG 2

(Perhaps sudo is looking for ldap.conf in a different place now? I'm not sure how to figure out where it checks but if that's the case it could be a packaging issue...)

LDAP Group:

dn: cn=super-sudo,ou=groups,o=home
objectClass: groupOfMembers
objectClass: posixGroup
cn: super-sudo
gidNumber: 90000
member: uid=mike,ou=users,o=home

LDAP Sudo Role:

dn: cn=super-sudo,ou=sudoers,o=home
objectClass: sudoRole
cn: super-sudo
sudoCommand: ALL
sudoHost: ALL
sudoOption: !authenticate
sudoRunAsGroup: ALL
sudoRunAsUser: ALL
sudoUser: %super-sudo

@millert
Collaborator

millert commented Nov 7, 2023

I'm able to reproduce the problem. As a workaround you can edit /etc/sudo.conf to be:

Plugin sudoers_policy sudoers.so
Plugin sudoers_io sudoers.so
Plugin sudoers_audit sudoers.so ldap_conf=/etc/ldap.conf ldap_secret=/path/to/ldap-password

replacing /etc/ldap.conf with where your ldap.conf file is located.
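The workaround above only helps if the path given to ldap_conf= actually exists and carries a SUDOERS_BASE; a silent "not in sudoers file" is all you see otherwise. The following is an added example (not sudo project code) that parses the Plugin lines of a sudo.conf, resolves which ldap.conf sudo would be pointed at, and reports the checks an administrator would want before trusting LDAP-backed sudo: that the file exists, that it defines SUDOERS_BASE, and that the ldap_secret file is not readable by group or other. It assumes a compiled-in default of /etc/ldap.conf (distributions differ; the thread's Arch setup uses /etc/openldap/ldap.conf) and that an ldap_conf= / ldap_secret= argument is honoured on whichever sudoers_* Plugin line carries it. The sudo.conf text and the scratch ldap.conf/secret files are constructed for the demo.

```python
"""Audit a sudo.conf for the sudoers LDAP settings discussed in the thread (added example, not sudo's code)."""
import os
import shlex
import stat
import tempfile

# Assumption: sudo's compiled-in default; distributions may build with another path.
DEFAULT_LDAP_CONF = "/etc/ldap.conf"

# Constructed sudo.conf shaped like the one in the thread; {extra} is where the
# ldap_conf= workaround goes and {secret} is the ldap_secret path.
SUDO_CONF_TEMPLATE = """\
Plugin sudoers_policy sudoers.so
Plugin sudoers_io sudoers.so
Plugin sudoers_audit sudoers.so {extra}ldap_secret={secret}
"""


def parse_plugins(text):
    """Map each Plugin name to its shared-object path and key=value arguments."""
    plugins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = shlex.split(line)
        if len(parts) < 3 or parts[0] != "Plugin":
            continue
        name, path = parts[1], parts[2]
        args = {}
        for arg in parts[3:]:
            key, _, value = arg.partition("=")
            args[key] = value
        plugins[name] = {"path": path, "args": args}
    return plugins


def plugin_arg(plugins, key):
    """First value of key= found on any sudoers_* Plugin line, else None (assumed lookup order)."""
    for name, entry in plugins.items():
        if name.startswith("sudoers_") and key in entry["args"]:
            return entry["args"][key]
    return None


def audit_ldap_setup(sudo_conf_text, default_conf=DEFAULT_LDAP_CONF):
    """Return a list of human-readable findings; an empty list means nothing to flag."""
    findings = []
    plugins = parse_plugins(sudo_conf_text)
    if "sudoers_policy" not in plugins:
        findings.append("no sudoers_policy Plugin line; sudoers LDAP will never be consulted")

    conf = plugin_arg(plugins, "ldap_conf") or default_conf
    if not os.path.isfile(conf):
        findings.append(f"ldap.conf not found at {conf}; set ldap_conf= on the sudoers Plugin line")
    else:
        with open(conf) as fh:
            keys = {ln.split()[0].upper() for ln in fh if ln.strip() and not ln.startswith("#")}
        if "SUDOERS_BASE" not in keys:
            findings.append(f"{conf} has no SUDOERS_BASE, so no sudoRole search base is defined")

    secret = plugin_arg(plugins, "ldap_secret")
    if secret is not None:
        if not os.path.isfile(secret):
            findings.append(f"ldap_secret file {secret} does not exist")
        elif os.stat(secret).st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            mode = stat.S_IMODE(os.stat(secret).st_mode)
            findings.append(f"ldap_secret file {secret} is mode {mode:04o}; the bind password should be readable by root only")
    return findings


def demo():
    """Build a scratch ldap.conf and bind-secret file, then audit the two sudo.conf
    variants from the thread. Returns (findings_before, findings_with_workaround)."""
    with tempfile.TemporaryDirectory() as tmp:
        conf = os.path.join(tmp, "ldap.conf")
        secret = os.path.join(tmp, "ldap-password")
        missing = os.path.join(tmp, "no-such-ldap.conf")   # stands in for a default path sudo cannot read
        with open(conf, "w") as fh:
            fh.write("URI ldapi://%2frun%2fopenldap%2fslapd.sock\nBASE o=home\nSUDOERS_BASE o=home\n")
        with open(secret, "w") as fh:
            fh.write("constructed-bind-password\n")
        os.chmod(secret, 0o644)   # deliberately too permissive so the audit flags it
        before = audit_ldap_setup(SUDO_CONF_TEMPLATE.format(extra="", secret=secret), missing)
        after = audit_ldap_setup(SUDO_CONF_TEMPLATE.format(extra=f"ldap_conf={conf} ", secret=secret), missing)
        return before, after


if __name__ == "__main__":
    for label, findings in zip(("before", "with ldap_conf="), demo()):
        print(label, findings or ["ok"])
```

Run against a real host by passing the contents of /etc/sudo.conf to audit_ldap_setup() with the default_conf your distribution compiles in; the "before" case in demo() reproduces the symptom in this issue (no readable ldap.conf, so no LDAP lookup), and the "after" case shows the ldap_conf= workaround resolving it while still flagging the over-permissive secret file.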

millert added a commit that referenced this issue Nov 7, 2023
Fixes GitHub issue #325, a bug introduced in sudo 1.9.15.
@millert
Collaborator

millert commented Nov 7, 2023

This is fixed by sudo 1.9.15p1, available now.

@millert millert closed this as completed Nov 7, 2023
millert added a commit that referenced this issue Nov 9, 2023
This is less error-prone and would have avoided GitHub issue #325.