wellwhoopdedooo n00b
Joined: 04 Mar 2005 Posts: 69
Posted: Sun Aug 10, 2008 10:47 am Post subject: [SOLVED] sudo with ldap not finding entries
OK, this has driven me crazy forever, through multiple versions of sudo and openldap, and I'm at the end of my rope.
I have sudo configured to pull entries from LDAP, and it's doing the search (from what I can tell, the correct search), but I get nothing. Let's see the results:
/etc/ldap.conf.sudo:
Code: | TLS_CACERT /etc/ssl/certs/lepertheory.pem

bind_policy soft
nss_connect_policy oneshot

ssl start_tls
ssl on

suffix "dc=lepertheory,dc=net"
uri ldaps://ldap.lepertheory.net/ ldaps://ldap-slave1.lepertheory.net/

ldap_version 3
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_member_attribute memberuid
pam_check_host_attr yes

base "dc=lepertheory,dc=net"
sudoers_base "ou=sudoers,dc=lepertheory,dc=net"

sudoers_debug 2

nss_base_passwd ou=People,dc=lepertheory,dc=net
nss_base_shadow ou=People,dc=lepertheory,dc=net
nss_base_group ou=Groups,dc=lepertheory,dc=net
nss_base_hosts ou=Hosts,dc=lepertheory,dc=net

scope one |
sudo debug:
Code: | davec@albania ~ $ sudo ls
LDAP Config Summary
===================
uri ldaps://ldap.lepertheory.net/ ldaps://ldap-slave1.lepertheory.net/
ldap_version 3
sudoers_base "ou=sudoers,dc=lepertheory,dc=net"
binddn (anonymous)
bindpw (anonymous)
ssl on
===================
sudo: ldap_initialize(ld, ldaps://ldap.lepertheory.net/ ldaps://ldap-slave1.lepertheory.net/)
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_set_option(LDAP_OPT_X_TLS, LDAP_OPT_X_TLS_HARD)
sudo: ldap_simple_bind_s() ok
sudo: no default options found!
sudo: ldap search '(|(sudoUser=davec)(sudoUser=%users)(sudoUser=%wheel)(sudoUser=ALL))'
sudo: nothing found for '(|(sudoUser=davec)(sudoUser=%users)(sudoUser=%wheel)(sudoUser=ALL))'
sudo: ldap search 'sudoUser=+*'
sudo: nothing found for 'sudoUser=+*'
sudo: user_matches=0
sudo: host_matches=0
sudo: sudo_ldap_check(0)=0x44
Password:
davec is not in the sudoers file. This incident will be reported. |
ldapsearch with what I believe is exactly the same query that sudo is executing:
Code: | davec@albania ~ $ ldapsearch -s one -x -b "ou=sudoers,dc=lepertheory,dc=net" '(|(sudoUser=davec)(sudoUser=%users)(sudoUser=%wheel)(sudoUser=ALL))'
# extended LDIF
#
# LDAPv3
# base <ou=sudoers,dc=lepertheory,dc=net> with scope oneLevel
# filter: (|(sudoUser=davec)(sudoUser=%users)(sudoUser=%wheel)(sudoUser=ALL))
# requesting: ALL
#
# Defaults:%users, sudoers, lepertheory.net
dn: cn=Defaults:%users,ou=sudoers,dc=lepertheory,dc=net
objectClass: top
objectClass: sudoRole
cn: Defaults:%users
sudoUser: %users
sudoHost: env_keep
sudoCommand: TZ
# %wheel, sudoers, lepertheory.net
dn: cn=%wheel,ou=sudoers,dc=lepertheory,dc=net
objectClass: top
objectClass: sudoRole
cn: %wheel
sudoUser: %wheel
sudoHost: ALL
sudoCommand: (ALL) ALL
sudoOption: !authenticate
# search result
search: 2
result: 0 Success
# numResponses: 3
# numEntries: 2 |
slapd debug from sudo:
Code: | >>> slap_listener(ldaps://)
connection_get(18): got connid=81
connection_read(18): checking for input on id=81
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(18): got connid=81
connection_read(18): checking for input on id=81
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
connection_read(18): unable to get TLS client DN, error=49 id=81
connection_get(18): got connid=81
connection_read(18): checking for input on id=81
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
do_bind
ber_get_next
ber_scanf fmt ({imt) ber:
ber_scanf fmt (m}) ber:
>>> dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <>
do_bind: version=3 dn="" method=128
send_ldap_result: conn=81 op=0 p=3
send_ldap_response: msgid=1 tag=97 err=0
ber_flush: 14 bytes to sd 18
do_bind: v3 anonymous bind
connection_get(18): got connid=81
connection_read(18): checking for input on id=81
ber_get_next
ber_get_next: tag 0x30 len 74 contents:
do_search
ber_scanf fmt ({miiiib) ber:
>>> dnPrettyNormal: <"ou=sudoers,dc=lepertheory,dc=net">
do_search: invalid dn ("ou=sudoers,dc=lepertheory,dc=net")
send_ldap_result: conn=81 op=1 p=3
send_ldap_response: msgid=2 tag=101 err=34
ber_get_next
ber_flush: 24 bytes to sd 18
connection_get(18): got connid=81
connection_read(18): checking for input on id=81
ber_get_next
ber_get_next: tag 0x30 len 137 contents:
do_search
ber_scanf fmt ({miiiib) ber:
>>> dnPrettyNormal: <"ou=sudoers,dc=lepertheory,dc=net">
do_search: invalid dn ("ou=sudoers,dc=lepertheory,dc=net")
send_ldap_result: conn=81 op=2 p=3
send_ldap_response: msgid=3 tag=101 err=34
ber_get_next
ber_flush: 24 bytes to sd 18
connection_get(18): got connid=81
connection_read(18): checking for input on id=81
ber_get_next
ber_get_next: tag 0x30 len 75 contents:
do_search
ber_scanf fmt ({miiiib) ber:
>>> dnPrettyNormal: <"ou=sudoers,dc=lepertheory,dc=net">
do_search: invalid dn ("ou=sudoers,dc=lepertheory,dc=net")
send_ldap_result: conn=81 op=3 p=3
send_ldap_response: msgid=4 tag=101 err=34
ber_get_next
ber_flush: 24 bytes to sd 18
connection_get(18): got connid=81
connection_read(18): checking for input on id=81
ber_get_next
ber_get_next: tag 0x30 len 5 contents:
do_unbind
ber_get_next
connection_closing: readying conn=81 sd=18 for close
connection_resched: attempting closing conn=81 sd=18
connection_close: conn=81 sd=18
TLS trace: SSL3 alert write:warning:close notify
>>> slap_listener(ldaps://)
connection_get(18): got connid=82
connection_read(18): checking for input on id=82
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(18): got connid=82
connection_read(18): checking for input on id=82
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
connection_read(18): unable to get TLS client DN, error=49 id=82
connection_get(18): got connid=82
connection_read(18): checking for input on id=82
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
do_bind
ber_get_next
ber_scanf fmt ({imt) ber:
ber_scanf fmt (m}) ber:
>>> dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <>
do_bind: version=3 dn="" method=128
send_ldap_result: conn=82 op=0 p=3
send_ldap_response: msgid=1 tag=97 err=0
ber_flush: 14 bytes to sd 18
do_bind: v3 anonymous bind
connection_get(18): got connid=82
connection_read(18): checking for input on id=82
ber_get_next
ber_get_next: tag 0x30 len 218 contents:
do_search
ber_scanf fmt ({miiiib) ber:
>>> dnPrettyNormal: <ou=People,dc=lepertheory,dc=net>
<<< dnPrettyNormal: <ou=People,dc=lepertheory,dc=net>, <ou=people,dc=lepertheory,dc=net>
ber_scanf fmt ({mm}) ber:
ber_scanf fmt ({mm}) ber:
ber_scanf fmt ({M}}) ber:
==> limits_get: conn=82 op=1 dn="[anonymous]"
=> bdb_search
bdb_dn2entry("ou=people,dc=lepertheory,dc=net")
search_candidates: base="ou=people,dc=lepertheory,dc=net" (0x00000002) scope=2
=> bdb_dn2idl("ou=people,dc=lepertheory,dc=net")
<= bdb_dn2idl: id=6 first=2 last=15
=> bdb_equality_candidates (objectClass)
=> key_read
<= bdb_index_read: failed (-30989)
<= bdb_equality_candidates: id=0, first=0, last=0
=> bdb_equality_candidates (objectClass)
=> key_read
<= bdb_index_read 6 candidates
<= bdb_equality_candidates: id=6, first=4, last=15
=> bdb_equality_candidates (uid)
=> key_read
<= bdb_index_read 1 candidates
<= bdb_equality_candidates: id=1, first=4, last=4
bdb_search_candidates: id=1 first=4 last=4
=> send_search_entry: conn 82 dn="uid=davec,ou=People,dc=lepertheory,dc=net"
ber_get_next
ber_flush: 68 bytes to sd 18
<= send_search_entry: conn 82 exit.
send_ldap_result: conn=82 op=1 p=3
send_ldap_response: msgid=2 tag=101 err=0
ber_flush: 14 bytes to sd 18
connection_get(18): got connid=82
connection_read(18): checking for input on id=82
ber_get_next
ber_get_next: tag 0x30 len 5 contents:
do_unbind
ber_get_next
connection_closing: readying conn=82 sd=18 for close
connection_resched: attempting closing conn=82 sd=18
connection_close: conn=82 sd=18
TLS trace: SSL3 alert write:warning:close notify |
slapd debug from ldapsearch:
Code: | >>> slap_listener(ldap://)
connection_get(18): got connid=88
connection_read(18): checking for input on id=88
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
do_bind
ber_get_next
ber_scanf fmt ({imt) ber:
ber_scanf fmt (m}) ber:
>>> dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <>
do_bind: version=3 dn="" method=128
send_ldap_result: conn=88 op=0 p=3
send_ldap_response: msgid=1 tag=97 err=0
ber_flush: 14 bytes to sd 18
do_bind: v3 anonymous bind
connection_get(18): got connid=88
connection_read(18): checking for input on id=88
ber_get_next
ber_get_next: tag 0x30 len 135 contents:
do_search
ber_scanf fmt ({miiiib) ber:
>>> dnPrettyNormal: <ou=sudoers,dc=lepertheory,dc=net>
<<< dnPrettyNormal: <ou=sudoers,dc=lepertheory,dc=net>, <ou=sudoers,dc=lepertheory,dc=net>
ber_scanf fmt ({mm}) ber:
ber_scanf fmt ({mm}) ber:
ber_scanf fmt ({mm}) ber:
ber_scanf fmt ({mm}) ber:
ber_scanf fmt ({M}}) ber:
==> limits_get: conn=88 op=1 dn="[anonymous]"
=> bdb_search
bdb_dn2entry("ou=sudoers,dc=lepertheory,dc=net")
search_candidates: base="ou=sudoers,dc=lepertheory,dc=net" (0x00000009) scope=1
=> bdb_dn2idl("ou=sudoers,dc=lepertheory,dc=net")
<= bdb_dn2idl: id=4 first=10 last=13
=> bdb_equality_candidates (objectClass)
=> key_read
<= bdb_index_read: failed (-30989)
<= bdb_equality_candidates: id=0, first=0, last=0
=> bdb_equality_candidates (sudoUser)
<= bdb_equality_candidates: (sudoUser) not indexed
=> bdb_equality_candidates (sudoUser)
<= bdb_equality_candidates: (sudoUser) not indexed
=> bdb_equality_candidates (sudoUser)
<= bdb_equality_candidates: (sudoUser) not indexed
=> bdb_equality_candidates (sudoUser)
<= bdb_equality_candidates: (sudoUser) not indexed
bdb_search_candidates: id=-1 first=10 last=13
bdb_search: 10 does not match filter
=> send_search_entry: conn 88 dn="cn=Defaults:%users,ou=sudoers,dc=lepertheory,dc=net"
ber_get_next
ber_flush: 188 bytes to sd 18
<= send_search_entry: conn 88 exit.
bdb_search: 12 does not match filter
=> send_search_entry: conn 88 dn="cn=%wheel,ou=sudoers,dc=lepertheory,dc=net"
ber_flush: 204 bytes to sd 18
<= send_search_entry: conn 88 exit.
send_ldap_result: conn=88 op=1 p=3
send_ldap_response: msgid=2 tag=101 err=0
ber_flush: 14 bytes to sd 18
connection_get(18): got connid=88
connection_read(18): checking for input on id=88
ber_get_next
ber_get_next: tag 0x30 len 5 contents:
do_unbind
ber_get_next
ber_get_next on fd 18 failed errno=0 (Success)
connection_closing: readying conn=88 sd=18 for close
connection_close: deferring conn=88 sd=18
connection_resched: attempting closing conn=88 sd=18
connection_close: conn=88 sd=18 |
As you can see, the two slapd outputs are pretty different, but I think the problem comes down to this:
sudo debug:
Code: | >>> dnPrettyNormal: <"ou=sudoers,dc=lepertheory,dc=net">
do_search: invalid dn ("ou=sudoers,dc=lepertheory,dc=net") |
ldapsearch debug:
Code: | >>> dnPrettyNormal: <ou=sudoers,dc=lepertheory,dc=net>
<<< dnPrettyNormal: <ou=sudoers,dc=lepertheory,dc=net>, <ou=sudoers,dc=lepertheory,dc=net> |
So... what's up with that? I was thinking maybe there was a typo that I wasn't seeing, but I've copied and pasted the base and query into ldapsearch, and that's exactly what it returns.
I'm completely baffled. Please help.
Last edited by wellwhoopdedooo on Sun Aug 10, 2008 7:08 pm; edited 1 time in total
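The filter in the sudo debug output above, (|(sudoUser=davec)(sudoUser=%users)(sudoUser=%wheel)(sudoUser=ALL)), is the login name, each of the user's groups prefixed with %, and the literal ALL, OR-ed together. The function below is an added example, not sudo's own implementation: it assembles that filter from a user and a group list and escapes every value per RFC 4515, so a login or group name containing ( ) * or \ stays a literal value instead of becoming filter syntax. The names are the ones from the post; the group list is constructed.

```python
"""Build the sudoUser filter seen in the sudo debug output, with RFC 4515
value escaping.  Added example; not sudo's own implementation."""


def escape_filter_value(value):
    """RFC 4515: backslash, asterisk, parentheses and NUL become \\XX hex
    escapes, so a value can never close or extend the enclosing filter."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def sudo_user_filter(user, groups, attr="sudoUser"):
    """OR together the login name, each group prefixed with '%', and ALL,
    in the order the debug line shows."""
    terms = ["(%s=%s)" % (attr, escape_filter_value(user))]
    terms += ["(%s=%%%s)" % (attr, escape_filter_value(g)) for g in groups]
    terms.append("(%s=ALL)" % attr)
    return "(|" + "".join(terms) + ")"


if __name__ == "__main__":
    # Login name from the post; the group list is constructed for the example.
    print(sudo_user_filter("davec", ["users", "wheel"]))
    # A hostile login name is escaped rather than parsed as new filter terms.
    print(sudo_user_filter("x)(sudoUser=*", []))
```

Run it and compare the first line with the `sudo: ldap search` line in the debug output; the second line shows the parentheses and asterisk rendered as \29, \28 and \2a.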
Janne Pikkarainen Veteran
Joined: 29 Jul 2003 Posts: 1143 Location: Helsinki, Finland
Posted: Sun Aug 10, 2008 11:09 am Post subject: Re: sudo with ldap not finding entries
wellwhoopdedooo wrote: | OK, this has driven me crazy forever, through multiple versions of sudo and openldap, and I'm at the end of my rope.
Code: | base "dc=lepertheory,dc=net"
sudoers_base "ou=sudoers,dc=lepertheory,dc=net" |
Remove the quotes from those lines, so they become:
Code: | base dc=lepertheory,dc=net
sudoers_base ou=sudoers,dc=lepertheory,dc=net |
_________________ Yes, I'm the man. Now it's your turn to decide if I meant "Yes, I'm the male." or "Yes, I am the Unix Manual Page.".
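A small check that reproduces the diagnosis above, added here as an example and not code from the thread, from sudo or from OpenLDAP. It parses an ldap.conf-style file the literal way (everything after the key is the value, quote characters included), flags DN-valued keys whose value is wrapped in quotes, and confirms that stripping the quotes leaves a DN a server would accept. Result code 34 is LDAP invalidDNSyntax, which is the err=34 slapd logged for the sudo searches. The sample config is constructed to mirror the one in the first post; the DN check is a deliberately small subset of RFC 4514, and the list of keys treated as bare DNs (base, sudoers_base, binddn, rootbinddn) is an assumption.

```python
"""Lint an ldap.conf-style file for the quoted-DN mistake seen in this thread.

Added example, not sudo's or OpenLDAP's code.  A literal-minded parser keeps
the quotes as part of the value, so the server receives "ou=sudoers,..." with
the quote characters and answers result code 34 (invalidDNSyntax), which is
what the slapd trace shows as err=34.
"""
import re

# Assumption: these keys carry a bare DN that is sent to the server unchanged.
DN_KEYS = {"base", "sudoers_base", "binddn", "rootbinddn"}

# Constructed sample shaped like the /etc/ldap.conf.sudo in the first post.
SAMPLE_CONF = """
TLS_CACERT /etc/ssl/certs/lepertheory.pem
ssl on
uri ldaps://ldap.lepertheory.net/ ldaps://ldap-slave1.lepertheory.net/
base "dc=lepertheory,dc=net"
sudoers_base "ou=sudoers,dc=lepertheory,dc=net"
scope one
"""


def parse_conf(text):
    """Split key/value the literal way: the value is everything after the
    first run of whitespace, quotes and all; comments and blanks are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


# Small RFC 4514 subset: attrType=value RDNs joined by commas, where a value
# may not contain an unescaped , + " \ < > or ; character.
_RDN = r'[A-Za-z][A-Za-z0-9-]*=(?:[^,+"\\<>;]|\\.)*'
_DN_RE = re.compile(r'^(?:' + _RDN + r')(?:,(?:' + _RDN + r'))*$')


def is_valid_dn(dn):
    """True for the empty DN (the root) or a DN matching the subset above."""
    return dn == "" or _DN_RE.match(dn) is not None


def _is_quoted(value):
    return len(value) >= 2 and value[0] == '"' and value[-1] == '"'


def lint_dn_keys(conf):
    """Map each DN-valued key the server would reject to a short explanation."""
    problems = {}
    for key in sorted(DN_KEYS & conf.keys()):
        value = conf[key]
        if _is_quoted(value):
            problems[key] = ("value is wrapped in quotes; the server would see %r "
                             "and answer invalidDNSyntax (34)" % value)
        elif not is_valid_dn(value):
            problems[key] = "not a valid DN: %r" % value
    return problems


def strip_quotes(conf):
    """Copy of conf with surrounding quotes removed from DN-valued keys,
    which is the fix given in the thread."""
    fixed = dict(conf)
    for key in DN_KEYS & conf.keys():
        if _is_quoted(conf[key]):
            fixed[key] = conf[key][1:-1]
    return fixed


if __name__ == "__main__":
    conf = parse_conf(SAMPLE_CONF)
    for key, why in lint_dn_keys(conf).items():
        print("%s: %s" % (key, why))
    print("after fix:", lint_dn_keys(strip_quotes(conf)) or "no DN problems")
```

Point `parse_conf` at the real file contents before deploying a sudo LDAP config: the failure mode here is silent from the user's side (sudo just reports the user is not in sudoers), so a pre-flight check on the DN values is cheaper than reading slapd traces.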
wellwhoopdedooo n00b
Joined: 04 Mar 2005 Posts: 69
Posted: Sun Aug 10, 2008 11:34 am
Oh. My. God.
If you had any idea how long I've fought with this...
Thank you thank you thank you.
Strange thing is, the quotes work with no complaint with nss_ldap. Anyway, thanks!
Janne Pikkarainen Veteran
Joined: 29 Jul 2003 Posts: 1143 Location: Helsinki, Finland
Posted: Sun Aug 10, 2008 6:44 pm
wellwhoopdedooo wrote: | Oh. My. God.
If you had any idea how long I've fought with this...
Thank you thank you thank you.
Strange thing is, the quotes work with no complaint with nss_ldap. Anyway, thanks! |
No problem! Please add SOLVED to the topic of this message.