[SOLVED] sudo with ldap not finding entries

wellwhoopdedooo
n00b
Posts: 69
Joined: Fri Mar 04, 2005 6:06 pm

Post by wellwhoopdedooo » Sun Aug 10, 2008 10:47 am

OK, this has driven me crazy forever, through multiple versions of sudo and openldap, and I'm at the end of my rope.

I have a sudo configured to pull entries from LDAP, and it's doing the search, from what I can tell the correct search, but I get nothing. But let's see the results:

/etc/ldap.conf.sudo:

Code:

  1 TLS_CACERT /etc/ssl/certs/lepertheory.pem
  2
  3 bind_policy soft
  4 nss_connect_policy oneshot
  5
  6 ssl start_tls
  7 ssl on
  8
  9 suffix "dc=lepertheory,dc=net"
 10 uri    ldaps://ldap.lepertheory.net/ ldaps://ldap-slave1.lepertheory.net/
 11
 12 ldap_version 3
 13 pam_filter           objectclass=posixAccount
 14 pam_login_attribute  uid
 15 pam_member_attribute memberuid
 16 pam_check_host_attr  yes
 17
 18 base         "dc=lepertheory,dc=net"
 19 sudoers_base "ou=sudoers,dc=lepertheory,dc=net"
 20
 21 sudoers_debug 2
 22
 23 nss_base_passwd ou=People,dc=lepertheory,dc=net
 24 nss_base_shadow ou=People,dc=lepertheory,dc=net
 25 nss_base_group  ou=Groups,dc=lepertheory,dc=net
 26 nss_base_hosts  ou=Hosts,dc=lepertheory,dc=net
 27
 28 scope one

sudo debug:

Code:

davec@albania ~ $ sudo ls
LDAP Config Summary
===================
uri          ldaps://ldap.lepertheory.net/ ldaps://ldap-slave1.lepertheory.net/
ldap_version 3
sudoers_base "ou=sudoers,dc=lepertheory,dc=net"
binddn       (anonymous)
bindpw       (anonymous)
ssl          on
===================
sudo: ldap_initialize(ld, ldaps://ldap.lepertheory.net/ ldaps://ldap-slave1.lepertheory.net/)
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_set_option(LDAP_OPT_X_TLS, LDAP_OPT_X_TLS_HARD)

sudo: ldap_simple_bind_s() ok
sudo: no default options found!
sudo: ldap search '(|(sudoUser=davec)(sudoUser=%users)(sudoUser=%wheel)(sudoUser=ALL))'
sudo: nothing found for '(|(sudoUser=davec)(sudoUser=%users)(sudoUser=%wheel)(sudoUser=ALL))'
sudo: ldap search 'sudoUser=+*'
sudo: nothing found for 'sudoUser=+*'
sudo: user_matches=0
sudo: host_matches=0
sudo: sudo_ldap_check(0)=0x44
Password:
davec is not in the sudoers file.  This incident will be reported.

ldap search with what I believe is exactly the same query as ldapsearch is executing:

Code:

davec@albania ~ $ ldapsearch -s one -x -b "ou=sudoers,dc=lepertheory,dc=net" '(|(sudoUser=davec)(sudoUser=%users)(sudoUser=%wheel)(sudoUser=ALL))'
# extended LDIF
#
# LDAPv3
# base <ou=sudoers,dc=lepertheory,dc=net> with scope oneLevel
# filter: (|(sudoUser=davec)(sudoUser=%users)(sudoUser=%wheel)(sudoUser=ALL))
# requesting: ALL
#

# Defaults:%users, sudoers, lepertheory.net
dn: cn=Defaults:%users,ou=sudoers,dc=lepertheory,dc=net
objectClass: top
objectClass: sudoRole
cn: Defaults:%users
sudoUser: %users
sudoHost: env_keep
sudoCommand: TZ

# %wheel, sudoers, lepertheory.net
dn: cn=%wheel,ou=sudoers,dc=lepertheory,dc=net
objectClass: top
objectClass: sudoRole
cn: %wheel
sudoUser: %wheel
sudoHost: ALL
sudoCommand: (ALL) ALL
sudoOption: !authenticate

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2

slapd debug from sudo:

Code:

>>> slap_listener(ldaps://)
connection_get(18): got connid=81
connection_read(18): checking for input on id=81
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(18): got connid=81
connection_read(18): checking for input on id=81
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
connection_read(18): unable to get TLS client DN, error=49 id=81
connection_get(18): got connid=81
connection_read(18): checking for input on id=81
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
do_bind
ber_get_next
ber_scanf fmt ({imt) ber:
ber_scanf fmt (m}) ber:
>>> dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <>
do_bind: version=3 dn="" method=128
send_ldap_result: conn=81 op=0 p=3
send_ldap_response: msgid=1 tag=97 err=0
ber_flush: 14 bytes to sd 18
do_bind: v3 anonymous bind
connection_get(18): got connid=81
connection_read(18): checking for input on id=81
ber_get_next
ber_get_next: tag 0x30 len 74 contents:
do_search
ber_scanf fmt ({miiiib) ber:
>>> dnPrettyNormal: <"ou=sudoers,dc=lepertheory,dc=net">
do_search: invalid dn ("ou=sudoers,dc=lepertheory,dc=net")
send_ldap_result: conn=81 op=1 p=3
send_ldap_response: msgid=2 tag=101 err=34
ber_get_next
ber_flush: 24 bytes to sd 18
connection_get(18): got connid=81
connection_read(18): checking for input on id=81
ber_get_next
ber_get_next: tag 0x30 len 137 contents:
do_search
ber_scanf fmt ({miiiib) ber:
>>> dnPrettyNormal: <"ou=sudoers,dc=lepertheory,dc=net">
do_search: invalid dn ("ou=sudoers,dc=lepertheory,dc=net")
send_ldap_result: conn=81 op=2 p=3
send_ldap_response: msgid=3 tag=101 err=34
ber_get_next
ber_flush: 24 bytes to sd 18
connection_get(18): got connid=81
connection_read(18): checking for input on id=81
ber_get_next
ber_get_next: tag 0x30 len 75 contents:
do_search
ber_scanf fmt ({miiiib) ber:
>>> dnPrettyNormal: <"ou=sudoers,dc=lepertheory,dc=net">
do_search: invalid dn ("ou=sudoers,dc=lepertheory,dc=net")
send_ldap_result: conn=81 op=3 p=3
send_ldap_response: msgid=4 tag=101 err=34
ber_get_next
ber_flush: 24 bytes to sd 18
connection_get(18): got connid=81
connection_read(18): checking for input on id=81
ber_get_next
ber_get_next: tag 0x30 len 5 contents:
do_unbind
ber_get_next
connection_closing: readying conn=81 sd=18 for close
connection_resched: attempting closing conn=81 sd=18
connection_close: conn=81 sd=18
TLS trace: SSL3 alert write:warning:close notify
>>> slap_listener(ldaps://)
connection_get(18): got connid=82
connection_read(18): checking for input on id=82
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(18): got connid=82
connection_read(18): checking for input on id=82
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
connection_read(18): unable to get TLS client DN, error=49 id=82
connection_get(18): got connid=82
connection_read(18): checking for input on id=82
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
do_bind
ber_get_next
ber_scanf fmt ({imt) ber:
ber_scanf fmt (m}) ber:
>>> dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <>
do_bind: version=3 dn="" method=128
send_ldap_result: conn=82 op=0 p=3
send_ldap_response: msgid=1 tag=97 err=0
ber_flush: 14 bytes to sd 18
do_bind: v3 anonymous bind
connection_get(18): got connid=82
connection_read(18): checking for input on id=82
ber_get_next
ber_get_next: tag 0x30 len 218 contents:
do_search
ber_scanf fmt ({miiiib) ber:
>>> dnPrettyNormal: <ou=People,dc=lepertheory,dc=net>
<<< dnPrettyNormal: <ou=People,dc=lepertheory,dc=net>, <ou=people,dc=lepertheory,dc=net>
ber_scanf fmt ({mm}) ber:
ber_scanf fmt ({mm}) ber:
ber_scanf fmt ({M}}) ber:
==> limits_get: conn=82 op=1 dn="[anonymous]"
=> bdb_search
bdb_dn2entry("ou=people,dc=lepertheory,dc=net")
search_candidates: base="ou=people,dc=lepertheory,dc=net" (0x00000002) scope=2
=> bdb_dn2idl("ou=people,dc=lepertheory,dc=net")
<= bdb_dn2idl: id=6 first=2 last=15
=> bdb_equality_candidates (objectClass)
=> key_read
<= bdb_index_read: failed (-30989)
<= bdb_equality_candidates: id=0, first=0, last=0
=> bdb_equality_candidates (objectClass)
=> key_read
<= bdb_index_read 6 candidates
<= bdb_equality_candidates: id=6, first=4, last=15
=> bdb_equality_candidates (uid)
=> key_read
<= bdb_index_read 1 candidates
<= bdb_equality_candidates: id=1, first=4, last=4
bdb_search_candidates: id=1 first=4 last=4
=> send_search_entry: conn 82 dn="uid=davec,ou=People,dc=lepertheory,dc=net"
ber_get_next
ber_flush: 68 bytes to sd 18
<= send_search_entry: conn 82 exit.
send_ldap_result: conn=82 op=1 p=3
send_ldap_response: msgid=2 tag=101 err=0
ber_flush: 14 bytes to sd 18
connection_get(18): got connid=82
connection_read(18): checking for input on id=82
ber_get_next
ber_get_next: tag 0x30 len 5 contents:
do_unbind
ber_get_next
connection_closing: readying conn=82 sd=18 for close
connection_resched: attempting closing conn=82 sd=18
connection_close: conn=82 sd=18
TLS trace: SSL3 alert write:warning:close notify

ldap debug from ldapsearch:

Code:

>>> slap_listener(ldap://)
connection_get(18): got connid=88
connection_read(18): checking for input on id=88
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
do_bind
ber_get_next
ber_scanf fmt ({imt) ber:
ber_scanf fmt (m}) ber:
>>> dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <>
do_bind: version=3 dn="" method=128
send_ldap_result: conn=88 op=0 p=3
send_ldap_response: msgid=1 tag=97 err=0
ber_flush: 14 bytes to sd 18
do_bind: v3 anonymous bind
connection_get(18): got connid=88
connection_read(18): checking for input on id=88
ber_get_next
ber_get_next: tag 0x30 len 135 contents:
do_search
ber_scanf fmt ({miiiib) ber:
>>> dnPrettyNormal: <ou=sudoers,dc=lepertheory,dc=net>
<<< dnPrettyNormal: <ou=sudoers,dc=lepertheory,dc=net>, <ou=sudoers,dc=lepertheory,dc=net>
ber_scanf fmt ({mm}) ber:
ber_scanf fmt ({mm}) ber:
ber_scanf fmt ({mm}) ber:
ber_scanf fmt ({mm}) ber:
ber_scanf fmt ({M}}) ber:
==> limits_get: conn=88 op=1 dn="[anonymous]"
=> bdb_search
bdb_dn2entry("ou=sudoers,dc=lepertheory,dc=net")
search_candidates: base="ou=sudoers,dc=lepertheory,dc=net" (0x00000009) scope=1
=> bdb_dn2idl("ou=sudoers,dc=lepertheory,dc=net")
<= bdb_dn2idl: id=4 first=10 last=13
=> bdb_equality_candidates (objectClass)
=> key_read
<= bdb_index_read: failed (-30989)
<= bdb_equality_candidates: id=0, first=0, last=0
=> bdb_equality_candidates (sudoUser)
<= bdb_equality_candidates: (sudoUser) not indexed
=> bdb_equality_candidates (sudoUser)
<= bdb_equality_candidates: (sudoUser) not indexed
=> bdb_equality_candidates (sudoUser)
<= bdb_equality_candidates: (sudoUser) not indexed
=> bdb_equality_candidates (sudoUser)
<= bdb_equality_candidates: (sudoUser) not indexed
bdb_search_candidates: id=-1 first=10 last=13
bdb_search: 10 does not match filter
=> send_search_entry: conn 88 dn="cn=Defaults:%users,ou=sudoers,dc=lepertheory,dc=net"
ber_get_next
ber_flush: 188 bytes to sd 18
<= send_search_entry: conn 88 exit.
bdb_search: 12 does not match filter
=> send_search_entry: conn 88 dn="cn=%wheel,ou=sudoers,dc=lepertheory,dc=net"
ber_flush: 204 bytes to sd 18
<= send_search_entry: conn 88 exit.
send_ldap_result: conn=88 op=1 p=3
send_ldap_response: msgid=2 tag=101 err=0
ber_flush: 14 bytes to sd 18
connection_get(18): got connid=88
connection_read(18): checking for input on id=88
ber_get_next
ber_get_next: tag 0x30 len 5 contents:
do_unbind
ber_get_next
ber_get_next on fd 18 failed errno=0 (Success)
connection_closing: readying conn=88 sd=18 for close
connection_close: deferring conn=88 sd=18
connection_resched: attempting closing conn=88 sd=18
connection_close: conn=88 sd=18

As you can see the two slapd outputs are pretty different, but I think the problem comes down to this:

sudo debug:

Code:

>>> dnPrettyNormal: <"ou=sudoers,dc=lepertheory,dc=net">
do_search: invalid dn ("ou=sudoers,dc=lepertheory,dc=net")

ldapsearch debug:

Code:

>>> dnPrettyNormal: <ou=sudoers,dc=lepertheory,dc=net>
<<< dnPrettyNormal: <ou=sudoers,dc=lepertheory,dc=net>, <ou=sudoers,dc=lepertheory,dc=net>
So... what's up with that? I was thinking maybe there was a typo that I wasn't seeing, but I've copied and pasted the base and query into ldapsearch, and that's exactly what it returns.

I'm completely baffled. Please help.
Last edited by wellwhoopdedooo on Sun Aug 10, 2008 7:08 pm, edited 1 time in total.
Janne Pikkarainen
Veteran
Posts: 1143
Joined: Tue Jul 29, 2003 6:36 pm
Location: Helsinki, Finland

Re: sudo with ldap not finding entries

Post by Janne Pikkarainen » Sun Aug 10, 2008 11:09 am

wellwhoopdedooo wrote: OK, this has driven me crazy forever, through multiple versions of sudo and openldap, and I'm at the end of my rope.

Code:

 18 base         "dc=lepertheory,dc=net"
 19 sudoers_base "ou=sudoers,dc=lepertheory,dc=net"

Remove the quotes from those lines, so they will be:

Code:

base     dc=lepertheory,dc=net
sudoers_base ou=sudoers,dc=lepertheory,dc=net

Yes, I'm the man. Now it's your turn to decide if I meant "Yes, I'm the male." or "Yes, I am the Unix Manual Page.".
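Why slapd accepted ldapsearch's base but rejected sudo's: the slapd trace shows sudo sending the base DN with the quote characters included, which is not valid DN syntax (result code 34 is invalidDNSyntax). The Python checker below is an added example, not code from sudo or nss_ldap: it reads an ldap.conf-style file the same literal way and flags DN-valued keys whose value would be rejected, using a constructed sample patterned after the config in this thread.

```python
import re

# Keys whose values are DNs that the client hands to slapd verbatim (sudo's
# sudoers_base, and the nss_ldap base keys, which may carry a ?scope?filter suffix).
DN_KEYS = {"base", "sudoers_base", "nss_base_passwd", "nss_base_shadow",
           "nss_base_group", "nss_base_hosts"}
# Simplified RFC 4514 RDN check (attributeType=value, value non-empty); multi-valued
# RDNs and escaped commas are not handled, which is enough for a config lint.
RDN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,=+]+$")

def parse_ldap_conf(text):
    """Read 'key value' lines literally, as sudo did in the thread: no quote stripping."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            conf[parts[0].lower()] = parts[1].strip()
    return conf

def dn_problems(dn):
    """Reasons slapd would answer 34 (invalidDNSyntax) for this DN; [] if it looks fine."""
    problems = []
    dn = dn.split("?", 1)[0]  # drop an nss_ldap '?scope?filter' suffix
    if dn.startswith('"') or dn.endswith('"'):
        problems.append("value is wrapped in quotes; they are sent as part of the DN")
    for rdn in dn.strip('"').split(","):
        if not RDN_RE.match(rdn.strip()):
            problems.append("malformed RDN %r" % rdn)
    return problems

def lint(text):
    """Map each DN-valued key that has a problem to its list of problems."""
    report = {}
    for key, value in parse_ldap_conf(text).items():
        problems = dn_problems(value) if key in DN_KEYS else []
        if problems:
            report[key] = problems
    return report

# Constructed sample patterned after the thread's ldap.conf.sudo (not the original file).
BROKEN = """\
base         "dc=lepertheory,dc=net"
sudoers_base "ou=sudoers,dc=lepertheory,dc=net"
nss_base_passwd ou=People,dc=lepertheory,dc=net?one
"""
FIXED = BROKEN.replace('"', "")
```

Running `lint(BROKEN)` reports the two quoted keys, and `lint(FIXED)` reports nothing, matching what the slapd trace showed before and after the fix.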
wellwhoopdedooo
n00b
Posts: 69
Joined: Fri Mar 04, 2005 6:06 pm

Post by wellwhoopdedooo » Sun Aug 10, 2008 11:34 am

Oh. My. God.

If you had any idea how long I've fought with this...

Thank you thank you thank you.

Strange thing is, the quotes work with no complaint with nss_ldap. Anyway, thanks!
Janne Pikkarainen
Veteran
Posts: 1143
Joined: Tue Jul 29, 2003 6:36 pm
Location: Helsinki, Finland

Post by Janne Pikkarainen » Sun Aug 10, 2008 6:44 pm

wellwhoopdedooo wrote: Oh. My. God.

If you had any idea how long I've fought with this...

Thank you thank you thank you.

Strange thing is, the quotes work with no complaint with nss_ldap. Anyway, thanks!
No problem! Please add SOLVED to the topic of this message. ;)

Yes, I'm the man. Now it's your turn to decide if I meant "Yes, I'm the male." or "Yes, I am the Unix Manual Page.".