Fwd: SSSD not using 389-ds to auth for SUDO
by Bindu G
Hello All,
ldapsearch output as follows:
# LDAPAdministrator1, Groups, cee, nsn
dn: cn=LDAPAdministrator1,ou=Groups,ou=cee,o=nsn
member: uid=bindu1,ou=People,ou=cee,o=nsn
member: uid=bindu2,ou=People,ou=cee,o=nsn
objectClass: top
objectClass: groupofnames
objectClass: posixGroup
objectClass: nsMemberOf
cn: LDAPAdministrator1
gidNumber: 1520
# %LDAPAdministrator1, Groups, cee, nsn
dn: cn=%LDAPAdministrator1,ou=Groups,ou=cee,o=nsn
cn: %LDAPAdministrator1
objectClass: top
objectClass: sudoRole
sudoHost: ALL
sudoCommand: ALL
sudoOption: !authenticate
sudoRunAsUser: ALL
sudoUser: %LDAPAdministrator1
/etc/sssd/sssd.conf
[nss]
enum_cache_timeout = 30
filter_users = root
filter_groups = root
reconnection_retries = 3
memcache_timeout = 3600
[pam]
offline_credentials_expiration = 3
offline_failed_login_attempts = 5
[sudo]
debug_level = 9
[ssh]
[domain/cee]
debug_level = 9
full_name_format = %1$s
min_id = 1500
max_id = 41999
enumerate = true
cache_credentials = true
account_cache_expiration = 5
id_provider = ldap
auth_provider = ldap
access_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://lcm-int-vip
ldap_tls_reqcert = demand
ldap_tls_cacert = /var/lib/pki/endpoints/sssd/cacert/infrastructure-chain.pem
ldap_id_use_start_tls = true
ldap_enumeration_refresh_timeout = 10
ldap_purge_cache_timeout = 60
entry_cache_timeout = 600
ldap_network_timeout = 2
ldap_user_search_base = ou=People,ou=cee,o=nsn
ldap_schema = rfc2307bis
ldap_default_bind_dn = uid=sssdadmin_infra,ou=ServiceUsers,ou=cee,o=nsn
ldap_default_authtok_type = password
ldap_default_authtok = IPgqe9ihhWUXWUeVo2bp3caiZ4HUzP4VdZI6KvKo
ldap_user_object_class = posixAccount
ldap_user_name = uid
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_user_gecos = description
ldap_user_home_directory = homeDirectory
ldap_user_shell = loginShell
ldap_ns_account_lock = nsAccountLock
ldap_user_ssh_public_key = sshPublicKey
ldap_group_object_class = posixGroup
ldap_group_name = cn
ldap_group_gid_number = gidNumber
ldap_group_member = member
ldap_pwd_policy = none
ldap_account_expire_policy = 389ds
ldap_access_order = filter, expire
ldap_access_filter = (|(memberOf=cn=group1,ou=groups,ou=cee,o=nsn)(memberOf=cn=LDAPAdministrator1,ou=Groups,ou=cee,o=nsn))
sudo_provider = ldap
ldap_sudo_search_base = cn=%LDAPAdministrator1,ou=Groups,ou=cee,o=nsn
When I try to run the sudo su command it's prompting for a password, and in the logs I can see:
(2024-01-19 15:32:59): [sudo] [cache_req_done] (0x0400): CR #13: Finished: Success
(2024-01-19 15:32:59): [sudo] [sysdb_get_sudo_user_info] (0x0400): Original name: bindu2@cee
(2024-01-19 15:32:59): [sudo] [sysdb_get_sudo_user_info] (0x0400): Cased name: bindu2@cee
(2024-01-19 15:32:59): [sudo] [sudosrv_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(dataExpireTimestamp<=1705674779)(|(name=defaults)(sudoUser=ALL)(sudoUser=bindu2@cee)(sudoUser=#1602)(sudoUser=%LDAPAdministrator1@cee)(sudoUser=%LDAP\20Users@cee)(sudoUser=+*)))]
(2024-01-19 15:32:59): [sudo] [sudosrv_refresh_rules_send] (0x0400): No expired rules were found for [bindu2@cee@cee].
(2024-01-19 15:32:59): [sudo] [sudosrv_fetch_rules] (0x0400): Retrieving rules for [bindu2@cee@cee]
(2024-01-19 15:32:59): [sudo] [sudosrv_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=bindu2@cee)(sudoUser=#1602)(sudoUser=%LDAPAdministrator1@cee)(sudoUser=%LDAP\20Users@cee)))]
(2024-01-19 15:32:59): [sudo] [sudosrv_cached_rules_by_user] (0x0400): Replacing sudoUser attribute with sudoUser: #1602
(2024-01-19 15:32:59): [sudo] [sudosrv_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(sudoUser=+*)(!(|(sudoUser=ALL)(sudoUser=bindu2@cee)(sudoUser=#1602)(sudoUser=%LDAPAdministrator1@cee)(sudoUser=%LDAP\20Users@cee))))]
(2024-01-19 15:32:59): [sudo] [sudosrv_fetch_rules] (0x0400): Returning 0 rules for [bindu2@cee@cee]
(2024-01-19 15:32:59): [sudo] [sudosrv_build_response] (0x2000): error: [0]
(2024-01-19 15:32:59): [sudo] [sudosrv_build_response] (0x2000): rules_num: [0]
Any help is highly appreciated.
Thanks,
Bindu
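The post shows two things side by side: the sudoRole entry as stored in 389-ds (sudoUser: %LDAPAdministrator1) and the sudoUser tokens SSSD put into its sysdb query (sudoUser=%LDAPAdministrator1@cee, among others), followed by "Returning 0 rules". The helper below is an added example, not code from the post or from SSSD: it parses a sudoRole entry out of an LDIF dump, pulls the sudoUser tokens out of the [sudo] debug log, and reports which values match exactly and which match only once the "@domain" suffix is dropped. The sample LDIF and log lines are constructed from the values in the message, the domain name "cee" and the suffix handling are assumptions, and the script draws no conclusion about the cause; it only makes the comparison visible so the administrator can read the log without decoding the filter by hand.

```python
"""Diagnostic helper (added example, not from the post or from SSSD):
line up the sudoUser values of sudoRole entries in an LDIF dump against
the sudoUser tokens SSSD logged in its sysdb query."""
import re

# Constructed sample input: the sudoRole entry from the ldapsearch output.
SAMPLE_LDIF = """\
dn: cn=%LDAPAdministrator1,ou=Groups,ou=cee,o=nsn
cn: %LDAPAdministrator1
objectClass: top
objectClass: sudoRole
sudoHost: ALL
sudoCommand: ALL
sudoOption: !authenticate
sudoRunAsUser: ALL
sudoUser: %LDAPAdministrator1
"""

# Constructed sample input: the sysdb query and the result line from the debug log.
SAMPLE_LOG = r"""
(2024-01-19 15:32:59): [sudo] [sudosrv_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=bindu2@cee)(sudoUser=#1602)(sudoUser=%LDAPAdministrator1@cee)(sudoUser=%LDAP\20Users@cee)))]
(2024-01-19 15:32:59): [sudo] [sudosrv_fetch_rules] (0x0400): Returning 0 rules for [bindu2@cee@cee]
"""


def parse_ldif(text):
    """Return one {attr: [values]} dict per blank-line separated LDIF entry.
    Attribute names are lower-cased; folded lines (leading space) are joined;
    base64 (::) values are not decoded."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines:
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def sudo_roles(entries):
    """Keep only entries carrying the sudoRole object class."""
    return [e for e in entries
            if "sudorole" in {v.lower() for v in e.get("objectclass", [])}]


def query_tokens(log_text):
    """Distinct sudoUser=... tokens from every sysdb filter in the log, in
    order of first appearance. LDAP filter escapes such as \\20 are decoded."""
    tokens = []
    for m in re.finditer(r"\(sudoUser=([^()]*)\)", log_text):
        tok = re.sub(r"\\([0-9a-fA-F]{2})",
                     lambda x: chr(int(x.group(1), 16)), m.group(1))
        if tok not in tokens:
            tokens.append(tok)
    return tokens


def rules_returned(log_text):
    """The rule count from the 'Returning N rules for [...]' line, or None."""
    m = re.search(r"Returning (\d+) rules for", log_text)
    return int(m.group(1)) if m else None


def strip_domain(token, domain):
    # Assumption: SSSD qualified the token with "@<domain>"; drop that suffix.
    suffix = "@" + domain
    return token[:-len(suffix)] if token.endswith(suffix) else token


def match_report(roles, tokens, domain):
    """For each sudoRole, list sudoUser values that equal a queried token
    exactly, and those that equal a token only after the domain suffix is dropped."""
    bare = {strip_domain(t, domain) for t in tokens}
    report = []
    for role in roles:
        values = role.get("sudouser", [])
        exact = sorted(v for v in values if v in tokens)
        bare_only = sorted(v for v in values if v not in tokens and v in bare)
        report.append({"dn": role["dn"][0], "exact": exact, "bare_only": bare_only})
    return report


def main():
    roles = sudo_roles(parse_ldif(SAMPLE_LDIF))
    tokens = query_tokens(SAMPLE_LOG)
    print("sudoUser tokens SSSD queried:", tokens)
    for r in match_report(roles, tokens, "cee"):
        print(r["dn"], "| exact:", r["exact"], "| bare name only:", r["bare_only"])
    print("rules returned:", rules_returned(SAMPLE_LOG))


if __name__ == "__main__":
    main()
```

Run it as is to see the constructed sample; to use it on a real system, replace SAMPLE_LDIF with the output of the same ldapsearch and SAMPLE_LOG with the [sudo] section of the SSSD debug log, and pass the domain name from the [domain/...] section header.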