Bug 1118336

Summary: sudo: invalid sudoHost filter with asterisk
Product: Red Hat Enterprise Linux 6 Reporter: Dmitri Pal <dpal>
Component: sssdAssignee: Jakub Hrozek <jhrozek>
Status: CLOSED ERRATA QA Contact: Kaushik Banerjee <kbanerje>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 6.0CC: grajaiya, jgalipea, jhrozek, lslebodn, mkosek, nkarandi, pbrezina, preichl, tlavigne
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: sssd-1.11.6-16.el6 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 1118339 (view as bug list) Environment:
Last Closed: 2014-10-14 04:48:58 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1118339    

Description Dmitri Pal 2014-07-10 13:08:04 UTC 
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/sssd/ticket/2377


{{{
(sudoHost=*\**) should be replaced with (sudoHost=*\2A*)
}}}
 according to rfc http://tools.ietf.org/html/rfc4515, otherwise the filter is invalid.
Comment 1 Jakub Hrozek 2014-07-29 13:44:29 UTC 
Fixed upstream:
    master:
        8c4abd227035169e75cb081424765e65c52b5266 
    sssd-1-11:
        552f9bc07d15c371090a5514bb1821a7e4505203
Comment 3 Nirupama Karandikar 2014-09-10 08:07:02 UTC 
Hello,

Could you please provide steps to reproduce the issue.

Thanks,

Nirupama
Comment 4 Jakub Hrozek 2014-09-10 12:19:30 UTC 
I would only perform regression testing for sudo. The servers we ship in RHEL didn't exhibit the issue.
Comment 5 Nirupama Karandikar 2014-09-11 08:48:49 UTC 
Tested with sssd-1.11.6-29.el6.x86_64

1. Configure sssd with "sudo_provider = ldap". Restart sssd service.

2. From /var/log/sssd/sssd_LDAP.log

(Thu Sep 11 14:18:02 2014) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=sudoRole)(|(!(sudoHost=*))(sudoHost=ALL)(sudoHost=dhcp207-31.lab.eng.pnq.redhat.com)(sudoHost=dhcp207-31)(sudoHost=10.65.207.31)(sudoHost=10.65.206.0/23)(sudoHost=fe80::5054:ff:feec:c24a)(sudoHost=fe80::/64)(sudoHost=+*)(|(sudoHost=*\\*)(sudoHost=*?*)(sudoHost=*\2A*)(sudoHost=*[*]*))))][dc=example,dc=com].

The "(sudoHost=*\2A*)" with older version has "(sudoHost=*\**)" in the domain logs.
Comment 6 errata-xmlrpc 2014-10-14 04:48:58 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1375.html