Bug 965124
| Summary: | sudo doesn't work with users in ldap | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | David Spurek <dspurek> |
| Component: | sudo | Assignee: | Daniel Kopeček <dkopecek> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | David Spurek <dspurek> |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | 7.0 | CC: | dspurek, ebenes |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | sudo-1.8.6p7-3.el7 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2014-06-13 10:32:44 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
David Spurek
2013-05-20 13:21:26 UTC
I've tried it manually and it looks like it works fine. Could you re-run the test please? If it won't work, then there might be something wrong with the test.

-bash-4.2$ sudo -l
[sudo] password for ldapuser20002:
Matching Defaults entries for ldapuser20002 on this host:
    requiretty, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LOGNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User ldapuser20002 may run the following commands on this host:
    (ALL) /bin/true
-bash-4.2$ sudo -u ldapuser20001 true
-bash-4.2$ echo $?
0
-bash-4.2$ sudo true
-bash-4.2$ echo $?
0

It looks fixed, test passes now:
sudo-1.8.6p7-4.el7
nss-pam-ldapd-0.8.12-4.el7
sssd-1.10.1-1.el7.x86_64

Output with sudo-1.8.6p7-4.el7:

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: Test with ldap
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ PASS ] :: Running 'service nslcd start && sleep 2'
:: [ PASS ] :: Running 'ldapsearch -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -LLL -b "ou=Sudoers,dc=example,dc=com" '*''
:: [ PASS ] :: Running 'getent passwd user1'
:: [ PASS ] :: Running 'getent passwd user2'
:: [ PASS ] :: Running 'getent group group_user1'
:: [ PASS ] :: Running 'getent netgroup netgroup_user1'
:: [ PASS ] :: Running 'getent group group_user2'
:: [ PASS ] :: Running 'getent netgroup netgroup_user2'
:: [ PASS ] :: Running 'ldapadd -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_add.ldif'
:: [ PASS ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod2.ldif'
:: [ LOG ] :: sudoRunAsUser:user2 should be ALLOWED
:: [ PASS ] :: Running 'su user1 -c 'sudo -u user2 true''
:: [ PASS ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod2.ldif'
:: [ LOG ] :: sudoRunAsUser:user1 should be DENIED
:: [ PASS ] :: Running 'su user1 -c 'sudo -u user2 true''
:: [ PASS ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod2.ldif'
:: [ LOG ] :: sudoRunAsUser:#10002 should be ALLOWED
:: [ PASS ] :: Running 'su user1 -c 'sudo -u user2 true''
:: [ PASS ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod2.ldif'
:: [ LOG ] :: sudoRunAsUser:#10001 should be DENIED
:: [ PASS ] :: Running 'su user1 -c 'sudo -u user2 true''
:: [ PASS ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod2.ldif'
:: [ LOG ] :: sudoRunAsUser:%group_user2 should be ALLOWED
:: [ PASS ] :: Running 'su user1 -c 'sudo -u user2 true''
:: [ PASS ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod2.ldif'
:: [ LOG ] :: sudoRunAsUser:%group_user1 should be DENIED
:: [ PASS ] :: Running 'su user1 -c 'sudo -u user2 true''
:: [ PASS ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod2.ldif'
:: [ LOG ] :: sudoRunAsUser:+netgroup_user2 should be ALLOWED
:: [ PASS ] :: Running 'su user1 -c 'sudo -u user2 true''
:: [ PASS ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod2.ldif'
:: [ LOG ] :: sudoRunAsUser:+netgroup_user1 should be DENIED
:: [ PASS ] :: Running 'su user1 -c 'sudo -u user2 true''
:: [ PASS ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod.ldif'
:: [ PASS ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod2.ldif'
:: [ LOG ] :: sudoRunAsGroup:group_user2 should be ALLOWED
:: [ PASS ] :: Running 'su user1 -c 'sudo -g group_user2 groups''
:: [ PASS ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod2.ldif'
:: [ LOG ] :: sudoRunAsGroup:group_user1 should be DENIED
:: [ PASS ] :: Running 'su user1 -c 'sudo -g group_user2 groups''
:: [ PASS ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod2.ldif'
:: [ LOG ] :: sudoRunAsGroup:#20002 should be ALLOWED
:: [ PASS ] :: Running 'su user1 -c 'sudo -g group_user2 groups''
:: [ PASS ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod2.ldif'
:: [ LOG ] :: sudoRunAsGroup:#20001 should be DENIED
:: [ PASS ] :: Running 'su user1 -c 'sudo -g group_user2 groups''
:: [ PASS ] :: Running 'service nslcd stop && sleep 2'
:: [ LOG ] :: Duration: 15s
:: [ LOG ] :: Assertions: 35 good, 0 bad
:: [ PASS ] :: RESULT: Test with ldap
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: Test with sssd
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ PASS ] :: Running 'nsswitch_conf_sssd'
:: [ PASS ] :: Running 'ldapsearch -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -LLL -b "ou=Sudoers,dc=example,dc=com" '*''
:: [ PASS ] :: Running 'service sssd start && sleep 3'
:: [ PASS ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod2.ldif'
:: [ LOG ] :: sudoRunAsUser:user2 should be ALLOWED
:: [ PASS ] :: Running 'su user1 -c 'sudo -u user2 true''
:: [ PASS ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod2.ldif'
:: [ LOG ] :: sudoRunAsUser:user1 should be DENIED
:: [ PASS ] :: Running 'su user1 -c 'sudo -u user2 true''
:: [ PASS ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod2.ldif'
:: [ LOG ] :: sudoRunAsUser:#10002 should be ALLOWED
:: [ PASS ] :: Running 'su user1 -c 'sudo -u user2 true''
:: [ PASS ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod2.ldif'
:: [ LOG ] :: sudoRunAsUser:#10001 should be DENIED
:: [ PASS ] :: Running 'su user1 -c 'sudo -u user2 true''
:: [ PASS ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod2.ldif'
:: [ LOG ] :: sudoRunAsUser:%group_user2 should be ALLOWED
:: [ PASS ] :: Running 'su user1 -c 'sudo -u user2 true''
:: [ PASS ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod2.ldif'
:: [ LOG ] :: sudoRunAsUser:%group_user1 should be DENIED
:: [ PASS ] :: Running 'su user1 -c 'sudo -u user2 true''
:: [ PASS ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod2.ldif'
:: [ LOG ] :: sudoRunAsUser:+netgroup_user2 should be ALLOWED
:: [ PASS ] :: Running 'su user1 -c 'sudo -u user2 true''
:: [ PASS ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod2.ldif'
:: [ LOG ] :: sudoRunAsUser:+netgroup_user1 should be DENIED
:: [ PASS ] :: Running 'su user1 -c 'sudo -u user2 true''
:: [ PASS ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod.ldif'
:: [ PASS ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod2.ldif'
:: [ LOG ] :: sudoRunAsGroup:group_user2 should be ALLOWED
:: [ PASS ] :: Running 'su user1 -c 'sudo -g group_user2 groups''
:: [ PASS ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod2.ldif'
:: [ LOG ] :: sudoRunAsGroup:group_user1 should be DENIED
:: [ PASS ] :: Running 'su user1 -c 'sudo -g group_user2 groups''
:: [ PASS ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod2.ldif'
:: [ LOG ] :: sudoRunAsGroup:#20002 should be ALLOWED
:: [ PASS ] :: Running 'su user1 -c 'sudo -g group_user2 groups''
:: [ PASS ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod2.ldif'
:: [ LOG ] :: sudoRunAsGroup:#20001 should be DENIED
:: [ PASS ] :: Running 'su user1 -c 'sudo -g group_user2 groups''
:: [ PASS ] :: Running 'service sssd stop'
:: [ LOG ] :: Duration: 47s
:: [ LOG ] :: Assertions: 29 good, 0 bad
:: [ PASS ] :: RESULT: Test with sssd

Output with sudo.x86_64 0:1.8.6p7-2 is in the initial bug report.

This request was resolved in Red Hat Enterprise Linux 7.0. Contact your manager or support representative in case you have further questions about the request.
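The ALLOWED/DENIED matrix in the test log above follows the sudoRunAsUser and sudoRunAsGroup matching rules documented in sudoers.ldap(5): a plain name, a numeric id prefixed with '#', a Unix group prefixed with '%', a netgroup prefixed with '+', or ALL. The block below is an added example, not code from this bug report, from the test suite, or from sudo itself. It models those rules against a constructed directory snapshot (user1/user2 with uids 10001/10002, group_user1/group_user2 with gids 20001/20002, and the two netgroups; the uid and gid values are assumptions chosen so that the '#10002' and '#20002' cases agree with the log) and reproduces the outcomes offline. Negated ('!') entries and the '%#gid' form are deliberately not modelled, the sudoHost and sudoCommand checks are reduced to exact matches, and the absent-attribute defaults are a simplification of sudo's behaviour.

```python
"""Offline model of sudoRole matching as exercised by the test log (added example)."""
import base64

# Constructed directory snapshot (assumption): the ids are chosen so that the
# '#10002' / '#20002' cases in the log resolve to user2 / group_user2.
USERS = {"user1": 10001, "user2": 10002}            # name -> uid
GROUPS = {                                          # name -> (gid, members)
    "group_user1": (20001, {"user1"}),
    "group_user2": (20002, {"user2"}),
}
NETGROUPS = {"netgroup_user1": {"user1"}, "netgroup_user2": {"user2"}}
RUNAS_DEFAULT = "root"   # sudo's runas_default, used when no sudoRunAsUser is set


def parse_ldif(text):
    """Parse LDIF text into a list of {attribute: [values]} dicts.

    Handles folded continuation lines, '#' comment lines, '-' separators of
    change records and '::' base64-encoded values. Change records are only
    read, not interpreted.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:           # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:                       # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#") or line == "-":
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):                   # 'attr:: base64'
            value = base64.b64decode(value[1:].strip()).decode()
        else:
            value = value.strip()
        current.setdefault(attr.strip(), []).append(value)
    return entries


def user_matches(spec, user):
    """Match a sudoUser / sudoRunAsUser value against a user name."""
    if spec == "ALL":
        return True
    if spec.startswith("#"):                        # '#uid'
        return USERS.get(user) == int(spec[1:])
    if spec.startswith("%"):                        # '%group' (supplementary members only)
        return user in GROUPS.get(spec[1:], (None, set()))[1]
    if spec.startswith("+"):                        # '+netgroup'
        return user in NETGROUPS.get(spec[1:], set())
    return spec == user


def group_matches(spec, group):
    """Match a sudoRunAsGroup value against a group name."""
    if spec == "ALL":
        return True
    if spec.startswith("#"):                        # '#gid'
        return GROUPS.get(group, (None, set()))[0] == int(spec[1:])
    return spec == group


def allowed(role, invoking_user, command, runas_user=None, runas_group=None, host="localhost"):
    """True if the sudoRole entry lets invoking_user run command as requested."""
    if not any(user_matches(s, invoking_user) for s in role.get("sudoUser", [])):
        return False
    if not any(h in ("ALL", host) for h in role.get("sudoHost", [])):
        return False
    if not any(c in ("ALL", command) for c in role.get("sudoCommand", [])):
        return False
    if runas_user is not None:
        # Simplification: with no sudoRunAsUser, only runas_default is permitted.
        specs = role.get("sudoRunAsUser", [RUNAS_DEFAULT])
        if not any(user_matches(s, runas_user) for s in specs):
            return False
    if runas_group is not None:
        # Simplification: with no sudoRunAsGroup, no '-g' target is permitted.
        if not any(group_matches(s, runas_group) for s in role.get("sudoRunAsGroup", [])):
            return False
    return True


def role_with(**attrs):
    """Build a sudoRole entry like the test's rule as LDIF text (constructed) and parse it."""
    lines = ["dn: cn=test,ou=Sudoers,dc=example,dc=com", "objectClass: sudoRole",
             "cn: test", "sudoUser: user1", "sudoHost: ALL", "sudoCommand: ALL"]
    for attr, values in attrs.items():
        lines += [f"{attr}: {v}" for v in values]
    return parse_ldif("\n".join(lines))[0]


def runas_user_matrix():
    """The sudoRunAsUser cases from the log: su user1 -c 'sudo -u user2 true'."""
    cases = ["user2", "user1", "#10002", "#10001", "%group_user2", "%group_user1",
             "+netgroup_user2", "+netgroup_user1"]
    return {spec: allowed(role_with(sudoRunAsUser=[spec]), "user1", "/bin/true",
                          runas_user="user2") for spec in cases}


def runas_group_matrix():
    """The sudoRunAsGroup cases from the log: su user1 -c 'sudo -g group_user2 groups'."""
    cases = ["group_user2", "group_user1", "#20002", "#20001"]
    return {spec: allowed(role_with(sudoRunAsGroup=[spec]), "user1", "/usr/bin/groups",
                          runas_group="group_user2") for spec in cases}


if __name__ == "__main__":
    for spec, ok in {**runas_user_matrix(), **runas_group_matrix()}.items():
        print(f"{spec:18} {'ALLOWED' if ok else 'DENIED'}")
```

When a real rule misbehaves, paste the sudoRole entry returned by the `ldapsearch -LLL -b "ou=Sudoers,..."` step of the log into parse_ldif and compare the model's answer with `sudo -l -U user1` on the host. Note that the log runs the whole matrix twice on purpose: with nslcd the rules reach sudo through its own LDAP backend (`sudoers: ldap` in nsswitch.conf, configured in sudo-ldap.conf), while with sssd they come through the sss backend (`sudoers: sss`), and a regression in one path says nothing about the other.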