Red Hat Bugzilla – Bug 1118339
sudo: invalid sudoHost filter with asterisk
Last modified: 2015-03-05 05:32:57 EST
+++ This bug was initially created as a clone of Bug #1118336 +++ This bug is created as a clone of upstream ticket: https://fedorahosted.org/sssd/ticket/2377 {{{ (sudoHost=*\**) should be replaced with (sudoHost=*\2A*) }}} according to rfc http://tools.ietf.org/html/rfc4515, otherwise the filter is invalid.
master: 8c4abd227035169e75cb081424765e65c52b5266 sssd-1-11: 552f9bc07d15c371090a5514bb1821a7e4505203
Tested with sssd-1.12.2-39.el7.x86_64 1. Configure sssd with "sudo_provider = ldap". Restart sssd service. 2. From /var/log/sssd/sssd_LDAP.log (Tue Jan 13 17:54:40 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=sudoRole)(|(!(sudoHost=*))(sudoHost=ALL)(sudoHost=dhcp207-182.sssdad2012.com)(sudoHost=dhcp207-182)(sudoHost=10.65.207.182)(sudoHost=10.65.206.0/23)(sudoHost=fe80::5054:ff:fe59:37c6)(sudoHost=fe80::/64)(sudoHost=+*)(|(sudoHost=*\\*)(sudoHost=*?*)(sudoHost=*\2A*)(sudoHost=*[*]*))))][dc=example,dc=com]. The "(sudoHost=*\2A*)" with older version has "(sudoHost=*\**)" in the domain logs.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2015-0441.html