Bug 1118339 - sudo: invalid sudoHost filter with asterisk
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Jakub Hrozek
QA Contact: Kaushik Banerjee
URL:
Whiteboard:
Depends On: 1118336
Blocks:
 
Reported: 2014-07-10 13:10 UTC by Dmitri Pal
Modified: 2015-03-05 10:32 UTC (History)

Fixed In Version: sssd-1.12.1-1.el7
Doc Type: Bug Fix
Doc Text:
Clone Of: 1118336
Environment:
Last Closed: 2015-03-05 10:32:57 UTC




Links
System ID: Red Hat Product Errata RHBA-2015:0441
Priority: normal
Status: SHIPPED_LIVE
Summary: sssd bug fix and enhancement update
Last Updated: 2015-03-05 15:05:27 UTC

Description Dmitri Pal 2014-07-10 13:10:08 UTC
+++ This bug was initially created as a clone of Bug #1118336 +++

This bug is created as a clone of upstream ticket:
https://fedorahosted.org/sssd/ticket/2377


{{{
(sudoHost=*\**) should be replaced with (sudoHost=*\2A*)
}}}
according to RFC http://tools.ietf.org/html/rfc4515, otherwise the filter is invalid.

Comment 1 Jakub Hrozek 2014-07-31 10:34:10 UTC
    master:
        8c4abd227035169e75cb081424765e65c52b5266 
    sssd-1-11:
        552f9bc07d15c371090a5514bb1821a7e4505203

Comment 3 Nirupama Karandikar 2015-01-13 12:30:24 UTC
Tested with sssd-1.12.2-39.el7.x86_64

1. Configure sssd with "sudo_provider = ldap". Restart sssd service.

2. From /var/log/sssd/sssd_LDAP.log

(Tue Jan 13 17:54:40 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=sudoRole)(|(!(sudoHost=*))(sudoHost=ALL)(sudoHost=dhcp207-182.sssdad2012.com)(sudoHost=dhcp207-182)(sudoHost=10.65.207.182)(sudoHost=10.65.206.0/23)(sudoHost=fe80::5054:ff:fe59:37c6)(sudoHost=fe80::/64)(sudoHost=+*)(|(sudoHost=*\\*)(sudoHost=*?*)(sudoHost=*\2A*)(sudoHost=*[*]*))))][dc=example,dc=com].

The "(sudoHost=*\2A*)" appears as "(sudoHost=*\**)" in the domain logs with the older version.
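
The escaping rule from the description and the before/after filters in Comment 3, as an added C example (not sssd's code). `rfc4515_escape` and `rfc4515_escapes_valid` are hypothetical helper names, the check is a strict reading of RFC 4515 (a backslash must be followed by two hex digits), and the inputs are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* RFC 4515: in an assertion value, NUL ( ) * and \ are written as a backslash
 * plus two hex digits. Returns the escaped length, or -1 if out is too small. */
int rfc4515_escape(const char *in, size_t len, char *out, size_t outsz)
{
    size_t o = 0;
    if (outsz == 0)
        return -1;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)in[i];
        size_t need = (c == '\0' || strchr("()*\\", c)) ? 3 : 1;
        if (o + need + 1 > outsz)
            return -1;
        if (need == 3)
            o += (size_t)snprintf(out + o, outsz - o, "\\%02X", (unsigned)c);
        else
            out[o++] = (char)c;
    }
    out[o] = '\0';
    return (int)o;
}

/* Strict check: 1 if every backslash starts a two-hex-digit escape, else 0. */
int rfc4515_escapes_valid(const char *filter)
{
    for (const char *p = filter; *p; p++)
        if (*p == '\\') {
            if (!isxdigit((unsigned char)p[1]) || !isxdigit((unsigned char)p[2]))
                return 0;
            p += 2;
        }
    return 1;
}

int main(void)
{
    char esc[16], filter[64];
    /* Constructed input: the literal asterisk searched for inside sudoHost. */
    if (rfc4515_escape("*", 1, esc, sizeof(esc)) < 0)
        return 1;
    snprintf(filter, sizeof(filter), "(sudoHost=*%s*)", esc);
    printf("%s valid=%d\n", filter, rfc4515_escapes_valid(filter));
    printf("(sudoHost=*\\**) valid=%d\n", rfc4515_escapes_valid("(sudoHost=*\\**)"));
    return 0;
}
```

Only the literal value is escaped; the surrounding `*` wildcards of the substring match are added afterwards and stay unescaped.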

Comment 5 errata-xmlrpc 2015-03-05 10:32:57 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0441.html

