Bug 458067 - RHEL5.2 x86_64 - sudo does not work with pam LDAP module
RHEL5.2 x86_64 - sudo does not work with pam LDAP module
Status: CLOSED DUPLICATE of bug 447408
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: sudo (Show other bugs)
5.2
All Linux
medium Severity high
: rc
: ---
Assigned To: Peter Vrabec
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-08-06 09:31 EDT by Greg Sawicki
Modified: 2008-08-28 12:00 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-08-28 06:47:10 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
RHEL5.2 x86_64 - sudo does not work with pam LDAP module (1.56 KB, text/plain)
2008-08-06 09:31 EDT, Greg Sawicki
no flags Details

  None (edit)
Description Greg Sawicki 2008-08-06 09:31:51 EDT
Created attachment 313562 [details]
RHEL5.2 x86_64 - sudo does not work with pam LDAP module

See full description in the attached file.
Comment 1 Greg Sawicki 2008-08-06 10:28:41 EDT
Fedora 8 sudo-1.6.9p4-2.fc8.x86_64.rpm installed on RHEL5.2 - sudo works with pam LDAP
Comment 2 Matteo Corti 2008-08-21 09:18:05 EDT
We use LDAP for authentication but sudo just reads /etc/sudoers (i.e.,
sudo configuration is local and not on ldap).

Users can log in without problem using ldap.

When a user tries to use sudo, sudo waits and waits unable to connect
to the LDAP server.

Aug 21 11:24:08 **** sudo: nss_ldap: failed to bind to LDAP server ldaps://****: Can't contact LDAP server
Aug 21 11:24:08 **** sudo: nss_ldap: failed to bind to LDAP server ldaps://****: Can't contact LDAP server
Aug 21 11:24:08 **** sudo: nss_ldap: reconnecting to LDAP server (sleeping 4 seconds)...
Aug 21 11:24:12 **** sudo: nss_ldap: failed to bind to LDAP server ldaps://****: Can't contact LDAP server
Aug 21 11:24:12 **** sudo: nss_ldap: reconnecting to LDAP server (sleeping 8 seconds)...
Aug 21 11:24:20 **** sudo: nss_ldap: failed to bind to LDAP server ldaps://****: Can't contact LDAP server
Aug 21 11:24:20 **** sudo: nss_ldap: reconnecting to LDAP server (sleeping 16 seconds)...
Aug 21 11:24:25 **** sudo: nss_ldap: failed to bind to LDAP server ldaps://****: Can't contact LDAP server
Aug 21 11:24:25 **** sudo: nss_ldap: could not search LDAP server - Server is unavailable
Aug 21 11:24:36 **** sudo: nss_ldap: failed to bind to LDAP server ldaps://****: Can't contact LDAP server
Aug 21 11:24:36 **** sudo: nss_ldap: reconnecting to LDAP server (sleeping 32 seconds)...
Aug 21 11:24:56 **** sudo: nss_ldap: failed to bind to LDAP server ldaps://****: Can't contact LDAP server
Aug 21 11:24:56 **** sudo: nss_ldap: could not search LDAP server - Server is unavailable
Aug 21 11:25:08 **** sudo: nss_ldap: failed to bind to LDAP server ldaps://****: Can't contact LDAP server
Aug 21 11:25:08 **** sudo: nss_ldap: reconnecting to LDAP server (sleeping 64 seconds)...
Aug 21 11:26:12 **** sudo: nss_ldap: failed to bind to LDAP server ldaps://****: Can't contact LDAP server
Aug 21 11:26:12 **** sudo: nss_ldap: could not search LDAP server - Server is unavailable

The failed server (ldaps://**** here) is the correct one from
/etc/ldap.conf that works (since it is used for authentication).

Compiling rebuilding sudo withou --with-ldap is a workaround if LDAP
is not needed.
Comment 3 Greg Sawicki 2008-08-21 09:39:48 EDT
Matteo,

You are missing a point here. Read again and carefully my attached description of the problem, resolution and conclusions.

Compiling without --with-ldap only circumvents a bug that exists in sudo-1.6.8p12-12.el5 package.

Compiling latest sudo-1.6.9p17.tar.gz using all the same switches (extracted from RHEL source RPM spec file) that RHEL5 is using in their sudo-1.6.8p12-12.el5 package, including --with-ldap, produces properly working binaries. So that is a proof right there that there is a bug in RHEL version that does not exist in latest generic version.

We are not storing sudoers on LDAP server. We use /etc/sudoers local to the client host.

We do not use generic LDAP authentication, the one that uses /etc/ldap.conf
We use pam LDAP module for reasons very specific to our organization.

I did not check the spec file from Fedora 8 sudo-1.6.9p4-2.fc8.x86_64.rpm but I suspect it is not different from RHEL5 one. It is just newer source base used that seems to have this bug fixed already and it works fine on RHEL5 system.
Comment 4 Matteo Corti 2008-08-21 09:50:09 EDT
Dear Greg,

yes this is more or less what I wanted to say :-)

I just wanted to post the /var/log/messages entries relevant to the problem.

I could try to compile sudo-1.6.9p17.tar.gz as you did applying the same patches RH applies to see if one of them is the problem (you tried the same configuration options and they worked so they should not be the problem).

Matteo
Comment 5 Matteo Corti 2008-08-21 10:20:21 EDT
I rebuilt the very same RPM using 1.6.9p17 and the following changes:

 * Added BuildRequires: openldap-devel (not relevant but was missing :-)
 * Removed (no more necessary):
     sudo-1.6.8p8-pam-sess.patch
     sudo-1.6.8p12-pam-login.patch
     sudo-1.6.8p12-ipv6.patch
     sudo-1.6.8p12-audit.patch
 * Removed
     sudo-1.6.8p12-s390.patch
   this one could not be applied and I didn't really look at it so it
   might be necessary to check

The new build works with all the RH configuration patches and --with-ldap

If you want to test it:

http://yum.id.ethz.ch/yum/redhat/el5/i386/ethz/RPMS/sudo-1.6.9p17-1.i386.rpm
http://yum.id.ethz.ch/yum/redhat/el5/i386/ethz/SRPMS/sudo-1.6.9p17-1.src.rpm

Matteo
Comment 6 Matteo Corti 2008-08-21 10:26:53 EDT
I forgot: the problem can be reproduced on i386 too (our case). So the platform 'x86_64' of the bug should be updated (-> any).
Comment 7 Greg Sawicki 2008-08-21 10:45:50 EDT
Matteo,

Thanks for all the ground work. We have obvious conclusion here. Time for RHEL to act on this bug. I hope at least 5.3 will address that. An updated working rpm before 5.3 is out would be nice.

My solution for now is Fedora rpm as it works for me. But it is one off that I would rather avoid hence RHEL fixed rpm would be nice.

I am also trying to change "Platform" qualifier for this bug to "All"

/gs
Comment 8 Peter Vrabec 2008-08-28 06:47:10 EDT

*** This bug has been marked as a duplicate of bug 447408 ***
Comment 9 Matteo Corti 2008-08-28 09:23:44 EDT
If I try to see what this bug duplicates (#447408) I get an access denied error:

You are not authorized to access bug #447408.

Does this mean that a security issue is involved? In this case it would be nice to see a statement and at least what is happening with the bug ... (priority, status, ...).

Or it's simply a bug?

Matteo
Comment 10 Peter Vrabec 2008-08-28 12:00:08 EDT
Hi, I'm sorry there is access denied.

#447408 is just the same request with issue tracked score. #447408 went thru the whole process of evaluation if the package should be rebased or not. The rebase was allowed, so engineering and QA group work on it. If everything works as expected, updated sudo package will be available in next update.

Note You need to log in before you can comment on or make changes to this bug.