Escalated to Bugzilla from IssueTracker
Event posted on 04-07-2010 09:14am EDT by kbaxley

The customer ran into a problem after updating to the latest version of nss_ldap in RHEL5.5: nss_ldap-253-25.el5. At first it looked as if there was some sort of regression in the latest revision of nss_ldap. The customer was getting reports from the field (approx. 125 affected systems) that were using LDAP to distribute sudoers information using the sudoers_base ou=SUDOers,dc=unix,dc=lanl,dc=gov directive. When they got upgraded to the latest nss_ldap release (nss_ldap-253-25.el5 <https://rhus.lanl.gov/network/software/packages/details.pxt?pid=55411>) the sudo functionality broke.

Problem: Cannot sudo when configured to use LDAP for sudoers information.
Symptom: Attempt to use sudo responds with "User not in /etc/sudoers. This incident will be reported." failure message.
Expected Behavior: User able to execute sudo without error.
Workaround: Uninstall latest nss_ldap libraries and install previous version (nss_ldap-253-22 for RHEL 5).

A later update from the customer found that this apparently was an undocumented change in behavior rather than a regression:

*/ This is just a follow up on our saga with getting sudo back and working on our systems. Turns out that I identified the wrong library as the issue. We are now using all of the latest rel 5 updates with no problems. The issue was that an entry in nsswitch.conf is required now. We added the line (sudoers: files ldap) to cfengine and now we can sudo again! BTW, we never found this in the documentation, just took a wild guess and it worked. /*

Perhaps a clean up or updating of the documentation for nsswitch.conf is in order?

This event sent from IssueTracker by kbaxley [LANL] issue 732073
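An added check (not part of the bug report or of sudo's own tooling) that detects the misconfiguration described above: ldap.conf points sudoers at LDAP via sudoers_base, but nsswitch.conf has no "sudoers:" entry naming ldap, so sudo silently falls back to /etc/sudoers alone. The sample config files are constructed inline; the function names and paths are assumptions for this example.

```shell
#!/bin/sh
# Added example: verify that nsswitch.conf lists ldap as a sudoers source
# whenever ldap.conf carries a sudoers_base directive.

# Print the source list of the "sudoers:" entry in the given nsswitch.conf,
# stripping comments; prints nothing when the entry is absent.
sudoers_sources() {
    sed -e 's/#.*//' "$1" \
      | awk '$1 == "sudoers:" { $1 = ""; print; exit }' \
      | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//'
}

# Return 0 if the sudoers entry names ldap as a source, 1 otherwise.
sudoers_uses_ldap() {
    for src in $(sudoers_sources "$1"); do
        [ "$src" = "ldap" ] && return 0
    done
    return 1
}

# Return 0 if the given ldap.conf sets sudoers_base (uncommented).
ldap_conf_has_sudoers_base() {
    grep -Eq '^[[:space:]]*sudoers_base[[:space:]]' "$1"
}

# Combined check: sudoers_base present but no ldap sudoers source is the
# state that produced "User not in /etc/sudoers" in the report above.
check_sudo_ldap() {
    nss="$1"; ldapconf="$2"
    if ldap_conf_has_sudoers_base "$ldapconf" && ! sudoers_uses_ldap "$nss"; then
        echo "MISCONFIG: $ldapconf sets sudoers_base but $nss lacks 'sudoers: ... ldap'"
        return 1
    fi
    echo "OK: sudoers sources = '$(sudoers_sources "$nss")'"
    return 0
}

# Constructed sample files (not real hosts); temp dir is left for inspection.
tmp=$(mktemp -d)
printf 'base dc=example,dc=org\nsudoers_base ou=SUDOers,dc=example,dc=org\n' > "$tmp/ldap.conf"
printf '# nsswitch.conf before the fix\npasswd: files ldap\ngroup:  files ldap\n' > "$tmp/nsswitch.broken"
printf 'passwd: files ldap\nsudoers: files ldap # sudo sources\n' > "$tmp/nsswitch.fixed"

check_sudo_ldap "$tmp/nsswitch.broken" "$tmp/ldap.conf" || :   # reports MISCONFIG
check_sudo_ldap "$tmp/nsswitch.fixed"  "$tmp/ldap.conf"        # reports OK
```

On a real host, point check_sudo_ldap at /etc/nsswitch.conf and /etc/ldap.conf instead of the constructed files.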
Our hosts were bitten by this as well. I finally found the documentation for this new behavior here: http://www.gratisoft.us/sudo/man/sudoers.ldap.html#configuring_nsswitch_conf but this change was not mentioned in any of the errata notes for sudo packages in RHN. It appears to also be buried in the /usr/share/doc/sudo-1.7.2p1/sudoers.ldap.pod file, but that's not the first place that I would think to go spelunking. The reference in the README.LDAP file states: See the "Configuring nsswitch.conf" section in the sudoers.ldap manual for details. I initially presumed that meant "man 5 sudoers.ldap" and looked for an installed man page with that information. It is certainly not mentioned in sudoers(5). Perhaps the most sane thing is to incorporate running pod2man on that file during the RPM build to round out the documentation set where most admins will think to go looking for it. At initial glance, that is the only main documentation file that is not already installed in /usr/share/man.
BTW, this looks like it's the other side of the coin of 583644.
/usr/share/doc/sudo-1.7.2p1/sudoers.ldap.pod is part of sudo package, so reassigning to it.
Closing this as duplicate of #583644. Installation of the missing sudoers.ldap man-page will be solved as part of that bug. Sorry for the inconvenience. *** This bug has been marked as a duplicate of bug 583644 ***