Bug 965124 - sudo doesn't work with users in ldap
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sudo
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: rc
Target Release: ---
Assigned To: Daniel Kopeček
QA Contact: David Spurek
 
Reported: 2013-05-20 09:21 EDT by David Spurek
Modified: 2015-03-02 00:27 EST (History)
Fixed In Version: sudo-1.8.6p7-3.el7
Doc Type: Bug Fix
Last Closed: 2014-06-13 06:32:44 EDT
Type: Bug

Description David Spurek 2013-05-20 09:21:26 EDT
Description of problem:
Sudo doesn't work with users in LDAP; this is a regression with the new build.

Version-Release number of selected component (if applicable):
sudo-1.8.6p7-2.el7

How reproducible:
always

Steps to Reproduce:
1. run reproducer test

Actual results:
all test cases fail with:
user1 is not in the sudoers file.  This incident will be reported.

Expected results:
sudo works correctly

Additional info:
Test results with new package:
openldap-2.4.35-3.2.el7.x86_64
:: [   PASS   ] :: Checking for the presence of openldap rpm
sudo-1.8.6p7-2.el7.x86_64
:: [   PASS   ] :: Checking for the presence of sudo rpm
nss-pam-ldapd-0.8.12-4.el7.x86_64
:: [   PASS   ] :: Checking for the presence of nss-pam-ldapd rpm
libsss_sudo-1.10.0-3.el7.beta1.x86_64
:: [   PASS   ] :: Checking for the presence of libsss_sudo rpm
sssd-1.10.0-3.el7.beta1.x86_64
:: [   PASS   ] :: Checking for the presence of sssd rpm
openldap-clients-2.4.35-3.2.el7.x86_64
:: [   PASS   ] :: Checking for the presence of openldap-clients rpm
openldap-servers-2.4.35-3.2.el7.x86_64
:: [   PASS   ] :: Checking for the presence of openldap-servers rpm

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: Test with ldap
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Running 'service nslcd start && sleep 2'
:: [   PASS   ] :: Running 'ldapsearch -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -LLL -b "ou=Sudoers,dc=example,dc=com" '*''
:: [   PASS   ] :: Running 'getent passwd user1'
:: [   PASS   ] :: Running 'getent passwd user2'
:: [   PASS   ] :: Running 'getent group group_user1'
:: [   PASS   ] :: Running 'getent netgroup netgroup_user1'
:: [   PASS   ] :: Running 'getent group group_user2'
:: [   PASS   ] :: Running 'getent netgroup netgroup_user2'
:: [   PASS   ] :: Running 'ldapadd -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_add.ldif'
:: [   PASS   ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod2.ldif'
:: [   LOG    ] :: sudoRunAsUser:user2 should be ALLOWED
:: [   FAIL   ] :: Running 'su user1 -c 'sudo -u user2 true'' (Expected 0, got 1)
:: [   PASS   ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod2.ldif'
:: [   LOG    ] :: sudoRunAsUser:user1 should be DENIED
:: [   PASS   ] :: Running 'su user1 -c 'sudo -u user2 true''
:: [   PASS   ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod2.ldif'
:: [   LOG    ] :: sudoRunAsUser:#10002 should be ALLOWED
:: [   FAIL   ] :: Running 'su user1 -c 'sudo -u user2 true'' (Expected 0, got 1)
:: [   PASS   ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod2.ldif'
:: [   LOG    ] :: sudoRunAsUser:#10001 should be DENIED
:: [   PASS   ] :: Running 'su user1 -c 'sudo -u user2 true''
:: [   PASS   ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod2.ldif'
:: [   LOG    ] :: sudoRunAsUser:%group_user2 should be ALLOWED
:: [   FAIL   ] :: Running 'su user1 -c 'sudo -u user2 true'' (Expected 0, got 1)
:: [   PASS   ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod2.ldif'
:: [   LOG    ] :: sudoRunAsUser:%group_user1 should be DENIED
:: [   PASS   ] :: Running 'su user1 -c 'sudo -u user2 true''
:: [   PASS   ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod2.ldif'
:: [   LOG    ] :: sudoRunAsUser:+netgroup_user2 should be ALLOWED
:: [   FAIL   ] :: Running 'su user1 -c 'sudo -u user2 true'' (Expected 0, got 1)
:: [   PASS   ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod2.ldif'
:: [   LOG    ] :: sudoRunAsUser:+netgroup_user1 should be DENIED
:: [   PASS   ] :: Running 'su user1 -c 'sudo -u user2 true''
:: [   PASS   ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod.ldif'
:: [   PASS   ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod2.ldif'
:: [   LOG    ] :: sudoRunAsGroup:group_user2 should be ALLOWED
:: [   FAIL   ] :: Running 'su user1 -c 'sudo -g group_user2 groups'' (Expected 0, got 1)
:: [   PASS   ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod2.ldif'
:: [   LOG    ] :: sudoRunAsGroup:group_user1 should be DENIED
:: [   PASS   ] :: Running 'su user1 -c 'sudo -g group_user2 groups''
:: [   PASS   ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod2.ldif'
:: [   LOG    ] :: sudoRunAsGroup:#20002 should be ALLOWED
:: [   FAIL   ] :: Running 'su user1 -c 'sudo -g group_user2 groups'' (Expected 0, got 1)
:: [   PASS   ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod2.ldif'
:: [   LOG    ] :: sudoRunAsGroup:#20001 should be DENIED
:: [   PASS   ] :: Running 'su user1 -c 'sudo -g group_user2 groups''
:: [   PASS   ] :: Running 'service nslcd stop && sleep 2'
:: [   LOG    ] :: Duration: 9s
:: [   LOG    ] :: Assertions: 29 good, 6 bad
:: [   FAIL   ] :: RESULT: Test with ldap

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: Test with sssd
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Running 'nsswitch_conf_sssd'
:: [   PASS   ] :: Running 'ldapsearch -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -LLL -b "ou=Sudoers,dc=example,dc=com" '*''
:: [   PASS   ] :: Running 'service sssd start && sleep 3'
:: [   PASS   ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod2.ldif'
:: [   LOG    ] :: sudoRunAsUser:user2 should be ALLOWED
:: [   PASS   ] :: Running 'su user1 -c 'sudo -u user2 true''
:: [   PASS   ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod2.ldif'
:: [   LOG    ] :: sudoRunAsUser:user1 should be DENIED
:: [   PASS   ] :: Running 'su user1 -c 'sudo -u user2 true''
:: [   PASS   ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod2.ldif'
:: [   LOG    ] :: sudoRunAsUser:#10002 should be ALLOWED
:: [   FAIL   ] :: Running 'su user1 -c 'sudo -u user2 true'' (Expected 0, got 1)
:: [   PASS   ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod2.ldif'
:: [   LOG    ] :: sudoRunAsUser:#10001 should be DENIED
:: [   PASS   ] :: Running 'su user1 -c 'sudo -u user2 true''
:: [   PASS   ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod2.ldif'
:: [   LOG    ] :: sudoRunAsUser:%group_user2 should be ALLOWED
:: [   PASS   ] :: Running 'su user1 -c 'sudo -u user2 true''
:: [   PASS   ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod2.ldif'
:: [   LOG    ] :: sudoRunAsUser:%group_user1 should be DENIED
:: [   PASS   ] :: Running 'su user1 -c 'sudo -u user2 true''
:: [   PASS   ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod2.ldif'
:: [   LOG    ] :: sudoRunAsUser:+netgroup_user2 should be ALLOWED
:: [   PASS   ] :: Running 'su user1 -c 'sudo -u user2 true''
:: [   PASS   ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod2.ldif'
:: [   LOG    ] :: sudoRunAsUser:+netgroup_user1 should be DENIED
:: [   PASS   ] :: Running 'su user1 -c 'sudo -u user2 true''
:: [   PASS   ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod.ldif'
:: [   PASS   ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod2.ldif'
:: [   LOG    ] :: sudoRunAsGroup:group_user2 should be ALLOWED
:: [   PASS   ] :: Running 'su user1 -c 'sudo -g group_user2 groups''
:: [   PASS   ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod2.ldif'
:: [   LOG    ] :: sudoRunAsGroup:group_user1 should be DENIED
:: [   PASS   ] :: Running 'su user1 -c 'sudo -g group_user2 groups''
:: [   PASS   ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod2.ldif'
:: [   LOG    ] :: sudoRunAsGroup:#20002 should be ALLOWED
:: [   PASS   ] :: Running 'su user1 -c 'sudo -g group_user2 groups''
:: [   PASS   ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod2.ldif'
:: [   LOG    ] :: sudoRunAsGroup:#20001 should be DENIED
:: [   PASS   ] :: Running 'su user1 -c 'sudo -g group_user2 groups''
:: [   PASS   ] :: Running 'service sssd stop'
:: [   LOG    ] :: Duration: 46s
:: [   LOG    ] :: Assertions: 28 good, 1 bad
:: [   FAIL   ] :: RESULT: Test with sssd


---------------------------------------------------------------
Test results with old package

openldap-2.4.35-3.2.el7.x86_64
:: [   PASS   ] :: Checking for the presence of openldap rpm
sudo-1.8.6p3-3.el7.x86_64
:: [   PASS   ] :: Checking for the presence of sudo rpm
nss-pam-ldapd-0.8.12-4.el7.x86_64
:: [   PASS   ] :: Checking for the presence of nss-pam-ldapd rpm
libsss_sudo-1.10.0-3.el7.beta1.x86_64
:: [   PASS   ] :: Checking for the presence of libsss_sudo rpm
sssd-1.10.0-3.el7.beta1.x86_64
:: [   PASS   ] :: Checking for the presence of sssd rpm
openldap-clients-2.4.35-3.2.el7.x86_64
:: [   PASS   ] :: Checking for the presence of openldap-clients rpm
openldap-servers-2.4.35-3.2.el7.x86_64
:: [   PASS   ] :: Checking for the presence of openldap-servers rpm

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: Test with ldap
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Running 'service nslcd start && sleep 2'
:: [   PASS   ] :: Running 'ldapsearch -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -LLL -b "ou=Sudoers,dc=example,dc=com" '*''
:: [   PASS   ] :: Running 'getent passwd user1'
:: [   PASS   ] :: Running 'getent passwd user2'
:: [   PASS   ] :: Running 'getent group group_user1'
:: [   PASS   ] :: Running 'getent netgroup netgroup_user1'
:: [   PASS   ] :: Running 'getent group group_user2'
:: [   PASS   ] :: Running 'getent netgroup netgroup_user2'
:: [   PASS   ] :: Running 'ldapadd -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_add.ldif'
:: [   PASS   ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod2.ldif'
:: [   LOG    ] :: sudoRunAsUser:user2 should be ALLOWED
:: [   PASS   ] :: Running 'su user1 -c 'sudo -u user2 true''
:: [   PASS   ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod2.ldif'
:: [   LOG    ] :: sudoRunAsUser:user1 should be DENIED
:: [   PASS   ] :: Running 'su user1 -c 'sudo -u user2 true''
:: [   PASS   ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod2.ldif'
:: [   LOG    ] :: sudoRunAsUser:#10002 should be ALLOWED
:: [   PASS   ] :: Running 'su user1 -c 'sudo -u user2 true''
:: [   PASS   ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod2.ldif'
:: [   LOG    ] :: sudoRunAsUser:#10001 should be DENIED
:: [   PASS   ] :: Running 'su user1 -c 'sudo -u user2 true''
:: [   PASS   ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod2.ldif'
:: [   LOG    ] :: sudoRunAsUser:%group_user2 should be ALLOWED
:: [   PASS   ] :: Running 'su user1 -c 'sudo -u user2 true''
:: [   PASS   ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod2.ldif'
:: [   LOG    ] :: sudoRunAsUser:%group_user1 should be DENIED
:: [   PASS   ] :: Running 'su user1 -c 'sudo -u user2 true''
:: [   PASS   ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod2.ldif'
:: [   LOG    ] :: sudoRunAsUser:+netgroup_user2 should be ALLOWED
:: [   PASS   ] :: Running 'su user1 -c 'sudo -u user2 true''
:: [   PASS   ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod2.ldif'
:: [   LOG    ] :: sudoRunAsUser:+netgroup_user1 should be DENIED
:: [   PASS   ] :: Running 'su user1 -c 'sudo -u user2 true''
:: [   PASS   ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod.ldif'
:: [   PASS   ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod2.ldif'
:: [   LOG    ] :: sudoRunAsGroup:group_user2 should be ALLOWED
:: [   PASS   ] :: Running 'su user1 -c 'sudo -g group_user2 groups''
:: [   PASS   ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod2.ldif'
:: [   LOG    ] :: sudoRunAsGroup:group_user1 should be DENIED
:: [   PASS   ] :: Running 'su user1 -c 'sudo -g group_user2 groups''
:: [   PASS   ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod2.ldif'
:: [   LOG    ] :: sudoRunAsGroup:#20002 should be ALLOWED
:: [   PASS   ] :: Running 'su user1 -c 'sudo -g group_user2 groups''
:: [   PASS   ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod2.ldif'
:: [   LOG    ] :: sudoRunAsGroup:#20001 should be DENIED
:: [   PASS   ] :: Running 'su user1 -c 'sudo -g group_user2 groups''
:: [   PASS   ] :: Running 'service nslcd stop && sleep 2'
:: [   LOG    ] :: Duration: 9s
:: [   LOG    ] :: Assertions: 35 good, 0 bad
:: [   PASS   ] :: RESULT: Test with ldap

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: Test with sssd
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Running 'nsswitch_conf_sssd'
:: [   PASS   ] :: Running 'ldapsearch -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -LLL -b "ou=Sudoers,dc=example,dc=com" '*''
:: [   PASS   ] :: Running 'service sssd start && sleep 3'
:: [   PASS   ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod2.ldif'
:: [   LOG    ] :: sudoRunAsUser:user2 should be ALLOWED
:: [   PASS   ] :: Running 'su user1 -c 'sudo -u user2 true''
:: [   PASS   ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod2.ldif'
:: [   LOG    ] :: sudoRunAsUser:user1 should be DENIED
:: [   PASS   ] :: Running 'su user1 -c 'sudo -u user2 true''
:: [   PASS   ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod2.ldif'
:: [   LOG    ] :: sudoRunAsUser:#10002 should be ALLOWED
:: [   PASS   ] :: Running 'su user1 -c 'sudo -u user2 true''
:: [   PASS   ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod2.ldif'
:: [   LOG    ] :: sudoRunAsUser:#10001 should be DENIED
:: [   PASS   ] :: Running 'su user1 -c 'sudo -u user2 true''
:: [   PASS   ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod2.ldif'
:: [   LOG    ] :: sudoRunAsUser:%group_user2 should be ALLOWED
:: [   PASS   ] :: Running 'su user1 -c 'sudo -u user2 true''
:: [   PASS   ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod2.ldif'
:: [   LOG    ] :: sudoRunAsUser:%group_user1 should be DENIED
:: [   PASS   ] :: Running 'su user1 -c 'sudo -u user2 true''
:: [   PASS   ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod2.ldif'
:: [   LOG    ] :: sudoRunAsUser:+netgroup_user2 should be ALLOWED
:: [   PASS   ] :: Running 'su user1 -c 'sudo -u user2 true''
:: [   PASS   ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod2.ldif'
:: [   LOG    ] :: sudoRunAsUser:+netgroup_user1 should be DENIED
:: [   PASS   ] :: Running 'su user1 -c 'sudo -u user2 true''
:: [   PASS   ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod.ldif'
:: [   PASS   ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod2.ldif'
:: [   LOG    ] :: sudoRunAsGroup:group_user2 should be ALLOWED
:: [   PASS   ] :: Running 'su user1 -c 'sudo -g group_user2 groups''
:: [   PASS   ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod2.ldif'
:: [   LOG    ] :: sudoRunAsGroup:group_user1 should be DENIED
:: [   PASS   ] :: Running 'su user1 -c 'sudo -g group_user2 groups''
:: [   PASS   ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod2.ldif'
:: [   LOG    ] :: sudoRunAsGroup:#20002 should be ALLOWED
:: [   PASS   ] :: Running 'su user1 -c 'sudo -g group_user2 groups''
:: [   PASS   ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod2.ldif'
:: [   LOG    ] :: sudoRunAsGroup:#20001 should be DENIED
:: [   PASS   ] :: Running 'su user1 -c 'sudo -g group_user2 groups''
:: [   PASS   ] :: Running 'service sssd stop'
:: [   LOG    ] :: Duration: 47s
:: [   LOG    ] :: Assertions: 29 good, 0 bad
:: [   PASS   ] :: RESULT: Test with sssd
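As an added illustration (not part of the bug report or of its reproducer test), the following Python models how a sudoers-LDAP sudoRole's sudoRunAsUser and sudoRunAsGroup values are matched against the user or group requested with `sudo -u` / `sudo -g`, and runs that model over the same ALLOWED/DENIED matrix the log above walks through. The passwd, group and netgroup data is constructed so that user1/user2 and group_user1/group_user2 carry the #10001/#10002 and #20001/#20002 ids the log refers to; the decision logic is a simplification of sudo's, not its code.

```python
"""Simplified model of sudoers-LDAP runas matching, checked against the
ALLOWED/DENIED matrix in the reproducer log. Added example: neither sudo's
code nor the reproducer test; all directory data below is constructed."""

# Constructed stand-ins for getent passwd / group / netgroup; the ids line up
# with the #10001/#10002 and #20001/#20002 values the log refers to.
PASSWD = {"user1": (10001, 20001), "user2": (10002, 20002)}      # name -> (uid, gid)
GROUPS = {"group_user1": (20001, []), "group_user2": (20002, [])}  # name -> (gid, members)
NETGROUPS = {  # name -> (host, user, domain) triples; "" is a wildcard
    "netgroup_user1": [("", "user1", "")],
    "netgroup_user2": [("", "user2", "")],
}

def user_in_group(user, group):
    """Membership via primary gid or the group's member list."""
    if group not in GROUPS or user not in PASSWD:
        return False
    gid, members = GROUPS[group]
    return PASSWD[user][1] == gid or user in members

def user_in_netgroup(user, netgroup):
    """innetgr()-style match on the user field of each triple."""
    return any(u in ("", user) for _host, u, _dom in NETGROUPS.get(netgroup, []))

def runas_user_matches(spec, runas_user):
    """Does one sudoRunAsUser value admit the user requested with -u?"""
    if spec == "ALL":
        return True
    if spec.startswith("%"):   # %group: runas user must be a member
        return user_in_group(runas_user, spec[1:])
    if spec.startswith("+"):   # +netgroup: runas user must be in the netgroup
        return user_in_netgroup(runas_user, spec[1:])
    if spec.startswith("#"):   # #uid: numeric uid of the runas user
        return runas_user in PASSWD and PASSWD[runas_user][0] == int(spec[1:])
    return spec == runas_user  # plain user name

def runas_group_matches(spec, runas_group):
    """Does one sudoRunAsGroup value admit the group requested with -g?"""
    if spec == "ALL":
        return True
    if spec.startswith("#"):   # #gid
        return runas_group in GROUPS and GROUPS[runas_group][0] == int(spec[1:])
    return spec == runas_group

def rule_permits(rule, runas_user=None, runas_group=None):
    """Decide one sudoRole for `sudo -u` / `sudo -g`; sudoUser/sudoHost/sudoCommand
    are assumed to match. Simplified: a rule without sudoRunAsUser admits only root."""
    if runas_user is None and runas_group is None:
        runas_user = "root"            # plain `sudo cmd` targets the default runas user
    user_ok = group_ok = True
    if runas_user is not None:
        specs = rule.get("sudoRunAsUser", [])
        user_ok = (any(runas_user_matches(s, runas_user) for s in specs)
                   if specs else runas_user == "root")
    if runas_group is not None:        # -g always needs an explicit sudoRunAsGroup match
        group_ok = any(runas_group_matches(s, runas_group)
                       for s in rule.get("sudoRunAsGroup", []))
    return user_ok and group_ok

# The matrix the reproducer walks: (attribute value, expected outcome).
RUNAS_USER_CASES = [("user2", True), ("user1", False), ("#10002", True),
                    ("#10001", False), ("%group_user2", True), ("%group_user1", False),
                    ("+netgroup_user2", True), ("+netgroup_user1", False)]
RUNAS_GROUP_CASES = [("group_user2", True), ("group_user1", False),
                     ("#20002", True), ("#20001", False)]

def run_matrix():
    """Rows of (spec, expected, got) for `sudo -u user2 true` and `sudo -g group_user2 groups`."""
    base = {"sudoUser": ["user1"], "sudoHost": ["ALL"], "sudoCommand": ["ALL"]}
    rows = []
    for spec, want in RUNAS_USER_CASES:
        got = rule_permits({**base, "sudoRunAsUser": [spec]}, runas_user="user2")
        rows.append((spec, want, got))
    for spec, want in RUNAS_GROUP_CASES:
        got = rule_permits({**base, "sudoRunAsGroup": [spec]}, runas_group="group_user2")
        rows.append((spec, want, got))
    return rows

def matrix_agrees():
    """True when the model reproduces every row, as the 'old package' run did."""
    return all(want == got for _spec, want, got in run_matrix())
```

A sudo build that reports "user1 is not in the sudoers file" for every row, as sudo-1.8.6p7-2 does above, is failing before the runas comparison is reached, which is why the same rule passes with the older and the fixed packages.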
Comment 3 Daniel Kopeček 2013-07-25 11:39:40 EDT
I've tried it manually and it looks like it works fine. Could you re-run the test please? If it doesn't work, then there might be something wrong with the test.

-bash-4.2$ sudo -l
[sudo] password for ldapuser20002: 
Matching Defaults entries for ldapuser20002 on this host:
    requiretty, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC
    KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LOGNAME LANG
    LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION
    LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC
    LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS
    _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User ldapuser20002 may run the following commands on this host:
    (ALL) /bin/true
-bash-4.2$ sudo -u ldapuser20001 true
-bash-4.2$ echo $?
0
-bash-4.2$ sudo true
-bash-4.2$ echo $?
0
Comment 4 David Spurek 2013-08-01 07:30:41 EDT
It looks fixed, test passes now:

sudo-1.8.6p7-4.el7
nss-pam-ldapd-0.8.12-4.el7
sssd-1.10.1-1.el7.x86_64

Output with sudo-1.8.6p7-4.el7:

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: Test with ldap
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Running 'service nslcd start && sleep 2'
:: [   PASS   ] :: Running 'ldapsearch -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -LLL -b "ou=Sudoers,dc=example,dc=com" '*''
:: [   PASS   ] :: Running 'getent passwd user1'
:: [   PASS   ] :: Running 'getent passwd user2'
:: [   PASS   ] :: Running 'getent group group_user1'
:: [   PASS   ] :: Running 'getent netgroup netgroup_user1'
:: [   PASS   ] :: Running 'getent group group_user2'
:: [   PASS   ] :: Running 'getent netgroup netgroup_user2'
:: [   PASS   ] :: Running 'ldapadd -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_add.ldif'
:: [   PASS   ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod2.ldif'
:: [   LOG    ] :: sudoRunAsUser:user2 should be ALLOWED
:: [   PASS   ] :: Running 'su user1 -c 'sudo -u user2 true''
:: [   PASS   ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod2.ldif'
:: [   LOG    ] :: sudoRunAsUser:user1 should be DENIED
:: [   PASS   ] :: Running 'su user1 -c 'sudo -u user2 true''
:: [   PASS   ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod2.ldif'
:: [   LOG    ] :: sudoRunAsUser:#10002 should be ALLOWED
:: [   PASS   ] :: Running 'su user1 -c 'sudo -u user2 true''
:: [   PASS   ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod2.ldif'
:: [   LOG    ] :: sudoRunAsUser:#10001 should be DENIED
:: [   PASS   ] :: Running 'su user1 -c 'sudo -u user2 true''
:: [   PASS   ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod2.ldif'
:: [   LOG    ] :: sudoRunAsUser:%group_user2 should be ALLOWED
:: [   PASS   ] :: Running 'su user1 -c 'sudo -u user2 true''
:: [   PASS   ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod2.ldif'
:: [   LOG    ] :: sudoRunAsUser:%group_user1 should be DENIED
:: [   PASS   ] :: Running 'su user1 -c 'sudo -u user2 true''
:: [   PASS   ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod2.ldif'
:: [   LOG    ] :: sudoRunAsUser:+netgroup_user2 should be ALLOWED
:: [   PASS   ] :: Running 'su user1 -c 'sudo -u user2 true''
:: [   PASS   ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod2.ldif'
:: [   LOG    ] :: sudoRunAsUser:+netgroup_user1 should be DENIED
:: [   PASS   ] :: Running 'su user1 -c 'sudo -u user2 true''
:: [   PASS   ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod.ldif'
:: [   PASS   ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod2.ldif'
:: [   LOG    ] :: sudoRunAsGroup:group_user2 should be ALLOWED
:: [   PASS   ] :: Running 'su user1 -c 'sudo -g group_user2 groups''
:: [   PASS   ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod2.ldif'
:: [   LOG    ] :: sudoRunAsGroup:group_user1 should be DENIED
:: [   PASS   ] :: Running 'su user1 -c 'sudo -g group_user2 groups''
:: [   PASS   ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod2.ldif'
:: [   LOG    ] :: sudoRunAsGroup:#20002 should be ALLOWED
:: [   PASS   ] :: Running 'su user1 -c 'sudo -g group_user2 groups''
:: [   PASS   ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod2.ldif'
:: [   LOG    ] :: sudoRunAsGroup:#20001 should be DENIED
:: [   PASS   ] :: Running 'su user1 -c 'sudo -g group_user2 groups''
:: [   PASS   ] :: Running 'service nslcd stop && sleep 2'
:: [   LOG    ] :: Duration: 15s
:: [   LOG    ] :: Assertions: 35 good, 0 bad
:: [   PASS   ] :: RESULT: Test with ldap

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: Test with sssd
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Running 'nsswitch_conf_sssd'
:: [   PASS   ] :: Running 'ldapsearch -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -LLL -b "ou=Sudoers,dc=example,dc=com" '*''
:: [   PASS   ] :: Running 'service sssd start && sleep 3'
:: [   PASS   ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod2.ldif'
:: [   LOG    ] :: sudoRunAsUser:user2 should be ALLOWED
:: [   PASS   ] :: Running 'su user1 -c 'sudo -u user2 true''
:: [   PASS   ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod2.ldif'
:: [   LOG    ] :: sudoRunAsUser:user1 should be DENIED
:: [   PASS   ] :: Running 'su user1 -c 'sudo -u user2 true''
:: [   PASS   ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod2.ldif'
:: [   LOG    ] :: sudoRunAsUser:#10002 should be ALLOWED
:: [   PASS   ] :: Running 'su user1 -c 'sudo -u user2 true''
:: [   PASS   ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod2.ldif'
:: [   LOG    ] :: sudoRunAsUser:#10001 should be DENIED
:: [   PASS   ] :: Running 'su user1 -c 'sudo -u user2 true''
:: [   PASS   ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod2.ldif'
:: [   LOG    ] :: sudoRunAsUser:%group_user2 should be ALLOWED
:: [   PASS   ] :: Running 'su user1 -c 'sudo -u user2 true''
:: [   PASS   ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod2.ldif'
:: [   LOG    ] :: sudoRunAsUser:%group_user1 should be DENIED
:: [   PASS   ] :: Running 'su user1 -c 'sudo -u user2 true''
:: [   PASS   ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod2.ldif'
:: [   LOG    ] :: sudoRunAsUser:+netgroup_user2 should be ALLOWED
:: [   PASS   ] :: Running 'su user1 -c 'sudo -u user2 true''
:: [   PASS   ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod2.ldif'
:: [   LOG    ] :: sudoRunAsUser:+netgroup_user1 should be DENIED
:: [   PASS   ] :: Running 'su user1 -c 'sudo -u user2 true''
:: [   PASS   ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod.ldif'
:: [   PASS   ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod2.ldif'
:: [   LOG    ] :: sudoRunAsGroup:group_user2 should be ALLOWED
:: [   PASS   ] :: Running 'su user1 -c 'sudo -g group_user2 groups''
:: [   PASS   ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod2.ldif'
:: [   LOG    ] :: sudoRunAsGroup:group_user1 should be DENIED
:: [   PASS   ] :: Running 'su user1 -c 'sudo -g group_user2 groups''
:: [   PASS   ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod2.ldif'
:: [   LOG    ] :: sudoRunAsGroup:#20002 should be ALLOWED
:: [   PASS   ] :: Running 'su user1 -c 'sudo -g group_user2 groups''
:: [   PASS   ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod2.ldif'
:: [   LOG    ] :: sudoRunAsGroup:#20001 should be DENIED
:: [   PASS   ] :: Running 'su user1 -c 'sudo -g group_user2 groups''
:: [   PASS   ] :: Running 'service sssd stop'
:: [   LOG    ] :: Duration: 47s
:: [   LOG    ] :: Assertions: 29 good, 0 bad
:: [   PASS   ] :: RESULT: Test with sssd


Output with sudo.x86_64 0:1.8.6p7-2 is in the initial bug report.
Comment 5 Ludek Smid 2014-06-13 06:32:44 EDT
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.
