On Sat, Nov 21, 2015 at 02:21:52AM +0000, Jeffrey Stormshak wrote:
> Rob -
> Here's the test configurations/data when I manipulate the BINDDN/BINDPW
> fields to get both AUTH and SUDO to work in Linux 5.5. I have three
> questions below that I would like to get your comments on or see what you may
> recommend on this. I'm seriously perplexed on this as to why it's working
> this way … Please advise. Thanks!
>
> **************************************************************
> AUTH successful on login; SUDO fails with the message listed
> below !!
> **************************************************************
> [mjsmith@chi-infra-idm-client2 ~]$ sudo -l
> sudo: ldap_sasl_bind_s(): Server is unwilling to perform

Looks like the bind didn't finish successfully, can you look into debugging
sudo itself? The debugging changed a bit between releases, but the sudo
documentation would tell you..

> [sudo] password for mjsmith:
> Sorry, user mjsmith may not run sudo on chi-infra-idm-client2.
> *****************************************************
>
> *****************************************************
> # grep -iv ‘#’ /etc/ldap.conf
> *****************************************************
> base dc=linuxcccis,dc=com
> uri ldap://chi-infra-idm-p1.linuxcccis.com/
> binddn uid=admin,cn=users,cn=compat,dc=linuxcccis,dc=com
> bindpw secret_pass
> timelimit 15
> bind_timelimit 5
> idle_timelimit 3600
> nss_initgroups_ignoreusers
> root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm
> pam_password md5
> sudoers_base ou=SUDOers,dc=linuxcccis,dc=com
>
> *************************************************
> User Account AUTH and SUDO works when
> commenting both the binddn and bindpw fields !!
> *************************************************
> vi /etc/ldap.conf … Comment these two fields …
> #binddn uid=admin,cn=users,cn=compat,dc=linuxcccis,dc=com
> #bindpw secret_pass
>
> ************************************************
> This file unchanged during the above testing !!
> ************************************************
> /etc/sudo-ldap.conf:
> binddn uid=sudo,cn=sysaccounts,cn=etc,dc=linuxcccis,dc=com
> bindpw secret_pass
> ssl start_tls
> tls_cacertfile /etc/ipa/ca.crt
> tls_checkpeer yes
> bind_timelimit 5
> timelimit 15
> uri ldap://chi-infra-idm-p1.linuxcccis.com
> sudoers_base ou=SUDOers,dc=linuxcccis,dc=com
>
> QUESTIONS:
> 1) What BINDN account needs to be specified to allow the BINDDN/BINDPW to
> work for SUDO?
> 2) Why does the AUTH work when setting values in the BINDDN/BINDPW, but SUDO
> then fails?
> 3) If I leave BINDDN/BINDPW blank, what security risks are being introduced
> by leaving it that way?

Anyone on the network can read sudo rules.

I guess in theory, the attacker might target accounts who are allowed to run
sudo rules as a gateway for getting elevated privileges on the machine..

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project