Folks,
I'm new to LAM and have spent days trying to troubleshoot an issue. I'm out
of options at this point so I'm posting here.
My rootDN user is named 'admin'. The host running OpenLDAP and LAM is
called "ns1". I am doing my testing all on the same box. For clarity, I am
running Ubuntu 18.04. I have LAM set up to execute tests as the logged in
user (user "admin"). When I run the lamdaemon test I get told:
Lamdaemon server and path - OK
Unix account - OK
SSH connection - OK
Execute lamdaemon - Fail
However, when I start digging through the logs, it looks like the
lamdaemon.pl script is being executed. So I am unsure where to go from
here. I'm sure there's something dumb that I'm missing since I've been
staring at the same things for days. I'm hoping a fresh set of eyes might
see what's going on here.
First, here's the setup of my admin user. Note the posixAccount and
uidObject settings.
--admin entity--
# Entry 1: cn=admin,dc=mydomain,dc=com
dn: cn=admin,dc=mydomain,dc=com
cn: admin
description: LDAP administrator
gidnumber: 1005
homedirectory: /home/admin
loginshell: /bin/bash
objectclass: simpleSecurityObject
objectclass: organizationalRole
objectclass: posixAccount
objectclass: uidObject
uid: admin
uidnumber: 1005
userpassword: {SSHA}
If I run 'id' it shows the correct groups:
--id--
admin@ns1:~$ id
uid=1005(admin) gid=1005(admin) groups=1005(admin),4(adm)
If I run sudo -l everything looks good:
--sudo -l --
admin@ns1:~$ sudo -l
sudo: LDAP Config Summary
sudo: ===================
sudo: uri ldaps://ns1.mydomain.com ldap://ns1.mydomain.com:636
sudo: ldap_version 3
sudo: sudoers_base ou=SUDOers,dc=mydomain,dc=com
sudo: search_filter (objectClass=sudoRole)
sudo: netgroup_base (NONE: will use nsswitch)
sudo: netgroup_search_filter (objectClass=nisNetgroup)
sudo: binddn (anonymous)
sudo: bindpw (anonymous)
sudo: ssl (no)
sudo: tls_cacertfile /etc/ssl/certs/mydomain_ca_server.pem
sudo: ===================
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: tls_cacertfile ->
/etc/ssl/certs/mydomain_ca_server.pem
sudo: ldap_set_option: tls_cacert -> /etc/ssl/certs/mydomain_ca_server.pem
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_sasl_bind_s() ok
sudo: Looking for cn=defaults: (&(objectClass=sudoRole)(cn=defaults))
sudo: found:cn=defaults,ou=SUDOers,dc=mydomain,dc=com
sudo: ldap search
'(&(objectClass=sudoRole)(|(sudoUser=admin)(sudoUser=%admin)(sudoUser=%#1005)(sudoUser=%adm)(sudoUser=%#4)(sudoUser=ALL)))'
sudo: searching from base 'ou=SUDOers,dc=mydomain,dc=com'
sudo: adding search result
sudo: result now has 1 entries
sudo: ldap search '(&(objectClass=sudoRole)(sudoUser=*)(sudoUser=+*))'
sudo: searching from base 'ou=SUDOers,dc=mydomain,dc=com'
sudo: adding search result
sudo: result now has 1 entries
sudo: sorting remaining 1 entries
sudo: perform search for pwflag 54
sudo: done with LDAP searches
sudo: user_matches=true
sudo: host_matches=true
sudo: sudo_ldap_lookup(54)=0x882
sudo: ldap search for command list
sudo: reusing previous result (user admin) with 1 entries
Matching Defaults entries for admin on ns1:
ignore_dot, !mail_no_user, log_host, logfile=/var/log/sudo.log,
ignore_local_sudoers
User admin may run the following commands on ns1:
(ALL : ALL) NOPASSWD: /var/www/html/lam/lib/lamdaemon.pl *
If I run the test command from the command line, it works and reports back
as OK:
--Run from Command Line--
admin@ns1:~$ sudo /var/www/html/lam/lib/lamdaemon.pl
+###x##y##x###test###x##y##x###basic
sudo: LDAP Config Summary
sudo: ===================
sudo: uri ldaps://ns1.mydomain.com ldap://ns1.mydomain.com:636
sudo: ldap_version 3
sudo: sudoers_base ou=SUDOers,dc=mydomain,dc=com
sudo: search_filter (objectClass=sudoRole)
sudo: netgroup_base (NONE: will use nsswitch)
sudo: netgroup_search_filter (objectClass=nisNetgroup)
sudo: binddn (anonymous)
sudo: bindpw (anonymous)
sudo: ssl (no)
sudo: tls_cacertfile /etc/ssl/certs/mydomain_ca_server.pem
sudo: ===================
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: tls_cacertfile ->
/etc/ssl/certs/mydomain_ca_server.pem
sudo: ldap_set_option: tls_cacert -> /etc/ssl/certs/mydomain_ca_server.pem
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_sasl_bind_s() ok
sudo: Looking for cn=defaults: (&(objectClass=sudoRole)(cn=defaults))
sudo: found:cn=defaults,ou=SUDOers,dc=mydomain,dc=com
sudo: ldap search
'(&(objectClass=sudoRole)(|(sudoUser=admin)(sudoUser=%admin)(sudoUser=%#1005)(sudoUser=%adm)(sudoUser=%#4)(sudoUser=ALL)))'
sudo: searching from base 'ou=SUDOers,dc=mydomain,dc=com'
sudo: adding search result
sudo: result now has 1 entries
sudo: ldap search '(&(objectClass=sudoRole)(sudoUser=*)(sudoUser=+*))'
sudo: searching from base 'ou=SUDOers,dc=mydomain,dc=com'
sudo: adding search result
sudo: result now has 1 entries
sudo: sorting remaining 1 entries
sudo: searching LDAP for sudoers entries
sudo: Command allowed
sudo: LDAP entry: 0x55cc47d673c0
sudo: done with LDAP searches
sudo: user_matches=true
sudo: host_matches=true
sudo: sudo_ldap_lookup(0)=0x02
sudo: removing reusable search result
INFO,Basic test ok
Now if I run the lamdaemon.pl test from the web interface I still get:
Lamdaemon server and path - OK
Unix account - OK
SSH connection - OK
Execute lamdaemon - Fail
However, looking into the logs, it looks like the command did, in fact,
execute:
--auth.log--
Feb 4 20:58:40 ns1 sshd[19619]: Accepted password for admin from 127.0.0.1
port 50110 ssh2
Feb 4 20:58:40 ns1 sshd[19619]: pam_unix(sshd:session): session opened for
user admin by (uid=0)
Feb 4 20:58:40 ns1 systemd-logind[9542]: New session 1735 of user admin.
Feb 4 20:58:40 ns1 systemd: pam_unix(systemd-user:session): session opened
for user admin by (uid=0)
Feb 4 20:58:40 ns1 sudo: admin : TTY=unknown ; PWD=/home/admin ;
USER=root ; COMMAND=/var/www/html/lam/lib/lamdaemon.pl
+###x##y##x###test###x##y##x###basic
Feb 4 20:58:40 ns1 sudo: pam_unix(sudo:session): session opened for user
root by (uid=0)
Feb 4 20:58:40 ns1 sudo: pam_unix(sudo:session): session closed for user
root
Feb 4 20:58:40 ns1 sshd[19713]: Received disconnect from 127.0.0.1 port
50110:11:
Feb 4 20:58:40 ns1 sshd[19713]: Disconnected from user admin 127.0.0.1
port 50110
Feb 4 20:58:40 ns1 sshd[19619]: pam_unix(sshd:session): session closed for
user admin
Feb 4 20:58:40 ns1 systemd-logind[9542]: Removed session 1735.
Feb 4 20:58:40 ns1 systemd: pam_unix(systemd-user:session): session closed
for user admin
--sudo.log--
Feb 4 20:58:40 : admin : HOST=ns1 : TTY=unknown ; PWD=/home/admin ;
USER=root ;
COMMAND=/var/www/html/lam/lib/lamdaemon.pl
+###x##y##x###test###x##y##x###basic
So now I'm left wondering: if 'admin' can execute lamdaemon.pl from the
command line and it works, and it appears to work when I run it from the
test page, WHY am I still getting told that lamdaemon failed to execute?
I'm losing my mind here.
-noid
Crypto: https://keybase.io/noid
None are more hopelessly enslaved than those who falsely believe they are
free - Goethe
--
_______________________________________________
Lam-public mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/lam-public
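Added example, not from the post or from the LAM project: a small parser for auth.log sudo lines of the shape shown above that records who ran what as which user, from which TTY, and whether the logged COMMAND is covered by the `(ALL : ALL) NOPASSWD: /var/www/html/lam/lib/lamdaemon.pl *` rule from `sudo -l`. The log lines are constructed to match the post's format, and the argument matching approximates sudoers glob semantics with fnmatch.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample, shaped like the auth.log lines in the post; the
# third line is a made-up command that the lamdaemon rule does not cover.
AUTH_LOG = """\
Feb 4 20:58:40 ns1 sshd[19619]: Accepted password for admin from 127.0.0.1 port 50110 ssh2
Feb 4 20:58:40 ns1 sudo: admin : TTY=unknown ; PWD=/home/admin ; USER=root ; COMMAND=/var/www/html/lam/lib/lamdaemon.pl +###x##y##x###test###x##y##x###basic
Feb 4 20:58:41 ns1 sudo: admin : TTY=pts/0 ; PWD=/home/admin ; USER=root ; COMMAND=/bin/bash
"""

# syslog-style sudo line: "<ts> <host> sudo: <user> : TTY=.. ; PWD=.. ; USER=.. ; COMMAND=.."
SUDO_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]+) (?P<host>\S+) sudo: +(?P<user>\S+) : "
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$"
)

# The rule reported by `sudo -l` in the post: command path plus an argument glob.
ALLOWED_RULES = [("/var/www/html/lam/lib/lamdaemon.pl", "*")]


def parse_sudo_events(text):
    """Return one dict per sudo line; non-sudo lines (sshd, systemd, ...) are skipped."""
    events = []
    for line in text.splitlines():
        m = SUDO_LINE.match(line)
        if not m:
            continue
        cmd, _, args = m.group("cmd").partition(" ")
        events.append({**m.groupdict(), "cmd": cmd, "args": args})
    return events


def rule_allows(cmd, args, rules=ALLOWED_RULES):
    """Exact path match, then fnmatch-style glob on the argument string (sudoers approximation)."""
    return any(cmd == path and fnmatchcase(args, pattern) for path, pattern in rules)


def audit(text):
    """Summarise each sudo invocation and flag whether the sudoers rule covers it."""
    return [
        {"ts": ev["ts"], "user": ev["user"], "runas": ev["runas"], "tty": ev["tty"],
         "cmd": ev["cmd"], "covered_by_rule": rule_allows(ev["cmd"], ev["args"])}
        for ev in parse_sudo_events(text)
    ]


if __name__ == "__main__":
    for finding in audit(AUTH_LOG):
        print(finding)
```

Events with TTY=unknown are the non-interactive invocations coming in over SSH from the LAM web host, which is what the lamdaemon test looks like in the log.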