Hi Dave,

It looks like sudo prints a lot of debug output. This will confuse LAM, as the result message is not found then.
So the first step would be to disable the debug output.

If it still does not work please check syslog for any messages from lamdaemon.

Also check LAM's own log messages. Here, setting the debug log level is fine:

https://www.ldap-account-manager.org/static/doc/manual/ch03.html#conf_logging

Best regards
Roland 

On 5 February 2020 01:12:13 CET, Dave Null <[email protected]> wrote:
>Folks,
>
>I'm new to LAM and have spent days trying to troubleshoot an issue. I'm out of options at this point so I'm posting here.
>
>My rootDN user is named 'admin'. The host running OpenLDAP and LAM is called "ns1". I am doing my testing all on the same box. For clarity, I am running Ubuntu 18.04. I have LAM set up to execute tests as the logged-in user (user "admin"). When I run the lamdaemon test I get told:
>
>Lamdaemon server and path - OK
>Unix account - OK
>SSH connection - OK
>Execute lamdaemon - Fail
>
>However, when I start digging through the logs, it looks like the lamdaemon.pl script is being executed. So I am unsure where to go from here. I'm sure there's something dumb that I'm missing since I've been staring at the same things for days. I'm hoping a fresh set of eyes might see what's going on here.
>
>First, here's the setup of my admin user. Note the posixAccount and uidObject settings.
>
>--admin entity--
># Entry 1: cn=admin,dc=mydomain,dc=com
>dn: cn=admin,dc=mydomain,dc=com
>cn: admin
>description: LDAP administrator
>gidnumber: 1005
>homedirectory: /home/admin
>loginshell: /bin/bash
>objectclass: simpleSecurityObject
>objectclass: organizationalRole
>objectclass: posixAccount
>objectclass: uidObject
>uid: admin
>uidnumber: 1005
>userpassword: {SSHA}
>
>If I run 'id' it shows the correct groups:
>--id--
>admin@ns1:~$ id
>uid=1005(admin) gid=1005(admin) groups=1005(admin),4(adm)
>
>If I run sudo -l, everything looks good.
>--sudo -l --
>admin@ns1:~$ sudo -l
>sudo: LDAP Config Summary
>sudo: ===================
>sudo: uri              ldaps://ns1.mydomain.com ldap://ns1.mydomain.com:636
>sudo: ldap_version     3
>sudo: sudoers_base     ou=SUDOers,dc=mydomain,dc=com
>sudo: search_filter    (objectClass=sudoRole)
>sudo: netgroup_base (NONE: will use nsswitch)
>sudo: netgroup_search_filter (objectClass=nisNetgroup)
>sudo: binddn           (anonymous)
>sudo: bindpw           (anonymous)
>sudo: ssl              (no)
>sudo: tls_cacertfile   /etc/ssl/certs/mydomain_ca_server.pem
>sudo: ===================
>sudo: ldap_set_option: debug -> 0
>sudo: ldap_set_option: tls_cacertfile -> /etc/ssl/certs/mydomain_ca_server.pem
>sudo: ldap_set_option: tls_cacert -> /etc/ssl/certs/mydomain_ca_server.pem
>sudo: ldap_set_option: ldap_version -> 3
>sudo: ldap_sasl_bind_s() ok
>sudo: Looking for cn=defaults: (&(objectClass=sudoRole)(cn=defaults))
>sudo: found:cn=defaults,ou=SUDOers,dc=mydomain,dc=com
>sudo: ldap search '(&(objectClass=sudoRole)(|(sudoUser=admin)(sudoUser=%admin)(sudoUser=%#1005)(sudoUser=%adm)(sudoUser=%#4)(sudoUser=ALL)))'
>sudo: searching from base 'ou=SUDOers,dc=mydomain,dc=com'
>sudo: adding search result
>sudo: result now has 1 entries
>sudo: ldap search '(&(objectClass=sudoRole)(sudoUser=*)(sudoUser=+*))'
>sudo: searching from base 'ou=SUDOers,dc=mydomain,dc=com'
>sudo: adding search result
>sudo: result now has 1 entries
>sudo: sorting remaining 1 entries
>sudo: perform search for pwflag 54
>sudo: done with LDAP searches
>sudo: user_matches=true
>sudo: host_matches=true
>sudo: sudo_ldap_lookup(54)=0x882
>sudo: ldap search for command list
>sudo: reusing previous result (user admin) with 1 entries
>Matching Defaults entries for admin on ns1:
>    ignore_dot, !mail_no_user, log_host, logfile=/var/log/sudo.log, ignore_local_sudoers
>
>User admin may run the following commands on ns1:
>    (ALL : ALL) NOPASSWD: /var/www/html/lam/lib/lamdaemon.pl *
>
>If I run the test command from the command line, it works and reports back as OK.
>--Run from Command Line--
>admin@ns1:~$ sudo /var/www/html/lam/lib/lamdaemon.pl +###x##y##x###test###x##y##x###basic
>sudo: LDAP Config Summary
>sudo: ===================
>sudo: uri              ldaps://ns1.mydomain.com ldap://ns1.mydomain.com:636
>sudo: ldap_version     3
>sudo: sudoers_base     ou=SUDOers,dc=mydomain,dc=com
>sudo: search_filter    (objectClass=sudoRole)
>sudo: netgroup_base (NONE: will use nsswitch)
>sudo: netgroup_search_filter (objectClass=nisNetgroup)
>sudo: binddn           (anonymous)
>sudo: bindpw           (anonymous)
>sudo: ssl              (no)
>sudo: tls_cacertfile   /etc/ssl/certs/mydomain_ca_server.pem
>sudo: ===================
>sudo: ldap_set_option: debug -> 0
>sudo: ldap_set_option: tls_cacertfile -> /etc/ssl/certs/mydomain_ca_server.pem
>sudo: ldap_set_option: tls_cacert -> /etc/ssl/certs/mydomain_ca_server.pem
>sudo: ldap_set_option: ldap_version -> 3
>sudo: ldap_sasl_bind_s() ok
>sudo: Looking for cn=defaults: (&(objectClass=sudoRole)(cn=defaults))
>sudo: found:cn=defaults,ou=SUDOers,dc=mydomain,dc=com
>sudo: ldap search '(&(objectClass=sudoRole)(|(sudoUser=admin)(sudoUser=%admin)(sudoUser=%#1005)(sudoUser=%adm)(sudoUser=%#4)(sudoUser=ALL)))'
>sudo: searching from base 'ou=SUDOers,dc=mydomain,dc=com'
>sudo: adding search result
>sudo: result now has 1 entries
>sudo: ldap search '(&(objectClass=sudoRole)(sudoUser=*)(sudoUser=+*))'
>sudo: searching from base 'ou=SUDOers,dc=mydomain,dc=com'
>sudo: adding search result
>sudo: result now has 1 entries
>sudo: sorting remaining 1 entries
>sudo: searching LDAP for sudoers entries
>sudo: Command allowed
>sudo: LDAP entry: 0x55cc47d673c0
>sudo: done with LDAP searches
>sudo: user_matches=true
>sudo: host_matches=true
>sudo: sudo_ldap_lookup(0)=0x02
>sudo: removing reusable search result
>INFO,Basic test ok
>
>Now, if I run the lamdaemon.pl test from the web interface, I still get:
>
>Lamdaemon server and path - OK
>Unix account - OK
>SSH connection - OK
>Execute lamdaemon - Fail
>
>However, looking into the logs, it looks like the command did, in fact, execute:
>--auth.log--
>Feb  4 20:58:40 ns1 sshd[19619]: Accepted password for admin from 127.0.0.1 port 50110 ssh2
>Feb  4 20:58:40 ns1 sshd[19619]: pam_unix(sshd:session): session opened for user admin by (uid=0)
>Feb  4 20:58:40 ns1 systemd-logind[9542]: New session 1735 of user admin.
>Feb  4 20:58:40 ns1 systemd: pam_unix(systemd-user:session): session opened for user admin by (uid=0)
>Feb  4 20:58:40 ns1 sudo:    admin : TTY=unknown ; PWD=/home/admin ; USER=root ; COMMAND=/var/www/html/lam/lib/lamdaemon.pl +###x##y##x###test###x##y##x###basic
>Feb  4 20:58:40 ns1 sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
>Feb  4 20:58:40 ns1 sudo: pam_unix(sudo:session): session closed for user root
>Feb  4 20:58:40 ns1 sshd[19713]: Received disconnect from 127.0.0.1 port 50110:11:
>Feb  4 20:58:40 ns1 sshd[19713]: Disconnected from user admin 127.0.0.1 port 50110
>Feb  4 20:58:40 ns1 sshd[19619]: pam_unix(sshd:session): session closed for user admin
>Feb  4 20:58:40 ns1 systemd-logind[9542]: Removed session 1735.
>Feb  4 20:58:40 ns1 systemd: pam_unix(systemd-user:session): session closed for user admin
>
>--sudo.log--
>Feb  4 20:58:40 : admin : HOST=ns1 : TTY=unknown ; PWD=/home/admin ; USER=root ;
>    COMMAND=/var/www/html/lam/lib/lamdaemon.pl +###x##y##x###test###x##y##x###basic
>
>So now I'm left wondering: if 'admin' can execute lamdaemon.pl from the command line and it works, and it appears to work when I run it from the test page, WHY am I still getting told that Lamdaemon failed to execute?
>
>I'm losing my mind here
>
>-noid
>
>Crypto: https://keybase.io/noid
>None are more hopelessly enslaved than those who falsely believe they are free - Goethe
>--
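As an added example (not code from this thread, from LAM or from sudo), the check a defender would run before retrying the LAM test, assuming the "sudo: LDAP Config Summary" chatter comes from a non-zero `sudoers_debug` setting in `/etc/sudo-ldap.conf`: it flags that setting, prints a corrected copy of the file, and shows that the real result line is still present underneath the noise. The config and output samples are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumption: the "sudo: ..." trace lines are
# produced by a non-zero "sudoers_debug" value in /etc/sudo-ldap.conf.

# Constructed sample of a sudo-ldap.conf with debugging left on (not Dave's file).
SAMPLE_CONF='uri ldaps://ns1.mydomain.com ldap://ns1.mydomain.com:636
sudoers_base ou=SUDOers,dc=mydomain,dc=com
sudoers_debug 2
tls_cacertfile /etc/ssl/certs/mydomain_ca_server.pem'

# Constructed sample of the combined output LAM receives while the trace is on.
SAMPLE_OUTPUT='sudo: LDAP Config Summary
sudo: ===================
sudo: done with LDAP searches
INFO,Basic test ok'

# Exit 0 if the config enables sudoers_debug at any level above 0, else 1.
has_sudo_ldap_debug() {
    printf '%s\n' "$1" | grep -Eiq '^[[:space:]]*sudoers_debug[[:space:]]+[1-9]'
}

# Print the config with every sudoers_debug line commented out, which stops
# sudo from writing its LDAP trace to stderr.
disable_sudo_ldap_debug() {
    printf '%s\n' "$1" | sed -E 's/^[[:space:]]*(sudoers_debug[[:space:]].*)$/# \1/'
}

# Print the last line that is not sudo chatter: the lamdaemon result line that
# LAM is looking for, buried under the trace.
lamdaemon_result_line() {
    printf '%s\n' "$1" | grep -v '^sudo: ' | tail -n 1
}

# Stand-alone run over the constructed samples.
if has_sudo_ldap_debug "$SAMPLE_CONF"; then
    echo "sudoers_debug is on; corrected config:"
    disable_sudo_ldap_debug "$SAMPLE_CONF"
fi
echo "lamdaemon result line: $(lamdaemon_result_line "$SAMPLE_OUTPUT")"
```

On a real host, pass the file contents instead of the sample, e.g. `has_sudo_ldap_debug "$(cat /etc/sudo-ldap.conf)"`, and write the corrected copy back only after reviewing it.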
_______________________________________________
Lam-public mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/lam-public
