Score:0

Trying to get sudoers working on openldap/centos7

in flag

I was following this tutorial here:

https://kifarunix.com/how-to-configure-sudo-via-openldap-server/

A lot of it made sense, but I'm still new to openldap so some of this is cryptic too. I have openldap running with users authenticating on other machines, even working with phpldapadmin. So it was time to get sudoers working for some users. I ran the sudoers2ldif command and got a file similar to what was shown in the tutorial, and edited it accordingly. When it came time to run ldapadd -Y EXTERNAL -H ldapi:/// -f sudoers_modified.ldif it failed with the error:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=defaults,ou=SUDOers,dc=apo,dc=local"
ldap_add: Invalid syntax (21)
    additional info: objectClass: value #1 invalid per syntax

Is the 21 the line number of the .ldif file, or some other error code? Also, I have no idea what is invalid about the objectClass line... the ldif file is posted below.

dn: cn=defaults,ou=SUDOers,dc=bbb,dc=local
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOption's go here
sudoOption: !visiblepw
sudoOption: always_set_home
sudoOption: match_group_by_gid
sudoOption: always_query_group_plugin
sudoOption: env_reset
sudoOption: env_keep =  "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"
sudoOption: env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
sudoOption: env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
sudoOption: env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
sudoOption: env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
sudoOption: secure_path = /sbin:/bin:/usr/sbin:/usr/bin

dn: cn=sudo,OU=SUDOers,dc=bbb,dc=local
objectClass: top
objectClass: sudoRole
cn: sudo
sudoUser: bobby
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL

Maybe sudoRole needs to be added somehow? The other ldif I added successfully for this was:

dn: ou=SUDOers,dc=bbb,dc=local
objectClass: top
objectClass: organizationalUnit
ou: SUDOers
description: BBB SUDOers container

I had found another tutorial here:

https://forums.centos.org/viewtopic.php?t=73807

It has similar information, slightly different. I didn't use this one because one of the ldif files that was posted had a ton of stuff that said it was 'autogenerated' and I had no idea how or where it came from.

After the one answer, I believe it is the file shown at the above link that has the data:

vi /testfolder/sudoers.ldif
#------------------------
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 b181185c
dn: cn=sudoers,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: sudoers
olcAttributeTypes: {0}( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {1}( 1.3.6.1.4.1.15953.9.1.2 NAME 'sudoHost' DESC 'Host(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {2}( 1.3.6.1.4.1.15953.9.1.3 NAME 'sudoCommand' DESC 'Command(s) to be executed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {3}( 1.3.6.1.4.1.15953.9.1.4 NAME 'sudoRunAs' DESC 'User(s) impersonated by sudo (deprecated)' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {4}( 1.3.6.1.4.1.15953.9.1.5 NAME 'sudoOption' DESC 'Options(s) followed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {5}( 1.3.6.1.4.1.15953.9.1.6 NAME 'sudoRunAsUser' DESC 'User(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {6}( 1.3.6.1.4.1.15953.9.1.7 NAME 'sudoRunAsGroup' DESC 'Group(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {7}( 1.3.6.1.4.1.15953.9.1.8 NAME 'sudoNotBefore' DESC 'Start of time interval for which the entry is valid' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
olcAttributeTypes: {8}( 1.3.6.1.4.1.15953.9.1.9 NAME 'sudoNotAfter' DESC 'End of time interval for which the entry is valid' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
olcAttributeTypes: {9}( 1.3.6.1.4.1.15953.9.1.10 NAME 'sudoOrder' DESC 'an integer to order the sudoRole entries' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
olcObjectClasses: {0}( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' DESC 'Sudoer Entries' SUP top STRUCTURAL MUST cn MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $ sudoRunAsGroup $ sudoOption $ sudoOrder $ sudoNotBefore $ sudoNotAfter $ description ) )

Once I realized the file was the schema, I added it and finally got this all working, so in a roundabout way I accepted the answer even though I had to dig into what I was doing a bit more. Btw, the schema file wasn't used in my ldap; I had to add it via ldapadd.

Richard Salts avatar
cn flag
You're using the dynamic config for openldap rather than slapd.conf and the associated *.schema files. The server config is accessed via ldap and you can view it with `ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config"`. It seems like the tutorial you were following just relies on the fact that the sudo schema was already incorporated into the ldap server.
Score:1
no flag

Is the 21, the line number of the .ldif file? Or some other error code

That's the return code for Invalid Syntax.

LDAP_INVALID_SYNTAX - 21 (0x15)
An attribute value specified on an LDAP client request does not have a valid syntax specified. 
For example, if an attribute type in the schema has an integer syntax, an integer value must be specified on an add or modify request.

Can you do the following to troubleshoot this further?

  • Check whether the sudoers schema file is present on the host. If it's not present, copy it from here
    # ls -l /etc/openldap/schema/sudo.schema
    
  • Check whether the sudo.schema (or equivalent file) is added to the relevant openldap server configuration file.
    # grep sudo.schema /etc/openldap/slapd.conf
    include         /etc/openldap/schema/sudo.schema
    
  • Check if sudoers OU exists!
    # ldapsearch -H ldap://localhost -x -LLL -s one -b "OU=SUDOers,dc=bbb,dc=local"
    
    If it's not, add it using ldapadd (1)
  • Check if there are syntax errors in the ldif file using
    # /usr/bin/cvtsudoers /tmp/sample.ldif -i ldif -f sudoers
    

You should probably go through the official sudo documentation link, which contains explanations for some of the above things.

in flag
I noticed I do not have a slapd.conf at all, but I think it is because that was deprecated and I am running a new version?
no flag
Since you are using centos, can you check the version of openldap that you are running now using something like this `rpm -qi openldap-servers` ?
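The check Richard Salts describes, automated as an added example (not code from the question, the answers, or the tutorial): dump the object classes the cn=config server actually knows, then confirm every objectClass in the LDIF you are about to ldapadd is defined there. The file names are constructed, and the ldapsearch invocation in the header comment is the assumed source of the schema dump.

```shell
#!/bin/sh
# Added example. Assumed input: the object classes the server knows, dumped with
#   ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config -LLL olcObjectClasses > schema.ldif
# Result 21 with "objectClass: value #1 invalid per syntax" is what slapd returns
# when an objectClass in the entry is not defined in the loaded schema, so the
# question is: is every class named in the LDIF present in that dump?

# LDIF folds long values; a continuation line starts with one space.
# Rejoin them so each attribute sits on a single line.
unfold_ldif() {
    awk '/^ / { printf "%s", substr($0, 2); next }
         NR > 1 { printf "\n" }
         { printf "%s", $0 }
         END { printf "\n" }' "$1"
}

# Object class names defined by the schema dump in $1, one per line
# (first name only when a definition lists aliases as NAME ( 'a' 'b' )).
schema_class_names() {
    unfold_ldif "$1" |
        sed -n "s/^olcObjectClasses: .*NAME *(\{0,1\} *'\([^']*\)'.*/\1/p"
}

# Object classes referenced by the entries in the LDIF $1.
# Attribute names are case-insensitive in LDAP, hence tolower().
wanted_class_names() {
    unfold_ldif "$1" | awk 'tolower($1) == "objectclass:" { print $2 }' | sort -u
}

# check_classes SCHEMA_DUMP ENTRY_LDIF
# Returns 0 when every class in ENTRY_LDIF is defined; otherwise prints the
# missing ones (the classes that would trigger result 21) and returns 1.
check_classes() {
    known=$(schema_class_names "$1")
    missing=$(wanted_class_names "$2" | while read -r cls; do
        printf '%s\n' "$known" | grep -qix "$cls" || echo "$cls"
    done)
    [ -z "$missing" ] && return 0
    printf 'not defined in cn=config: %s\n' "$missing" >&2
    return 1
}
```

If sudoRole is reported missing, load the schema LDIF first (ldapadd -Y EXTERNAL -H ldapi:/// -f sudoers.ldif, as in the question) and rerun the check before adding the sudoRole entries.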