I have an OpenLDAP server on Ubuntu 22.04 with users associated with a POSIX group "group1".
I configured sudo-ldap so that sudo rights are managed by the server, and sssd to cache and query the sudo rights.
The problem is that the rules do not work: when I try a sudo command as either user1 or user3, I always get "user not authorized to run sudo command on ..."
I configured sudoRoles on the LDAP server with this file, sudo.ldif:
dn: cn=admins,ou=sudoers,dc=example,dc=fr
objectClass: sudoRole
objectClass: top
cn: admins
sudoCommand: ALL
sudoHost: ALL
sudoRunAsUser: ALL
sudoUser: user1,user2

dn: cn=defaults,ou=SUDOers,dc=example,dc=fr
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOption's go here
sudoOption: env_keep+=SSH_AUTH_SOCK
sudoOption: insults
sudoOption: pwfeedback
sudoCommand: /sbin/shutdown
sudoCommand: /bin/mount
sudoCommand: /bin/umount
sudoCommand: /usr/bin/make
sudoCommand: /usr/bin/dpkg
sudoCommand: /usr/bin/aptitude
sudoCommand: /usr/bin/apt-get
sudoCommand: /usr/bin/apt-key
sudoCommand: /usr/bin/apt
sudoCommand: /usr/bin/add-apt-repository
sudoCommand: /usr/bin/apt-add-repository
sudoCommand: /sbin/reboot
sudoCommand: /usr/bin/npm
sudoUser: %group1
This way, user1 and user2 have full admin rights, and for the others the defaults rule applies only to users from the group1 Unix group.
A typical user has these attributes (extracted with the slapcat command):
dn: uid=user3,dc=example,dc=fr
cn: user3
uid: user3
uidNumber: 2266
loginShell: /bin/bash
homeDirectory: /home/user3
gidNumber: 2000
userPassword:: e2NyeXB0fUVKeHNLazM3SkxWRkk=
shadowLastChange: 19265
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
objectClass: person
sn: user3
structuralObjectClass: inetOrgPerson
entryUUID: 68a16f0c-d51d-103c-98b5-a194ee75d300
creatorsName: cn=admin,dc=dsimb,dc=inserm,dc=fr
createTimestamp: 20220930150756Z
ou: Users
ou: SUDOers
o: group1
entryCSN: 20230110145746.062358Z#000000#000#000000
modifiersName: cn=admin,dc=example,dc=fr
modifyTimestamp: 20230110145746Z
I have a POSIX group group1 with gid 2000 on all machines, associated with all users, and I also created a group1 LDAP group:
dn: cn=group1,ou=Groups,dc=example,dc=fr
structuralObjectClass: posixGroup
entryUUID: c8816a74-c7c3-103c-9b5d-cf252e8ef64c
creatorsName: cn=admin,dc=example,dc=fr
createTimestamp: 20220913152337Z
objectClass: posixGroup
userPassword:
cn: group1
gidNumber: 2000
memberUid: user1
memberUid: user2
memberUid: user3
My sssd.conf file:
[sssd]
config_file_version = 2
domains = example.fr
services = nss,pam,sudo
[nss]
[pam]
[sudo]
[domain/example.fr]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://example.fr
cache_credentials = True
ldap_search_base = dc=example,dc=fr
override_homedir = /home/%u
enumerate = true
sudo_provider = ldap
ldap_sudo_search_base = ou=SUDOers,dc=example,dc=fr
ldap_sudo_full_refresh_interval = 86400
ldap_sudo_smart_refresh_interval = 3600
The nsswitch.conf:
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: files sss ldap
group: files sss ldap
shadow: files sss
gshadow: files
hosts: files mdns4_minimal [NOTFOUND=return] dns
networks: files
protocols: db files
services: db files sss
ethers: db files
rpc: db files
netgroup: nis sss
automount: sss
sudoers: sss
The sudo-ldap.conf:
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
BASE dc=example,dc=fr
URI ldap://example.fr
sudoers_base ou=SUDOers,dc=example,dc=fr
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
# TLS certificates (needed for GnuTLS)
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
Did I miss something?
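As an added example that is not part of the original question: a small Python lint for two sudoRole schema mistakes that sudoers.ldap(5) documents and that make rules silently fail to match. sudoUser, sudoHost and sudoRunAs* are multi-valued attributes, one principal per value, so an LDAP filter such as (sudoUser=user1) never matches a single value "user1,user2"; and the cn=defaults entry is read only for its sudoOption values, so sudoCommand or sudoUser placed there grant nothing. The two LDIF samples are constructed for this example: the first mirrors the entries in the question, the second shows the same intent laid out with one value per line and a dedicated sudoRole for the group (the cn=group1_ops name and the shortened command list are assumptions, not anything from the original post).

```python
"""Lint sudoRole LDIF for value-layout mistakes that make rules never match.

Added example, not code from the original question. The interpretation follows
sudoers.ldap(5): principal attributes are multi-valued (one value per name),
and sudo reads only sudoOption from the cn=defaults entry.
"""
import base64
import re
from typing import Dict, List, Tuple

Entry = Dict[str, List[str]]  # attribute name (lower-cased) -> list of values

# Principal-type attributes: one user/host/group per value, never a comma list.
PRINCIPAL_ATTRS = {"sudouser", "sudohost", "sudorunasuser", "sudorunasgroup"}

# Constructed sample mirroring the question's sudo.ldif (with proper entry separation).
SAMPLE_LDIF = """\
dn: cn=admins,ou=SUDOers,dc=example,dc=fr
objectClass: top
objectClass: sudoRole
cn: admins
sudoCommand: ALL
sudoHost: ALL
sudoRunAsUser: ALL
sudoUser: user1,user2

dn: cn=defaults,ou=SUDOers,dc=example,dc=fr
objectClass: top
objectClass: sudoRole
cn: defaults
sudoOption: env_keep+=SSH_AUTH_SOCK
sudoOption: pwfeedback
sudoCommand: /sbin/shutdown
sudoCommand: /sbin/reboot
sudoUser: %group1
"""

# Constructed corrected layout: defaults carry options only, one sudoUser per line,
# and the group's command list lives in its own sudoRole (cn=group1_ops is an assumed name).
FIXED_LDIF = """\
dn: cn=defaults,ou=SUDOers,dc=example,dc=fr
objectClass: top
objectClass: sudoRole
cn: defaults
sudoOption: env_keep+=SSH_AUTH_SOCK
sudoOption: pwfeedback

dn: cn=admins,ou=SUDOers,dc=example,dc=fr
objectClass: top
objectClass: sudoRole
cn: admins
sudoUser: user1
sudoUser: user2
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL

dn: cn=group1_ops,ou=SUDOers,dc=example,dc=fr
objectClass: top
objectClass: sudoRole
cn: group1_ops
sudoUser: %group1
sudoHost: ALL
sudoCommand: /sbin/shutdown
sudoCommand: /sbin/reboot
"""


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: blank line separates entries, a leading space folds a
    continuation line, 'attr:: value' carries a base64 value (as slapcat emits)."""
    entries: List[Entry] = []
    for block in re.split(r"\n[ \t]*\n", text.strip()):
        block = re.sub(r"\n ", "", block)  # unfold continuation lines
        entry: Entry = {}
        for line in block.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            attr, _, value = line.partition(":")
            if value.startswith(":"):
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            else:
                value = value.strip()
            entry.setdefault(attr.strip().lower(), []).append(value)
        if entry:
            entries.append(entry)
    return entries


def lint_sudo_roles(text: str) -> List[Tuple[str, str]]:
    """Return (dn, problem) pairs for every sudoRole that cannot work as written."""
    findings: List[Tuple[str, str]] = []
    for entry in parse_ldif(text):
        dn = entry.get("dn", ["<no dn>"])[0]
        if "sudorole" not in {v.lower() for v in entry.get("objectclass", [])}:
            continue
        # A comma-joined principal list is one opaque value; exact-match filters never hit it.
        for attr in sorted(PRINCIPAL_ATTRS & entry.keys()):
            for value in entry[attr]:
                if "," in value:
                    findings.append((dn, f"{attr}={value!r} is a comma-joined list; "
                                         f"write one {attr} line per name"))
        # Only sudoOption is consulted in cn=defaults; other sudo* attributes are dead weight.
        if entry.get("cn", [""])[0].lower() == "defaults":
            for attr in sorted(a for a in entry if a.startswith("sudo") and a != "sudooption"):
                findings.append((dn, f"{attr} in cn=defaults is ignored; "
                                     "move the rule to its own sudoRole"))
    return findings


if __name__ == "__main__":
    for label, ldif in (("as posted", SAMPLE_LDIF), ("corrected", FIXED_LDIF)):
        print(f"== {label}: {len(lint_sudo_roles(ldif))} finding(s)")
        for dn, problem in lint_sudo_roles(ldif):
            print(f"  {dn}: {problem}")
```

Two things worth checking on a client once the directory entries are changed: with `sudoers: sss` in nsswitch.conf, sudo takes its rules from sssd, so sudo-ldap.conf is not on the path being exercised, and sssd keeps the old rules until its next smart refresh; `sss_cache -E` as root invalidates the cache, after which `sudo -l -U user1` shows exactly which rules sssd hands to sudo for that user.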