Yup. Let it be known that troubleshooting my issue was causing my issue.

[image: troubleshooting my troubleshooting.jpg]

Thanks, Roland. Should we ever meet, I owe you a drink.

-noid

Crypto: https://keybase.io/noid
None are more hopelessly enslaved than those who falsely believe they are free - Goethe
--

On Tue, Feb 4, 2020 at 10:20 PM Roland Gruber <p...@rolandgruber.de> wrote:

> Hi Dave,
>
> looks like sudo prints a lot of debug output. This will confuse LAM as the
> result message is not found then.
> So first step would be to disable the debug output.
>
> If it still does not work please check syslog for any messages from
> lamdaemon.
>
> Also check LAM's own log messages. Here setting debug log level is fine:
>
> https://www.ldap-account-manager.org/static/doc/manual/ch03.html#conf_logging
>
> Best regards
> Roland
>
> On 5 February 2020 01:12:13 CET, Dave Null <noi...@gmail.com> wrote:
>>
>> Folks,
>>
>> I'm new to LAM and have spent days trying to troubleshoot an issue. I'm
>> out of options at this point so I'm posting here.
>>
>> My rootDN user is named 'admin'. The host running OpenLDAP and LAM is
>> called "ns1". I am doing my testing all on the same box. For clarity, I am
>> running Ubuntu 18.04. I have LAM set up to execute tests as the logged-in
>> user (user "admin"). When I run the lamdaemon test I get told:
>>
>> Lamdaemon server and path - OK
>> Unix account - OK
>> SSH connection - OK
>> Execute lamdaemon - Fail
>>
>> However, when I start digging through the logs, it looks like the
>> lamdaemon.pl script is being executed. So I am unsure where to go from
>> here. I'm sure there's something dumb that I'm missing since I've been
>> staring at the same things for days. I'm hoping a fresh set of eyes might
>> see what's going on here.
>>
>> First, here's the setup of my admin user. Note the posixAccount and
>> uidObject settings.
>>
>> --admin entity--
>> # Entry 1: cn=admin,dc=mydomain,dc=com
>> dn: cn=admin,dc=mydomain,dc=com
>> cn: admin
>> description: LDAP administrator
>> gidnumber: 1005
>> homedirectory: /home/admin
>> loginshell: /bin/bash
>> objectclass: simpleSecurityObject
>> objectclass: organizationalRole
>> objectclass: posixAccount
>> objectclass: uidObject
>> uid: admin
>> uidnumber: 1005
>> userpassword: {SSHA}
>>
>> If I run 'id' it shows the correct groups:
>> --id--
>> admin@ns1:~$ id
>> uid=1005(admin) gid=1005(admin) groups=1005(admin),4(adm)
>>
>> If I run sudo -l everything looks good:
>> --sudo -l--
>> admin@ns1:~$ sudo -l
>> sudo: LDAP Config Summary
>> sudo: ===================
>> sudo: uri                    ldaps://ns1.mydomain.com ldap://ns1.mydomain.com:636
>> sudo: ldap_version           3
>> sudo: sudoers_base           ou=SUDOers,dc=mydomain,dc=com
>> sudo: search_filter          (objectClass=sudoRole)
>> sudo: netgroup_base          (NONE: will use nsswitch)
>> sudo: netgroup_search_filter (objectClass=nisNetgroup)
>> sudo: binddn                 (anonymous)
>> sudo: bindpw                 (anonymous)
>> sudo: ssl                    (no)
>> sudo: tls_cacertfile         /etc/ssl/certs/mydomain_ca_server.pem
>> sudo: ===================
>> sudo: ldap_set_option: debug -> 0
>> sudo: ldap_set_option: tls_cacertfile -> /etc/ssl/certs/mydomain_ca_server.pem
>> sudo: ldap_set_option: tls_cacert -> /etc/ssl/certs/mydomain_ca_server.pem
>> sudo: ldap_set_option: ldap_version -> 3
>> sudo: ldap_sasl_bind_s() ok
>> sudo: Looking for cn=defaults: (&(objectClass=sudoRole)(cn=defaults))
>> sudo: found:cn=defaults,ou=SUDOers,dc=mydomain,dc=com
>> sudo: ldap search '(&(objectClass=sudoRole)(|(sudoUser=admin)(sudoUser=%admin)(sudoUser=%#1005)(sudoUser=%adm)(sudoUser=%#4)(sudoUser=ALL)))'
>> sudo: searching from base 'ou=SUDOers,dc=mydomain,dc=com'
>> sudo: adding search result
>> sudo: result now has 1 entries
>> sudo: ldap search '(&(objectClass=sudoRole)(sudoUser=*)(sudoUser=+*))'
>> sudo: searching from base 'ou=SUDOers,dc=mydomain,dc=com'
>> sudo: adding search result
>> sudo: result now has 1 entries
>> sudo: sorting remaining 1 entries
>> sudo: perform search for pwflag 54
>> sudo: done with LDAP searches
>> sudo: user_matches=true
>> sudo: host_matches=true
>> sudo: sudo_ldap_lookup(54)=0x882
>> sudo: ldap search for command list
>> sudo: reusing previous result (user admin) with 1 entries
>> Matching Defaults entries for admin on ns1:
>>     ignore_dot, !mail_no_user, log_host, logfile=/var/log/sudo.log,
>>     ignore_local_sudoers
>>
>> User admin may run the following commands on ns1:
>>     (ALL : ALL) NOPASSWD: /var/www/html/lam/lib/lamdaemon.pl *
>>
>> If I run the test command from the command line, it works and reports
>> back as OK:
>> --Run from Command Line--
>> admin@ns1:~$ sudo /var/www/html/lam/lib/lamdaemon.pl +###x##y##x###test###x##y##x###basic
>> sudo: LDAP Config Summary
>> sudo: ===================
>> sudo: uri                    ldaps://ns1.mydomain.com ldap://ns1.mydomain.com:636
>> sudo: ldap_version           3
>> sudo: sudoers_base           ou=SUDOers,dc=mydomain,dc=com
>> sudo: search_filter          (objectClass=sudoRole)
>> sudo: netgroup_base          (NONE: will use nsswitch)
>> sudo: netgroup_search_filter (objectClass=nisNetgroup)
>> sudo: binddn                 (anonymous)
>> sudo: bindpw                 (anonymous)
>> sudo: ssl                    (no)
>> sudo: tls_cacertfile         /etc/ssl/certs/mydomain_ca_server.pem
>> sudo: ===================
>> sudo: ldap_set_option: debug -> 0
>> sudo: ldap_set_option: tls_cacertfile -> /etc/ssl/certs/mydomain_ca_server.pem
>> sudo: ldap_set_option: tls_cacert -> /etc/ssl/certs/mydomain_ca_server.pem
>> sudo: ldap_set_option: ldap_version -> 3
>> sudo: ldap_sasl_bind_s() ok
>> sudo: Looking for cn=defaults: (&(objectClass=sudoRole)(cn=defaults))
>> sudo: found:cn=defaults,ou=SUDOers,dc=mydomain,dc=com
>> sudo: ldap search '(&(objectClass=sudoRole)(|(sudoUser=admin)(sudoUser=%admin)(sudoUser=%#1005)(sudoUser=%adm)(sudoUser=%#4)(sudoUser=ALL)))'
>> sudo: searching from base 'ou=SUDOers,dc=mydomain,dc=com'
>> sudo: adding search result
>> sudo: result now has 1 entries
>> sudo: ldap search '(&(objectClass=sudoRole)(sudoUser=*)(sudoUser=+*))'
>> sudo: searching from base 'ou=SUDOers,dc=mydomain,dc=com'
>> sudo: adding search result
>> sudo: result now has 1 entries
>> sudo: sorting remaining 1 entries
>> sudo: searching LDAP for sudoers entries
>> sudo: Command allowed
>> sudo: LDAP entry: 0x55cc47d673c0
>> sudo: done with LDAP searches
>> sudo: user_matches=true
>> sudo: host_matches=true
>> sudo: sudo_ldap_lookup(0)=0x02
>> sudo: removing reusable search result
>> INFO,Basic test ok
>>
>> Now if I run the lamdaemon.pl test from the web interface I still get:
>>
>> Lamdaemon server and path - OK
>> Unix account - OK
>> SSH connection - OK
>> Execute lamdaemon - Fail
>>
>> However, looking into the logs it looks like the command did, in fact,
>> execute:
>> --auth.log--
>> Feb  4 20:58:40 ns1 sshd[19619]: Accepted password for admin from 127.0.0.1 port 50110 ssh2
>> Feb  4 20:58:40 ns1 sshd[19619]: pam_unix(sshd:session): session opened for user admin by (uid=0)
>> Feb  4 20:58:40 ns1 systemd-logind[9542]: New session 1735 of user admin.
>> Feb  4 20:58:40 ns1 systemd: pam_unix(systemd-user:session): session opened for user admin by (uid=0)
>> Feb  4 20:58:40 ns1 sudo:    admin : TTY=unknown ; PWD=/home/admin ; USER=root ; COMMAND=/var/www/html/lam/lib/lamdaemon.pl +###x##y##x###test###x##y##x###basic
>> Feb  4 20:58:40 ns1 sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
>> Feb  4 20:58:40 ns1 sudo: pam_unix(sudo:session): session closed for user root
>> Feb  4 20:58:40 ns1 sshd[19713]: Received disconnect from 127.0.0.1 port 50110:11:
>> Feb  4 20:58:40 ns1 sshd[19713]: Disconnected from user admin 127.0.0.1 port 50110
>> Feb  4 20:58:40 ns1 sshd[19619]: pam_unix(sshd:session): session closed for user admin
>> Feb  4 20:58:40 ns1 systemd-logind[9542]: Removed session 1735.
>> Feb  4 20:58:40 ns1 systemd: pam_unix(systemd-user:session): session closed for user admin
>>
>> --sudo.log--
>> Feb  4 20:58:40 : admin : HOST=ns1 : TTY=unknown ; PWD=/home/admin ; USER=root ; COMMAND=/var/www/html/lam/lib/lamdaemon.pl +###x##y##x###test###x##y##x###basic
>>
>> So now I'm left wondering why, if 'admin' can execute the lamdaemon.pl from
>> the command line and it works, and it appears to work when I run it from
>> the test page, WHY am I still getting told that Lamdaemon failed to execute?
>>
>> I'm losing my mind here.
>>
>> -noid
>>
>> Crypto: https://keybase.io/noid
>> None are more hopelessly enslaved than those who falsely believe they are
>> free - Goethe
>> --

_______________________________________________
Lam-public mailing list
Lam-public@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lam-public
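The thread above shows the failure mode in full: lamdaemon.pl ran and printed its "INFO,Basic test ok" result, but sudo's LDAP debug trace ("sudo: LDAP Config Summary" and the lines after it) was printed around it, and LAM, which looks for the result message in the captured output, reported "Execute lamdaemon - Fail". The script below is an added example written for this page; it is not LAM's code and not sudo's. It reproduces the mismatch on constructed samples abridged from the posted trace, and it scans constructed config snippets for the settings that, as assumed here, switch that trace on: "Debug" lines in /etc/sudo.conf and "sudoers_debug" in sudo's ldap.conf (/etc/sudo-ldap.conf on Ubuntu). The post does not say which of the two was set on ns1; the script reads neither file, only the inline samples.

```shell
#!/bin/sh
# Added example, not LAM's or sudo's own code. A caller that expects a
# command's output to be exactly one result line fails when sudo's LDAP debug
# trace is printed in front of that line, even though the result line is there.

# Constructed sample: the lamdaemon test with sudo debugging on, abridged from
# the trace in the post (stdout and stderr merged, as a capturing caller sees it).
NOISY_OUTPUT='sudo: LDAP Config Summary
sudo: ===================
sudo: ldap_sasl_bind_s() ok
sudo: Command allowed
INFO,Basic test ok'

# Constructed sample: the same run with debugging off.
CLEAN_OUTPUT='INFO,Basic test ok'

# Constructed config snippets. Assumed syntax: "Debug" lines in /etc/sudo.conf
# and "sudoers_debug" in sudo's ldap.conf. The real files are not read here.
SUDO_CONF_SAMPLE='Plugin sudoers_policy sudoers.so
Debug sudo /var/log/sudo_debug all@debug
Debug sudoers.so /var/log/sudoers_debug all@debug'
LDAP_CONF_SAMPLE='uri ldaps://ns1.mydomain.com
sudoers_base ou=SUDOers,dc=mydomain,dc=com
sudoers_debug 2'

# count_unexpected_lines OUTPUT EXPECTED
# Prints how many lines of OUTPUT are not exactly EXPECTED. A strict caller
# that compares the whole output against EXPECTED fails whenever this is > 0.
count_unexpected_lines() {
    printf '%s\n' "$1" | grep -c -v -x -F -- "$2" || true
}

# result_line_present OUTPUT EXPECTED
# Exit 0 if EXPECTED occurs as a whole line anywhere in OUTPUT. The lenient
# check: it tolerates the debug chatter, but it also hides it from you.
result_line_present() {
    printf '%s\n' "$1" | grep -q -x -F -- "$2"
}

# strip_sudo_debug OUTPUT
# Prints OUTPUT without the "sudo: " trace lines, i.e. what the caller would
# have received with debugging off.
strip_sudo_debug() {
    printf '%s\n' "$1" | grep -v '^sudo: ' || true
}

# count_debug_settings CONFIG_TEXT
# Prints how many lines in CONFIG_TEXT switch on sudo debug output.
count_debug_settings() {
    printf '%s\n' "$1" \
        | grep -c -E '^[[:space:]]*(Debug[[:space:]]|sudoers_debug[[:space:]])' || true
}

EXPECTED='INFO,Basic test ok'
for name in NOISY_OUTPUT CLEAN_OUTPUT; do
    eval "out=\$$name"
    if result_line_present "$out" "$EXPECTED"; then present=yes; else present=no; fi
    printf '%s: result line present=%s, unexpected lines=%s\n' \
        "$name" "$present" "$(count_unexpected_lines "$out" "$EXPECTED")"
done
printf 'debug settings found: sudo.conf sample=%s, ldap.conf sample=%s\n' \
    "$(count_debug_settings "$SUDO_CONF_SAMPLE")" \
    "$(count_debug_settings "$LDAP_CONF_SAMPLE")"
```

On a live box the same functions apply to real captures: feed `count_unexpected_lines` the output of `sudo /var/www/html/lam/lib/lamdaemon.pl ... 2>&1` (run as the account LAM uses over SSH, so shell startup files and sudo's configuration are the same ones LAM hits), and feed `count_debug_settings` the contents of /etc/sudo.conf and /etc/sudo-ldap.conf. A non-zero unexpected-line count with the result line still present is exactly the situation in the post; a non-zero debug-setting count points at what to turn off first, as the reply suggests.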