Re: [SSSD-users] sssd_sudo receives 0 rules but ldap search returns 5, what is wrong?

Thu, 10 Jul 2014 03:21:13 -0700 

On 09/07/14 19:00, Rich Megginson wrote:
re: https://lists.fedorahosted.org/pipermail/sssd-users/2014-July/001891.html 
<snip>

OK, I take back all that I said over on the samba list, sssd does not
pull the sudo rules from AD

I have just spent two hours trying to get sssd to get the sudo rules
from AD on my netbook that I have just installed Linux Mint mate 17 on,
to no effect.
after upping sssd debug to 9, I found this search in sssd_example.com.log:
(&(objectClass=sudoRole)(|(!(sudoHost=*))(sudoHost=ALL)(sudoHost=netbook)(sudoHost=netbook.example.com)(sudoHost=192.168.0.229)(sudoHost=192.168.0.0/24)(sudoHost=fe80::1e4b:d6ff:fec0:e307)(sudoHost=fe80::/64)(sudoHost=+*)(|(sudoHost=*?*)(sudoHost=*\**)(sudoHost=*[*]*)))) 

If I try to search with this via ldbsearch, it does not work, all I get
is this:

allocating request failed: Unable to parse search expression

If I remove one small part, it does work and displays the sudo roles

So, what does this do?

(sudoHost=*\**)
I'm not sure what this search is supposed to do. What is the intention of this? If it is to search for any sudoHost value with a literal asterisk "*" character in it, then the search filter syntax is wrong. According to http://tools.ietf.org/html/rfc4515, if you want to use a "*" in a search filter, it must be escaped like this: \2A, so the search filter would be (sudoHost=*\2A*) 



because I can only get the search to work without it

Rowland


_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
OK, I have done a bit more investigation and I am now of the the opinion that it is a permissions problem. 

If I do this ldapsearch on the client:
ldapsearch -h dc1 -Y GSSAPI -b ou=Sudoers,dc=example,dc=com '(&(objectClass=sudoRole)(|(!(sudoHost=*))(sudoHost=ALL)(sudoHost=netbook)(sudoHost=netbook.example.com)(sudoHost=192.168.0.229)(sudoHost=192.168.0.0/24)(sudoHost=fe80::1e4b:d6ff:fec0:e307)(sudoHost=fe80::/64)(sudoHost=+*)(|(sudoHost=*?*)(sudoHost=*\**)(sudoHost=*[*]*))))' 

I get this response:

SASL/GSSAPI authentication started
SASL username: NETBOOK$@EXAMPLE.COM
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <ou=Sudoers,dc=example,dc=com> with scope subtree
# filter: (&(objectClass=sudoRole)(|(!(sudoHost=*))(sudoHost=ALL)(sudoHost=netbook)(sudoHost=netbook.example.com)(sudoHost=192.168.0.229)(sudoHost=192.168.0.0/24)(sudoHost=fe80::1e4b:d6ff:fec0:e307)(sudoHost=fe80::/64)(sudoHost=+*)(|(sudoHost=*?*)(sudoHost=*\**)(sudoHost=*[*]*)))) 
# requesting: ALL
#

# search result
search: 4
result: 0 Success

# numResponses: 1

But, if I do the ldapsearch this way:
ldapsearch -x -h dc1 -b ou=Sudoers,dc=example,dc=com -D cn=Administrator,cn=Users,dc=example,dc=com -w xxxxxxxx '(&(objectClass=sudoRole)(|(!(sudoHost=*))(sudoHost=ALL)(sudoHost=netbook)(sudoHost=netbook.example.com)(sudoHost=192.168.0.229)(sudoHost=192.168.0.0/24)(sudoHost=fe80::1e4b:d6ff:fec0:e307)(sudoHost=fe80::/64)(sudoHost=+*)(|(sudoHost=*?*)(sudoHost=*\**)(sudoHost=*[*]*))))' 

I get this response:

# extended LDIF
#
# LDAPv3
# base <ou=Sudoers,dc=example,dc=com> with scope subtree
# filter: (&(objectClass=sudoRole)(|(!(sudoHost=*))(sudoHost=ALL)(sudoHost=netbook)(sudoHost=netbook.example.com)(sudoHost=192.168.0.229)(sudoHost=192.168.0.0/24)(sudoHost=fe80::1e4b:d6ff:fec0:e307)(sudoHost=fe80::/64)(sudoHost=+*)(|(sudoHost=*?*)(sudoHost=*\**)(sudoHost=*[*]*)))) 
# requesting: ALL
#

# defaults, SUDOers, example.com
dn: CN=defaults,OU=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOptions go here
instanceType: 4
whenCreated: 20140703100647.0Z
uSNCreated: 7410
name: defaults
objectGUID:: CFeHJYb9kUSpz1xbrqnrOA==
objectCategory: CN=sudoRole,CN=Schema,CN=Configuration,dc=example,dc=com
sudoOption: env_reset
sudoOption: mail_badpass
sudoOption: secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sb 
 in:/bin"
sudoHost: ALL
whenChanged: 20140710085142.0Z
uSNChanged: 8889
distinguishedName: CN=defaults,OU=SUDOers,dc=example,dc=com

# rowland, SUDOers, example.com
dn: CN=rowland,OU=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: rowland
instanceType: 4
whenCreated: 20140703100648.0Z
uSNCreated: 7412
name: rowland
objectGUID:: KSCH09FZ4kmM9WIV1qxAPg==
objectCategory: CN=sudoRole,CN=Schema,CN=Configuration,dc=example,dc=com
sudoUser: rowland
sudoCommand: ALL
sudoHost: ALL
whenChanged: 20140710085009.0Z
uSNChanged: 8887
distinguishedName: CN=rowland,OU=SUDOers,dc=example,dc=com

# %sudo, SUDOers, example.com
dn: CN=%sudo,OU=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: %sudo
instanceType: 4
whenCreated: 20140703100647.0Z
uSNCreated: 7411
name: %sudo
objectGUID:: 0k5Y1dUTjEG0M2UcUJww8g==
objectCategory: CN=sudoRole,CN=Schema,CN=Configuration,dc=example,dc=com
sudoUser: %sudo
sudoCommand: ALL
sudoHost: ALL
whenChanged: 20140710085009.0Z
uSNChanged: 8888
distinguishedName: CN=%sudo,OU=SUDOers,dc=example,dc=com

# search result
search: 2
result: 0 Success

# numResponses: 4
# numEntries: 3


Any suggest to what I check next??

Rowland
_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users

Reply via email to