Thanks for that info! We only entered the negated host as a test after it had 
already failed to work; we had checked the manual and seen that negated hosts 
were added in version 1.8.18. It also did not match anything even without a 
negated host in the list.

Regards,
Stefan

-----Ursprüngliche Nachricht-----
Von: Todd C. Miller [mailto:todd.mil...@courtesan.com] 
Gesendet: Dienstag, 8. November 2016 22:37
An: Stefan Maass <stefan.ma...@syniverse.com>
Cc: Dagobert Michelsen <d...@opencsw.org>; Sreejith Kuzhivayalil 
<sreejith.kuzhivaya...@syniverse.com>; sudo-us...@sudo.ws; 
users@lists.opencsw.org
Betreff: Re: [sudo-users] issue with sudo_ldap

There does appear to be a bug in the host matching where any hosts found after 
a negated host would fail to match.  I'm not sure that explains what you are 
seeing though.

I've committed a fix: https://www.sudo.ws/repos/sudo/rev/40cbd5790106
Below is the same diff based on 1.8.18p1 rather than trunk.

 - todd

diff -r abda86e3b777 plugins/sudoers/ldap.c
--- a/plugins/sudoers/ldap.c    Mon Oct 10 09:10:34 2016 -0600
+++ b/plugins/sudoers/ldap.c    Tue Nov 08 14:13:42 2016 -0700
@@ -721,20 +721,21 @@
 {
     struct berval **bv, **p;
     char *val;
-    bool ret = false;
-    bool foundbang = false;
+    int matched = UNSPEC;
     debug_decl(sudo_ldap_check_host, SUDOERS_DEBUG_LDAP)
 
     if (!entry)
-       debug_return_bool(ret);
+       debug_return_bool(false);
 
     /* get the values from the entry */
     bv = ldap_get_values_len(ld, entry, "sudoHost");
     if (bv == NULL)
-       debug_return_bool(ret);
+       debug_return_bool(false);
 
     /* walk through values */
-    for (p = bv; *p != NULL && !foundbang; p++) {
+    for (p = bv; *p != NULL && matched != false; p++) {
+       bool foundbang = false;
+
        val = (*p)->bv_val;
 
        if (*val == '!') {
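Review bot: The new loop condition in `for (p = bv; *p != NULL && matched != false; p++)` makes a negated match terminal: once a `!host` value matches, the walk stops and no later positive value can re-enable the rule, whereas a positive match keeps scanning so a later negated value still denies. That is the conservative reading, and it is sensible given that the order of a multi-valued LDAP attribute is not guaranteed, but nothing in the code states it, so a future reader may "optimize" the loop to break on the first positive match. A comment above the `for` such as `/* Keep walking after a positive match so a later negated value can still deny; a negated match is final. */` would pin the intent. The equivalent loop in the sssd.c hunk deserves the same comment. sudo_ldap_check_host's signature precedes this hunk and the `'!'` handling continues past its end.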
@@ -746,14 +747,17 @@
        if (strcmp(val, "ALL") == 0 || addr_matches(val) ||
            netgr_matches(val, user_runhost, user_srunhost,
            def_netgroup_tuple ? pw->pw_name : NULL) ||
-           hostname_matches(user_srunhost, user_runhost, val))
-           ret = !foundbang;
-       DPRINTF2("ldap sudoHost '%s' ... %s", val, ret ? "MATCH!" : "not");
+           hostname_matches(user_srunhost, user_runhost, val)) {
+
+           matched = foundbang ? false : true;
+       }
+       DPRINTF2("ldap sudoHost '%s' ... %s",
+           val, matched == true ? "MATCH!" : "not");
     }
 
     ldap_value_free_len(bv);   /* cleanup */
 
-    debug_return_bool(ret);
+    debug_return_bool(matched == true);
 }
 
 static int
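Review bot: The debug line `DPRINTF2("ldap sudoHost '%s' ... %s", val, matched == true ? "MATCH!" : "not")` now reports the running state rather than the result for this value, so every value walked after a positive match is logged as "MATCH!" even when it did not match, which is misleading when diagnosing exactly the kind of host-list problem this thread is about. Moving the DPRINTF2 inside the new braces and adding `else DPRINTF2("ldap sudoHost '%s' ... not", val);` restores the per-value meaning; `matched = foundbang ? false : true;` can also simply be `matched = !foundbang;`. The sudo_debug_printf in the last sssd.c hunk has the same issue. The if-condition begins at the top of this hunk and sudo_ldap_check_host ends within it.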
diff -r abda86e3b777 plugins/sudoers/sssd.c
--- a/plugins/sudoers/sssd.c    Mon Oct 10 09:10:34 2016 -0600
+++ b/plugins/sudoers/sssd.c    Tue Nov 08 14:13:42 2016 -0700
@@ -741,13 +741,12 @@
 sudo_sss_check_host(struct sudo_sss_handle *handle, struct sss_sudo_rule 
*rule)  {
     char **val_array, *val;
-    bool ret = false;
-    bool foundbang = false;
+    int matched = UNSPEC;
     int i;
     debug_decl(sudo_sss_check_host, SUDOERS_DEBUG_SSSD);
 
     if (rule == NULL)
-       debug_return_bool(ret);
+       debug_return_bool(false);
 
     /* get the values from the rule */
     switch (handle->fn_get_values(rule, "sudoHost", &val_array)) {
@@ -758,11 +757,13 @@
        debug_return_bool(false);
     default:
        sudo_debug_printf(SUDO_DEBUG_INFO, "handle->fn_get_values(sudoHost): != 
0");
-       debug_return_bool(ret);
+       debug_return_bool(false);
     }
 
     /* walk through values */
-    for (i = 0; val_array[i] != NULL && !foundbang; ++i) {
+    for (i = 0; val_array[i] != NULL && matched != false; ++i) {
+       bool foundbang = false;
+
        val = val_array[i];
        sudo_debug_printf(SUDO_DEBUG_DEBUG, "val[%d]=%s", i, val);
 
@@ -775,16 +776,18 @@
        if (strcmp(val, "ALL") == 0 || addr_matches(val) ||
            netgr_matches(val, handle->host, handle->shost,
            def_netgroup_tuple ? handle->pw->pw_name : NULL) ||
-           hostname_matches(handle->shost, handle->host, val))
-           ret = !foundbang;
+           hostname_matches(handle->shost, handle->host, val)) {
 
-       sudo_debug_printf(SUDO_DEBUG_INFO,
-           "sssd/ldap sudoHost '%s' ... %s", val, ret ? "MATCH!" : "not");
+           matched = foundbang ? false : true;
+       }
+
+       sudo_debug_printf(SUDO_DEBUG_INFO, "sssd/ldap sudoHost '%s' ... %s",
+           val, matched == true ? "MATCH!" : "not");
     }
 
     handle->fn_free_values(val_array);
 
-    debug_return_bool(ret);
+    debug_return_bool(matched == true);
 }
 
 /*
