Bindu G wrote:
Hello All,
ldapsearch output as follows:
|# LDAPAdministrator1, Groups, cee, nsn dn: cn=LDAPAdministrator1,ou=Groups,ou=cee,o=nsn member: uid=bindu1,ou=People,ou=cee,o=nsn member: uid=bindu2,ou=People,ou=cee,o=nsn objectClass: top objectClass: groupofnames objectClass: posixGroup objectClass: nsMemberOf cn: LDAPAdministrator1 gidNumber: 1520 # %LDAPAdministrator1, Groups, cee, nsn dn: cn=%LDAPAdministrator1,ou=Groups,ou=cee,o=nsn cn: %LDAPAdministrator1 objectClass: top objectClass: sudoRole sudoHost: ALL sudoCommand: ALL sudoOption: !authenticate sudoRunAsUser: ALL sudoUser: %LDAPAdministrator1 |
/etc/sssd/sssd.conf
|[nss] enum_cache_timeout = 30 filter_users = root filter_groups = root reconnection_retries = 3 memcache_timeout = 3600 [pam] offline_credentials_expiration = 3 offline_failed_login_attempts = 5 [sudo] debug_level = 9 [ssh] [domain/cee] debug_level = 9 full_name_format = %1$s min_id = 1500 max_id = 41999 enumerate = true cache_credentials = true account_cache_expiration = 5 id_provider = ldap auth_provider = ldap access_provider = ldap chpass_provider = ldap ldap_uri = ldap://lcm-int-vip ldap_tls_reqcert = demand ldap_tls_cacert = /var/lib/pki/endpoints/sssd/cacert/infrastructure-chain.pem ldap_id_use_start_tls = true ldap_enumeration_refresh_timeout = 10 ldap_purge_cache_timeout = 60 entry_cache_timeout = 600 ldap_network_timeout = 2 ldap_user_search_base = ou=People,ou=cee,o=nsn ldap_schema = rfc2307bis ldap_default_bind_dn = uid=sssdadmin_infra,ou=ServiceUsers,ou=cee,o=nsn ldap_default_authtok_type = password ldap_default_authtok = IPgqe9ihhWUXWUeVo2bp3caiZ4HUzP4VdZI6KvKo ldap_user_object_class = posixAccount ldap_user_name = uid ldap_user_uid_number = uidNumber ldap_user_gid_number = gidNumber ldap_user_gecos = description ldap_user_home_directory = homeDirectory ldap_user_shell = loginShell ldap_ns_account_lock = nsAccountLock ldap_user_ssh_public_key = sshPublicKey ldap_group_object_class = posixGroup ldap_group_name = cn ldap_group_gid_number = gidNumber ldap_group_member = member ldap_pwd_policy = none ldap_account_expire_policy = 389ds ldap_access_order = filter, expire ldap_access_filter = (|(memberOf=cn=group1,ou=groups,ou=cee,o=nsn)(memberOf=cn=LDAPAdministrator1,ou=Groups,ou=cee,o=nsn)) sudo_provider = ldap ldap_sudo_search_base = cn=%LDAPAdministrator1,ou=Groups,ou=cee,o=nsn ||
when I try to run sudo su command it’s prompting for password and in the logs I can see
(2024-01-19 15:32:59): [sudo] [cache_req_done] (0x0400): CR #13: Finished: Success (2024-01-19 15:32:59): [sudo] [sysdb_get_sudo_user_info] (0x0400): Original name: bindu2@cee (2024-01-19 15:32:59): [sudo] [sysdb_get_sudo_user_info] (0x0400): Cased name: bindu2@cee (2024-01-19 15:32:59): [sudo] [sudosrv_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(dataExpireTimestamp<=1705674779)(|(name=defaults)(sudoUser=ALL)(sudoUser=bindu2@cee)(sudoUser=#1602)(sudoUser=%LDAPAdministrator1@cee)(sudoUser=%LDAP\20Users@cee)(sudoUser=+/)))] (2024-01-19 15:32:59): [sudo] [sudosrv_refresh_rules_send] (0x0400): No expired rules were found for [bindu2@cee@cee]. (2024-01-19 15:32:59): [sudo] [sudosrv_fetch_rules] (0x0400): Retrieving rules for [bindu2@cee@cee] (2024-01-19 15:32:59): [sudo] [sudosrv_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=bindu2@cee)(sudoUser=#1602)(sudoUser=%LDAPAdministrator1@cee)(sudoUser=%LDAP\20Users@cee)))] (2024-01-19 15:32:59): [sudo] [sudosrv_cached_rules_by_user] (0x0400): Replacing sudoUser attribute with sudoUser: #1602 (2024-01-19 15:32:59): [sudo] [sudosrv_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(sudoUser=+/)(!(|(sudoUser=ALL)(sudoUser=bindu2@cee)(sudoUser=#1602)(sudoUser=%LDAPAdministrator1@cee)(sudoUser=%LDAP\20Users@cee))))] (2024-01-19 15:32:59): [sudo] [sudosrv_fetch_rules] (0x0400): Returning 0 rules for [bindu2@cee@cee] (2024-01-19 15:32:59): [sudo] [sudosrv_build_response] (0x2000): error: [0] (2024-01-19 15:32:59): [sudo] [sudosrv_build_response] (0x2000): rules_num: [0]
Any help is highly appreciated.
IMHO you're better off asking the SSSD users list. That is the software doing the querying, etc.
It looks like you posted an incomplete sssd.conf though. I'd have expected an [sssd] section which contained which services sssd was handling.
Your search base is also likely wrong. You don't want to point it at a specific entry.
rob