Hello All,
The ldapsearch output is as follows:
# LDAPAdministrator1, Groups, cee, nsn
dn: cn=LDAPAdministrator1,ou=Groups,ou=cee,o=nsn
member: uid=bindu1,ou=People,ou=cee,o=nsn
member: uid=bindu2,ou=People,ou=cee,o=nsn
objectClass: top
objectClass: groupofnames
objectClass: posixGroup
objectClass: nsMemberOf
cn: LDAPAdministrator1
gidNumber: 1520

# %LDAPAdministrator1, Groups, cee, nsn
dn: cn=%LDAPAdministrator1,ou=Groups,ou=cee,o=nsn
cn: %LDAPAdministrator1
objectClass: top
objectClass: sudoRole
sudoHost: ALL
sudoCommand: ALL
sudoOption: !authenticate
sudoRunAsUser: ALL
sudoUser: %LDAPAdministrator1
/etc/sssd/sssd.conf:
[nss]
enum_cache_timeout = 30
filter_users = root
filter_groups = root
reconnection_retries = 3
memcache_timeout = 3600

[pam]
offline_credentials_expiration = 3
offline_failed_login_attempts = 5

[sudo]
debug_level = 9

[ssh]

[domain/cee]
debug_level = 9
full_name_format = %1$s
min_id = 1500
max_id = 41999
enumerate = true
cache_credentials = true
account_cache_expiration = 5
id_provider = ldap
auth_provider = ldap
access_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://lcm-int-vip
ldap_tls_reqcert = demand
ldap_tls_cacert = /var/lib/pki/endpoints/sssd/cacert/infrastructure-chain.pem
ldap_id_use_start_tls = true
ldap_enumeration_refresh_timeout = 10
ldap_purge_cache_timeout = 60
entry_cache_timeout = 600
ldap_network_timeout = 2
ldap_user_search_base = ou=People,ou=cee,o=nsn
ldap_schema = rfc2307bis
ldap_default_bind_dn = uid=sssdadmin_infra,ou=ServiceUsers,ou=cee,o=nsn
ldap_default_authtok_type = password
ldap_default_authtok = IPgqe9ihhWUXWUeVo2bp3caiZ4HUzP4VdZI6KvKo
ldap_user_object_class = posixAccount
ldap_user_name = uid
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_user_gecos = description
ldap_user_home_directory = homeDirectory
ldap_user_shell = loginShell
ldap_ns_account_lock = nsAccountLock
ldap_user_ssh_public_key = sshPublicKey
ldap_group_object_class = posixGroup
ldap_group_name = cn
ldap_group_gid_number = gidNumber
ldap_group_member = member
ldap_pwd_policy = none
ldap_account_expire_policy = 389ds
ldap_access_order = filter, expire
ldap_access_filter = (|(memberOf=cn=group1,ou=groups,ou=cee,o=nsn)(memberOf=cn=LDAPAdministrator1,ou=Groups,ou=cee,o=nsn))
sudo_provider = ldap
ldap_sudo_search_base = cn=%LDAPAdministrator1,ou=Groups,ou=cee,o=nsn
When I try to run the sudo su command it prompts for a password, and in the logs I can see:
(2024-01-19 15:32:59): [sudo] [cache_req_done] (0x0400): CR #13: Finished: Success
(2024-01-19 15:32:59): [sudo] [sysdb_get_sudo_user_info] (0x0400): Original name: bindu2@cee
(2024-01-19 15:32:59): [sudo] [sysdb_get_sudo_user_info] (0x0400): Cased name: bindu2@cee
(2024-01-19 15:32:59): [sudo] [sudosrv_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(dataExpireTimestamp<=1705674779)(|(name=defaults)(sudoUser=ALL)(sudoUser=bindu2@cee)(sudoUser=#1602)(sudoUser=%LDAPAdministrator1@cee)(sudoUser=%LDAP\20Users@cee)(sudoUser=+*)))]
(2024-01-19 15:32:59): [sudo] [sudosrv_refresh_rules_send] (0x0400): No expired rules were found for [bindu2@cee@cee].
(2024-01-19 15:32:59): [sudo] [sudosrv_fetch_rules] (0x0400): Retrieving rules for [bindu2@cee@cee]
(2024-01-19 15:32:59): [sudo] [sudosrv_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=bindu2@cee)(sudoUser=#1602)(sudoUser=%LDAPAdministrator1@cee)(sudoUser=%LDAP\20Users@cee)))]
(2024-01-19 15:32:59): [sudo] [sudosrv_cached_rules_by_user] (0x0400): Replacing sudoUser attribute with sudoUser: #1602
(2024-01-19 15:32:59): [sudo] [sudosrv_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(sudoUser=+*)(!(|(sudoUser=ALL)(sudoUser=bindu2@cee)(sudoUser=#1602)(sudoUser=%LDAPAdministrator1@cee)(sudoUser=%LDAP\20Users@cee))))]
(2024-01-19 15:32:59): [sudo] [sudosrv_fetch_rules] (0x0400): Returning 0 rules for [bindu2@cee@cee]
(2024-01-19 15:32:59): [sudo] [sudosrv_build_response] (0x2000): error: [0]
(2024-01-19 15:32:59): [sudo] [sudosrv_build_response] (0x2000): rules_num: [0]
Any help is highly appreciated. Thanks, Bindu
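An added diagnostic, not part of the post above and not SSSD's own code: a small Python script that cross-checks the ldapsearch entries against the sudo settings from sssd.conf the way a defender would before touching the configuration. It parses blank-line-separated LDIF (the shape of the ldapsearch output above, here re-typed as constructed sample data), works out which groups a user DN is a member of, lists the sudoRole entries that lie within a given ldap_sudo_search_base and name that user or one of their groups, and separately flags every rule that grants any command as any user with !authenticate, since such a rule is root without a password and should be reviewed first. It also pulls the rule count out of a sudosrv_fetch_rules log line like the one in the post. The option name ldap_sudo_search_base and the subtree scope are what SSSD documents; the function names and the sample data are hypothetical.

```python
"""Cross-check SSSD sudo-over-LDAP settings against ldapsearch output.

Hypothetical diagnostic (not part of the original post or of SSSD).
"""
import re

# Constructed sample input, copied in shape from the post's ldapsearch output.
LDIF = """\
dn: cn=LDAPAdministrator1,ou=Groups,ou=cee,o=nsn
member: uid=bindu1,ou=People,ou=cee,o=nsn
member: uid=bindu2,ou=People,ou=cee,o=nsn
objectClass: top
objectClass: groupofnames
objectClass: posixGroup
cn: LDAPAdministrator1
gidNumber: 1520

dn: cn=%LDAPAdministrator1,ou=Groups,ou=cee,o=nsn
cn: %LDAPAdministrator1
objectClass: top
objectClass: sudoRole
sudoHost: ALL
sudoCommand: ALL
sudoOption: !authenticate
sudoRunAsUser: ALL
sudoUser: %LDAPAdministrator1
"""

# Constructed log line in the shape of the post's sssd_sudo debug output.
LOG_LINE = ("(2024-01-19 15:32:59): [sudo] [sudosrv_fetch_rules] (0x0400): "
            "Returning 0 rules for [bindu2@cee@cee]")


def parse_ldif(text):
    """Return one {attribute: [values]} dict per blank-line-separated entry."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue  # skip ldapsearch comment lines
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip(), []).append(value.strip())
        entries.append(entry)
    return entries


def normalize_dn(dn):
    """Lower-case and strip spaces after commas so DNs compare reliably."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def under_base(dn, base):
    """True if dn equals base or lies beneath it (SSSD's default subtree scope)."""
    dn, base = normalize_dn(dn), normalize_dn(base)
    return dn == base or dn.endswith("," + base)


def user_groups(entries, user_dn):
    """cn of every non-sudoRole entry whose member attribute lists user_dn."""
    user_dn = normalize_dn(user_dn)
    return {
        e["cn"][0]
        for e in entries
        if "sudoRole" not in e.get("objectClass", [])
        and any(normalize_dn(m) == user_dn for m in e.get("member", []))
    }


def applicable_rules(entries, user_dn, uid, search_base):
    """sudoRole entries inside search_base whose sudoUser names uid, ALL, or one of uid's groups."""
    groups = user_groups(entries, user_dn)
    rules = []
    for e in entries:
        if "sudoRole" not in e.get("objectClass", []):
            continue
        if not under_base(e["dn"][0], search_base):
            continue  # SSSD would never fetch this rule with that search base
        for su in e.get("sudoUser", []):
            if su == "ALL" or su == uid or (su.startswith("%") and su[1:] in groups):
                rules.append(e["cn"][0])
                break
    return rules


def passwordless_root_rules(entries):
    """Rules that run ALL commands with !authenticate: root without a password, review first."""
    return [
        e["cn"][0]
        for e in entries
        if "sudoRole" in e.get("objectClass", [])
        and "ALL" in e.get("sudoCommand", [])
        and "!authenticate" in e.get("sudoOption", [])
    ]


def rules_returned(log_line):
    """(count, user) from a sudosrv_fetch_rules 'Returning N rules' line, or None."""
    m = re.search(r"Returning (\d+) rules for \[([^\]]+)\]", log_line)
    return (int(m.group(1)), m.group(2)) if m else None


if __name__ == "__main__":
    entries = parse_ldif(LDIF)
    user_dn, uid = "uid=bindu2,ou=People,ou=cee,o=nsn", "bindu2"
    for base in ("ou=Groups,ou=cee,o=nsn", "ou=People,ou=cee,o=nsn"):
        print(base, "->", applicable_rules(entries, user_dn, uid, base))
    print("passwordless root rules:", passwordless_root_rules(entries))
    print("sssd reported:", rules_returned(LOG_LINE))
```

Run it against real ldapsearch output by replacing LDIF with the file contents; a rule that shows up in applicable_rules for the intended search base but not in the SSSD log points at the fetch side (bind account, search base, or cache), while a rule that never shows up in applicable_rules points at the directory data itself.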