Bindu G wrote:
Hello All,
ldapsearch output as follows:

# LDAPAdministrator1, Groups, cee, nsn
dn: cn=LDAPAdministrator1,ou=Groups,ou=cee,o=nsn
member: uid=bindu1,ou=People,ou=cee,o=nsn
member: uid=bindu2,ou=People,ou=cee,o=nsn
objectClass: top
objectClass: groupofnames
objectClass: posixGroup
objectClass: nsMemberOf
cn: LDAPAdministrator1
gidNumber: 1520

# %LDAPAdministrator1, Groups, cee, nsn
dn: cn=%LDAPAdministrator1,ou=Groups,ou=cee,o=nsn
cn: %LDAPAdministrator1
objectClass: top
objectClass: sudoRole
sudoHost: ALL
sudoCommand: ALL
sudoOption: !authenticate
sudoRunAsUser: ALL
sudoUser: %LDAPAdministrator1
/etc/sssd/sssd.conf:

[nss]
enum_cache_timeout = 30
filter_users = root
filter_groups = root
reconnection_retries = 3
memcache_timeout = 3600

[pam]
offline_credentials_expiration = 3
offline_failed_login_attempts = 5

[sudo]
debug_level = 9

[ssh]

[domain/cee]
debug_level = 9
full_name_format = %1$s
min_id = 1500
max_id = 41999
enumerate = true
cache_credentials = true
account_cache_expiration = 5
id_provider = ldap
auth_provider = ldap
access_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://lcm-int-vip
ldap_tls_reqcert = demand
ldap_tls_cacert = /var/lib/pki/endpoints/sssd/cacert/infrastructure-chain.pem
ldap_id_use_start_tls = true
ldap_enumeration_refresh_timeout = 10
ldap_purge_cache_timeout = 60
entry_cache_timeout = 600
ldap_network_timeout = 2
ldap_user_search_base = ou=People,ou=cee,o=nsn
ldap_schema = rfc2307bis
ldap_default_bind_dn = uid=sssdadmin_infra,ou=ServiceUsers,ou=cee,o=nsn
ldap_default_authtok_type = password
ldap_default_authtok = IPgqe9ihhWUXWUeVo2bp3caiZ4HUzP4VdZI6KvKo
ldap_user_object_class = posixAccount
ldap_user_name = uid
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_user_gecos = description
ldap_user_home_directory = homeDirectory
ldap_user_shell = loginShell
ldap_ns_account_lock = nsAccountLock
ldap_user_ssh_public_key = sshPublicKey
ldap_group_object_class = posixGroup
ldap_group_name = cn
ldap_group_gid_number = gidNumber
ldap_group_member = member
ldap_pwd_policy = none
ldap_account_expire_policy = 389ds
ldap_access_order = filter, expire
ldap_access_filter = (|(memberOf=cn=group1,ou=groups,ou=cee,o=nsn)(memberOf=cn=LDAPAdministrator1,ou=Groups,ou=cee,o=nsn))
sudo_provider = ldap
ldap_sudo_search_base = cn=%LDAPAdministrator1,ou=Groups,ou=cee,o=nsn
When I try to run the sudo su command it's prompting for a password, and in the
logs I can see:
(2024-01-19 15:32:59): [sudo] [cache_req_done] (0x0400): CR #13: Finished: Success
(2024-01-19 15:32:59): [sudo] [sysdb_get_sudo_user_info] (0x0400): Original name: bindu2@cee
(2024-01-19 15:32:59): [sudo] [sysdb_get_sudo_user_info] (0x0400): Cased name: bindu2@cee
(2024-01-19 15:32:59): [sudo] [sudosrv_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(dataExpireTimestamp<=1705674779)(|(name=defaults)(sudoUser=ALL)(sudoUser=bindu2@cee)(sudoUser=#1602)(sudoUser=%LDAPAdministrator1@cee)(sudoUser=%LDAP\20Users@cee)(sudoUser=+/)))]
(2024-01-19 15:32:59): [sudo] [sudosrv_refresh_rules_send] (0x0400): No expired rules were found for [bindu2@cee@cee].
(2024-01-19 15:32:59): [sudo] [sudosrv_fetch_rules] (0x0400): Retrieving rules for [bindu2@cee@cee]
(2024-01-19 15:32:59): [sudo] [sudosrv_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=bindu2@cee)(sudoUser=#1602)(sudoUser=%LDAPAdministrator1@cee)(sudoUser=%LDAP\20Users@cee)))]
(2024-01-19 15:32:59): [sudo] [sudosrv_cached_rules_by_user] (0x0400): Replacing sudoUser attribute with sudoUser: #1602
(2024-01-19 15:32:59): [sudo] [sudosrv_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(sudoUser=+/)(!(|(sudoUser=ALL)(sudoUser=bindu2@cee)(sudoUser=#1602)(sudoUser=%LDAPAdministrator1@cee)(sudoUser=%LDAP\20Users@cee))))]
(2024-01-19 15:32:59): [sudo] [sudosrv_fetch_rules] (0x0400): Returning 0 rules for [bindu2@cee@cee]
(2024-01-19 15:32:59): [sudo] [sudosrv_build_response] (0x2000): error: [0]
(2024-01-19 15:32:59): [sudo] [sudosrv_build_response] (0x2000): rules_num: [0]
Any help is highly appreciated.
IMHO you're better off asking the SSSD users list. That is the software
doing the querying, etc.
It looks like you posted an incomplete sssd.conf though. I'd have
expected an [sssd] section which contained which services sssd was handling.
Your search base is also likely wrong. You don't want to point it at a
specific entry.
rob
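As an added example (not from the thread or from SSSD itself), the following Python helper parses the sudoRole entry and the sysdb filter from the log posted above and reports which sudoUser values match the lookup exactly and which match only once the "@cee" qualifier is removed, so the cached rule and the responder's query can be compared side by side before taking the question to the SSSD list. The inputs are constructed excerpts of the post, and the domain name "cee" is taken from the [domain/cee] section; the script does not tell you how SSSD qualifies names when it caches rules.

```python
import re

# Constructed excerpts of the sudoRole entry and the SSSD sudo responder log
# line quoted in the thread above, trimmed to what matters for sudoUser matching.
LDIF = """\
dn: cn=%LDAPAdministrator1,ou=Groups,ou=cee,o=nsn
cn: %LDAPAdministrator1
objectClass: top
objectClass: sudoRole
sudoOption: !authenticate
sudoUser: %LDAPAdministrator1
"""

LOG_LINE = (
    "(2024-01-19 15:32:59): [sudo] [sudosrv_query_cache] (0x0200): Searching sysdb with "
    "[(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=bindu2@cee)(sudoUser=#1602)"
    "(sudoUser=%LDAPAdministrator1@cee)(sudoUser=%LDAP\\20Users@cee)))]"
)

def parse_ldif(text):
    """Return {attribute: [values]} for one LDIF entry; multi-valued attributes are kept."""
    entry = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip(), []).append(value.strip())
    return entry

def sudo_user_tokens_from_log(line):
    """Pull every sudoUser=... token out of the sysdb filter SSSD logged.
    \\XX is RFC 4515 filter escaping, so \\20 decodes to a space."""
    tokens = re.findall(r"\(sudoUser=([^)]*)\)", line)
    return [re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), t) for t in tokens]

def strip_domain(token, domain):
    """Drop a trailing @domain qualifier; unqualified tokens are returned unchanged."""
    suffix = "@" + domain
    return token[:-len(suffix)] if token.endswith(suffix) else token

def compare_sudo_users(ldif_text, log_line, domain):
    """Return (exact matches, matches that appear only after @domain is stripped)."""
    rule_users = set(parse_ldif(ldif_text).get("sudoUser", []))
    looked_up = sudo_user_tokens_from_log(log_line)
    exact = sorted(rule_users & set(looked_up))
    stripped = sorted(rule_users & {strip_domain(t, domain) for t in looked_up})
    return exact, [u for u in stripped if u not in exact]
```

With the constructed inputs, compare_sudo_users(LDIF, LOG_LINE, "cee") returns ([], ['%LDAPAdministrator1']): the rule's only sudoUser value matches none of the queried tokens exactly and matches only after the "@cee" qualifier is removed.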