Hi, thanks for your tips and support,
I followed your tips and also found a Red Hat document ->
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/...
In short:
- follow the instructions
- enable logging (sudoers_debug 2)
-> got the following result: the sudo rule for the host group does not match because the LDAP
search looks for hosts instead of host groups :-(
ipa-lx-test-debian9% sudo -l
sudo: LDAP Config Summary
sudo: ===================
sudo: uri ldaps://ipa-lx-test-01.example.world.com
sudo: uri ldap://ipa-prod-01.example.world.com
sudo: ldap_version 3
sudo: sudoers_base ou=SUDOers,dc=example,dc=world,dc=com
sudo: search_filter (objectClass=sudoRole)
sudo: netgroup_base (NONE: will use nsswitch)
sudo: netgroup_search_filter (objectClass=nisNetgroup)
sudo: binddn uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=world,dc=com
sudo: bindpw MySecurePassword
sudo: bind_timelimit 5
sudo: timelimit 15
sudo: ssl (no)
sudo: tls_checkpeer (yes)
sudo: tls_cacertfile /etc/ipa/ca.crt
sudo: ===================
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: tls_checkpeer -> 1
sudo: ldap_set_option: tls_cacertfile -> /etc/ipa/ca.crt
sudo: ldap_set_option: tls_cacert -> /etc/ipa/ca.crt
sudo: ldap_initialize(ld, ldaps://ipa-lx-test-01.example.world.com ldap://ipa-prod-01.example.world.com)
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_set_option: timelimit -> 15
sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 5)
sudo: ldap_sasl_bind_s() ok
sudo: Looking for cn=defaults: (&(objectClass=sudoRole)(cn=defaults))
sudo: no default options found in ou=SUDOers,dc=example,dc=world,dc=com
sudo: ldap search '(&(objectClass=sudoRole)(|(sudoUser=webtrekk)(sudoUser=%webtrekk)(sudoUser=%#299801104)(sudoUser=%domänen-benutzer)(sudoUser=%mitarbeiter)(sudoUser=%wt-it-warp)(sudoUser=%wt-it)(sudoUser=%ad_users)(sudoUser=%wt-it-warp)(sudoUser=%#299800513)(sudoUser=%#299801109)(sudoUser=%#299801114)(sudoUser=%#299801116)(sudoUser=%#556800008)(sudoUser=%#556800012)(sudoUser=ALL)))'
sudo: searching from base 'ou=SUDOers,dc=example,dc=world,dc=com'
sudo: adding search result
sudo: ldap sudoHost '+centos_group' ... not
sudo: ldap sudoHost '+debian_group' ... not
sudo: ldap sudoHost '+ubuntu_group' ... not
sudo: result now has 0 entries
sudo: ldap search '(&(objectClass=sudoRole)(sudoUser=)(sudoUser=+))'
sudo: searching from base 'ou=SUDOers,dc=example,dc=world,dc=com'
sudo: adding search result
sudo: result now has 0 entries
sudo: perform search for pwflag 54
sudo: done with LDAP searches
sudo: user_matches=true
sudo: host_matches=false
sudo: sudo_ldap_lookup(54)=0x84
[sudo] Password for user:
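As an added example (not part of the original post), a small Python script that parses sudoers_debug output like the one above and explains why host_matches came out false: it picks out the sudoHost values that did not match, separates netgroup entries (leading '+') from plain hostnames, and notes when netgroup_base is NONE so sudo resolved them through nsswitch. The sample input is constructed from the lines in the post.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample of `sudo -l` output with sudoers_debug 2, built from the
# debug lines quoted in the post above.
SAMPLE = """\
sudo: netgroup_base (NONE: will use nsswitch)
sudo: ldap sudoHost '+centos_group' ... not
sudo: ldap sudoHost '+debian_group' ... not
sudo: ldap sudoHost '+ubuntu_group' ... not
sudo: user_matches=true
sudo: host_matches=false
"""

HOST_RE = re.compile(r"^sudo: ldap sudoHost '(?P<val>[^']*)' \.\.\. (?P<res>.+)$")
FLAG_RE = re.compile(r"^sudo: (?P<key>user_matches|host_matches)=(?P<val>true|false)$")
NETGROUP_BASE_RE = re.compile(r"^sudo: netgroup_base (?P<val>.+)$")


@dataclass
class Diagnosis:
    user_matches: Optional[bool] = None
    host_matches: Optional[bool] = None
    netgroup_via_nsswitch: bool = False          # netgroup_base NONE -> innetgr() lookups
    unmatched_netgroups: List[str] = field(default_factory=list)
    unmatched_hosts: List[str] = field(default_factory=list)

    def summary(self) -> str:
        if self.host_matches is not False:
            return "host matched (or no host_matches line seen)"
        if self.unmatched_netgroups and not self.unmatched_hosts and self.netgroup_via_nsswitch:
            return ("host_matches=false: every sudoHost value is a netgroup (%s) and netgroup_base "
                    "is NONE, so sudo asked nsswitch for them; check that this client can resolve "
                    "those netgroups, e.g. with 'getent netgroup <name>'"
                    % ", ".join(self.unmatched_netgroups))
        return "host_matches=false: no sudoHost value matched this host"


def analyze(debug_text: str) -> Diagnosis:
    d = Diagnosis()
    for line in debug_text.splitlines():
        if (m := NETGROUP_BASE_RE.match(line)):
            d.netgroup_via_nsswitch = m.group("val").startswith("(NONE")
        elif (m := FLAG_RE.match(line)):
            setattr(d, m.group("key"), m.group("val") == "true")
        elif (m := HOST_RE.match(line)) and m.group("res") == "not":
            # sudoers syntax: a leading '+' marks a netgroup rather than a hostname
            val = m.group("val")
            (d.unmatched_netgroups if val.startswith("+") else d.unmatched_hosts).append(val.lstrip("+"))
    return d


if __name__ == "__main__":
    print(analyze(SAMPLE).summary())
```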