On Tue, Mar 30, 2021 at 10:17:11AM +0000, BRUN Eric wrote:
> In my file nsswitch.conf, I have:
>
> sudoers: files ldap
>
> Before the update, that worked: first it tried to find the account in
> "files" and then, if not found, tried with ldap accounts.
>
> After the update, it is like "files" is ignored and ldap is used directly.
> I read the log files for this analysis.
This is not how sudo works by default. To quote the sudoers.ldap manpage:

    Sudo looks for a line beginning with sudoers: and uses this to
    determine the search order. Note that sudo does not stop searching
    after the first match and later matches take precedence over earlier
    ones.

I suspect that before the upgrade the LDAP backend returned nothing, and
after the upgrade it started to return one or more entries, but since
those most likely do not have the "sudoOption: !authenticate" attribute,
sudo prompts for a password (this was the only way I could reproduce your
observed behaviour). These lines in your sudo-ldap-debug.log seem to
confirm this:

    ...
    sudo: adding search result
    sudo: result now has 1 entries
    ...

Can you try whether putting this

    sudoers: files [SUCCESS=return] ldap

into /etc/nsswitch.conf fixes the issue? This way sudo stops processing if
a successful match in /etc/sudoers is found first (this is not mentioned in
the manpages, I learned of this by looking at the code).

What do the LDAP entries for user nagios actually look like?

I must say though that using /etc/sudoers to specify exceptions to rules in
an LDAP backend is an unorthodox way of using sudo with LDAP, as it makes
troubleshooting very complicated. If you want a command to be runnable only
on a subset of hosts then using separate per-host entries in LDAP is the
intended way. Otherwise someone looking just at the LDAP output has no way
of knowing what other rules might be in effect or whether the LDAP backend
is overshadowed by a [SUCCESS=return]/[NOTFOUND=return].

Another issue: your sudo-ldap.conf specifies ldap: URIs whereas ldaps: is
probably more applicable to ensure TLS. Otherwise an attacker who can
manipulate packets in transit could use that to escalate his privileges.

Regards,
Dennis.
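A small model of the lookup order described above, added here as an example and not code from the thread or from sudo itself: it parses the sudoers: line of nsswitch.conf, applies [SUCCESS=return]/[NOTFOUND=return] as the reply describes, and lets the last match decide whether a password is asked for. The per-source rules for nagios are constructed sample data, and "the last match alone decides" is a simplification of the manpage's "later matches take precedence".

```python
import re

# Constructed sample data (not from the thread): per-source sudo rules for
# a user. "!authenticate" is the sudoOption that suppresses the password.
SOURCES = {
    "files": {"nagios": [{"host": "ALL", "options": {"!authenticate"}}]},
    "ldap": {"nagios": [{"host": "ALL", "options": set()}]},
}

ACTION_RE = re.compile(r"\[(\w+)=(\w+)\]")

def parse_sudoers_line(nsswitch_text):
    """Parse the 'sudoers:' line into [(source, {ACTION: VALUE}), ...]."""
    tokens = ["files"]  # assumption: fall back to files when no line present
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("sudoers:"):
            tokens = line.split(":", 1)[1].split()
            break
    entries = []
    for tok in tokens:
        m = ACTION_RE.fullmatch(tok)
        if m and entries:  # an action token applies to the preceding source
            entries[-1][1][m.group(1).upper()] = m.group(2).upper()
        elif not m:
            entries.append((tok, {}))
    return entries

def resolve(nsswitch_text, user, sources=SOURCES):
    """Simplified model of the lookup: every source is queried in order and
    all matches are kept, unless [SUCCESS=return] follows a source that
    matched or [NOTFOUND=return] follows one that did not."""
    matches = []
    for source, actions in parse_sudoers_line(nsswitch_text):
        found = sources.get(source, {}).get(user, [])
        matches.extend(found)
        if found and actions.get("SUCCESS") == "RETURN":
            break
        if not found and actions.get("NOTFOUND") == "RETURN":
            break
    return matches

def effective(nsswitch_text, user, sources=SOURCES):
    """'denied' with no match; otherwise the last match takes precedence,
    so it alone decides whether a password is required."""
    matches = resolve(nsswitch_text, user, sources)
    if not matches:
        return "denied"
    return "nopasswd" if "!authenticate" in matches[-1]["options"] else "password"

if __name__ == "__main__":
    print(effective("sudoers: files ldap\n", "nagios"))                   # password
    print(effective("sudoers: files [SUCCESS=return] ldap\n", "nagios"))  # nopasswd
```

With "files ldap" the LDAP entry is consulted last and wins, which reproduces the password prompt from the report; with [SUCCESS=return] the files match ends the search.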