
#1 2020-12-18 16:05:51

kevdog
Member
Registered: 2013-01-26
Posts: 102

Can't login with sudo if authenticating with ldap/PAM

I'm attempting to use an openldap implementation to authenticate for sudo.
Many of these instructions (which aren't exactly correct -- which I intend to edit and fix once I have a working setup) are taken from here:
https://wiki.archlinux.org/index.php/LD … ble_sudo_2

I'm working with an openldap implementation with
a base domain, ou=groups (containing posixGroup), ou=SUDOers (containing sudoRoles) and ou=users (containing posixAccount)

I'm additionally using a nsswitch/nslcd/pam implementation.

Please note that, in my nsswitch.conf file, if I use "sudoers: ldap files", the process will complete; however, I'm only trying to use ldap for sudoers authentication:

My nsswitch.conf file is :

passwd: files ldap mymachines systemd
group: files ldap mymachines systemd
shadow: files ldap
sudoers: ldap

publickey: files

hosts: files mymachines myhostname mdns_minimal resolve [!UNAVAIL=return] dns wins
networks: files

protocols: files
services: files
ethers: files
rpc: files

netgroup: files

My nslcd.conf file is the following:

uid nslcd
gid nslcd
uri ldap://openldap.domain.com:389/
base dc=ldap,dc=domain,dc=com
binddn cn=admin,dc=ldap,dc=domain,dc=com
bindpw ***PASS**
rootpwmoddn cn=admin,dc=ldap,dc=domain,dc=com
scope sub
base   group  ou=groups,dc=ldap,dc=domain,dc=com
base   passwd ou=users,dc=ldap,dc=domain,dc=com
base   shadow ou=users,dc=ldap,dc=domain,dc=com
bind_timelimit 30
timelimit 30
idle_timelimit 3600
tls_reqcert allow
tls_cacertfile /etc/ssl/self-signed-certs/ldap.domain.com/client/ca.pem
tls_cert /etc/ssl/self-signed-certs/ldap.domain.com/client/cert.pem
tls_key /etc/ssl/self-signed-certs/ldap.domain.com/client/key.pem
filter  passwd (objectClass=posixAccount)
filter  passwd uid		uid
filter  passwd userPassword	userPassword
filter  passwd homeDirectory	homeDirectory
filter  passwd gidNumber	gidNumber
filter  shadow (objectClass=posixAccount)
map	shadow userPassword	userPassword
filter  group (objectClass=posixGroup)
map    group  member           memberUid
map    group  cn               groupName
map    group  gidNumber        gid

My /etc/openldap/ldap.conf is as follows:

BASE	dc=ldap,dc=domain,dc=com
URI	ldap://openldap.domain.com/
PORT	389
LDAP_VERSION  3
tls_cacertfile /etc/ssl/self-signed-certs/ldap.domain.com/client/ca.pem
tls_reqcert demand
SUDOERS_BASE ou=SUDOers,dc=ldap,dc=domain,dc=com
SUDOERS_TIMED no
SUDOERS_DEBUG 0
SUDOERS_SEARCH_FILTER	($(objectClass=sudoRole)(sudoUser=*))
TIMELIMIT 10
TIMEOUT 10
BIND_TIMELIMIT 10

In terms of running a query for the sudoUsers:

# ldapsearch -D "cn=admin,dc=ldap,dc=domain,dc=com" -w **PASS** -b 'ou=SUDOers,dc=ldap,dc=domain,dc=com' -H ldap://openldap.domain.com

# extended LDIF
#
# LDAPv3
# base <ou=SUDOers,dc=ldap,dc=domain,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# SUDOers, ldap.domain.com
dn: ou=SUDOers,dc=ldap,dc=domain,dc=com
ou: SUDOers
associatedDomain: openldap.domain.com
objectClass: organizationalUnit
objectClass: top
objectClass: domainRelatedObject

# %sudo, SUDOers, ldap.domain.com
dn: cn=%sudo,ou=SUDOers,dc=ldap,dc=domain,dc=com
cn: %sudo
objectClass: sudoRole
objectClass: top
sudoCommand: ALL
sudoHost: ALL
sudoUser: %sudo

# kevdog, SUDOers, ldap.domain.com
dn: cn=kevdog,ou=SUDOers,dc=ldap,dc=domain,dc=com
cn: kevdog
objectClass: sudoRole
objectClass: top
sudoCommand: ALL
sudoHost: ALL
sudoUser: kevdog

# search result
search: 2
result: 0 Success

# numResponses: 4
# numEntries: 3

In terms of pam stuff -- a little over the map but I've made modifications to system-auth and sudo

# cat /etc/pam.d/system-auth
#%PAM-1.0

auth       required                    pam_faillock.so      preauth
# Optionally use requisite above if you do not want to prompt for the password
# on locked accounts.
auth	   sufficient		       pam_ldap.so          try_first_pass
auth       [success=2 default=ignore]  pam_unix.so          try_first_pass nullok
-auth      [success=1 default=ignore]  pam_systemd_home.so
auth       [default=die]               pam_faillock.so      authfail
auth       optional                    pam_permit.so
auth       required                    pam_env.so
auth       required                    pam_faillock.so      authsucc
# If you drop the above call to pam_faillock.so the lock will be done also
# on non-consecutive authentication failures.

-account   [success=1 default=ignore]  pam_systemd_home.so
account	   sufficient		       pam_ldap.so
account    required                    pam_unix.so
account    optional                    pam_permit.so
account    required                    pam_time.so

-password  [success=1 default=ignore]  pam_systemd_home.so
password   sufficient		       pam_ldap.so          try_first_pass
password   required                    pam_unix.so          try_first_pass nullok shadow
password   optional                    pam_permit.so

session    required                    pam_limits.so
session    required                    pam_unix.so
session    optional                    pam_ldap.so
session    optional                    pam_permit.so
# cat /etc/pam.d/sudo

#%PAM-1.0
auth       sufficient    pam_ldap.so
auth       required      pam_unix.so try_first_pass
auth       required      pam_nologin.so
auth		include		system-auth
account		include		system-auth
session		include		system-auth

I'll try to log in as a sudo user but get denied:

sudo su
[sudo] password for kevdog:
kevdog is not allowed to run sudo on arch-TM.  This incident will be reported.

I set up logging for sudo and all I see is this (/var/log/sudo_debug):

Dec 18 00:40:46 sudo[604742] <- sudo_new_key_val_v1 @ ./key_val.c:55 := network_addrs=10.0.1.107/255.255.255.0 fe80::c781:fe7a:e66b:608/ffff:ffff:ffff:ffff::
Dec 18 00:40:46 sudo[604742] settings: plugin_dir=/usr/lib/sudo/
Dec 18 00:40:46 sudo[604742] -> sudo_new_key_val_v1 @ ./key_val.c:43
Dec 18 00:40:46 sudo[604742] <- sudo_new_key_val_v1 @ ./key_val.c:55 := plugin_dir=/usr/lib/sudo/
Dec 18 00:40:46 sudo[604742] <- format_plugin_settings @ ./sudo.c:1052 := 0x55c01f14e3d0
Dec 18 00:40:46 sudo[604742] <- policy_open @ ./sudo.c:1104
Dec 18 00:40:46 sudo[604742] -> policy_check @ ./sudo.c:1160
Dec 18 00:40:46 sudo[604742] -> tgetpass @ ./tgetpass.c:122
Dec 18 00:40:46 sudo[604742] -> sudo_term_noecho_v1 @ ./term.c:163
Dec 18 00:40:46 sudo[604742] <- sudo_term_noecho_v1 @ ./term.c:174 := true
Dec 18 00:40:46 sudo[604742] -> getln @ ./tgetpass.c:375
Dec 18 00:40:49 sudo[604742] <- getln @ ./tgetpass.c:442 := ******
Dec 18 00:40:49 sudo[604742] -> tgetpass_display_error @ ./tgetpass.c:89
Dec 18 00:40:49 sudo[604742] <- tgetpass_display_error @ ./tgetpass.c:104
Dec 18 00:40:49 sudo[604742] -> sudo_term_restore_v1 @ ./term.c:144
Dec 18 00:40:49 sudo[604742] <- sudo_term_restore_v1 @ ./term.c:152 := true
Dec 18 00:40:49 sudo[604742] <- tgetpass @ ./tgetpass.c:282 := ******
Dec 18 00:40:49 sudo[604742] policy plugin returns -1 (authentication failure)
Dec 18 00:40:49 sudo[604742] -> audit_error @ ./sudo.c:1703
Dec 18 00:40:49 sudo[604742] <- audit_error @ ./sudo.c:1721
Dec 18 00:40:49 sudo[604742] -> policy_close @ ./sudo.c:1110
Dec 18 00:40:49 sudo[604742] sudoers_policy: calling policy close with wait status 0
Dec 18 00:40:49 sudo[604742] <- policy_close @ ./sudo.c:1132
Dec 18 00:40:49 sudo[604742] -> audit_close @ ./sudo.c:1594
Dec 18 00:40:49 sudo[604742] <- audit_close @ ./sudo.c:1604

On the openldap end I don't see a lot in the logs:

5fdcd2b2 conn=2715 fd=13 ACCEPT from IP=10.0.1.107:37548 (IP=0.0.0.0:389)
5fdcd2b2 conn=2715 op=0 BIND dn="cn=admin,dc=ldap,dc=domain,dc=com" method=128
5fdcd2b2 conn=2715 op=0 BIND dn="cn=admin,dc=ldap,dc=domain,dc=com" mech=SIMPLE ssf=0
5fdcd2b2 conn=2715 op=0 RESULT tag=97 err=0 text=
5fdcd2b2 conn=2715 op=1 UNBIND
5fdcd2b2 conn=2715 fd=13 closed

Is there something else I should be trying???

Last edited by kevdog (2020-12-18 16:06:31)

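To see which of the sudoRole entries above should apply to a given account, and what sudo's LDAP backend asks the directory for, here is an added example (not code from the thread or from the sudo project). It reads LDIF of the kind ldapsearch prints, applies the sudoUser matching rules sudo documents (user name, #uid, %group, %#gid, ALL; +netgroup entries are recognised but not resolved here), and rebuilds the (sudoUser=...) disjunction that sudo sends as its second query. The LDIF is a constructed sample modelled on the two entries in the post, and the group memberships given for kevdog are an assumption taken from the groups that appear in the logged search filter.

```python
"""Evaluate sudoRole entries against a user the way sudo's LDAP backend does.

Added example; not part of the forum thread.  SAMPLE_LDIF is a constructed
sample modelled on the ldapsearch output in the post.
"""
import base64
from dataclasses import dataclass, field

SAMPLE_LDIF = """\
# %sudo, SUDOers, ldap.domain.com
dn: cn=%sudo,ou=SUDOers,dc=ldap,dc=domain,dc=com
cn: %sudo
objectClass: sudoRole
objectClass: top
sudoCommand: ALL
sudoHost: ALL
sudoUser: %sudo

# kevdog, SUDOers, ldap.domain.com
dn: cn=kevdog,ou=SUDOers,dc=ldap,dc=domain,dc=com
cn: kevdog
objectClass: sudoRole
objectClass: top
sudoCommand: ALL
sudoHost: ALL
sudoUser: kevdog
"""


def parse_ldif(text):
    """Minimal LDIF reader: '#' comments skipped, blank line ends an entry,
    repeated attributes become lists, 'attr:: <base64>' values are decoded,
    and continuation lines (leading space) are folded onto the previous value."""
    entries, current, prev_attr = [], {}, None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if not raw.strip():
            if current:
                entries.append(current)
            current, prev_attr = {}, None
            continue
        if raw.startswith(" ") and prev_attr:
            current[prev_attr][-1] += raw[1:]
            continue
        attr, _, value = raw.partition(":")
        if value.startswith(":"):                      # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode()
        else:
            value = value.strip()
        current.setdefault(attr, []).append(value)
        prev_attr = attr
    if current:
        entries.append(current)
    return entries


@dataclass
class Principal:
    """What NSS would report for the invoking user (assumed values below)."""
    name: str
    uid: int
    primary_group: tuple                                # (name, gid)
    supplementary: dict = field(default_factory=dict)   # name -> gid, NSS order

    def group_names(self):
        return {self.primary_group[0], *self.supplementary}

    def gids(self):
        return {self.primary_group[1], *self.supplementary.values()}


def sudo_user_matches(spec, p):
    """sudoUser value semantics: ALL, +netgroup, %#gid, %group, #uid, or name."""
    if spec == "ALL":
        return True
    if spec.startswith("+"):        # NIS netgroup: not resolved in this example
        return False
    if spec.startswith("%#"):
        return int(spec[2:]) in p.gids()
    if spec.startswith("%"):
        return spec[1:] in p.group_names()
    if spec.startswith("#"):
        return int(spec[1:]) == p.uid
    return spec == p.name


def matching_roles(entries, p):
    """cn of every sudoRole whose sudoUser grants the principal, in LDIF order."""
    return [e["cn"][0] for e in entries
            if "sudoRole" in e.get("objectClass", [])
            and any(sudo_user_matches(s, p) for s in e.get("sudoUser", []))]


def expected_search_filter(p):
    """The user-specific filter sudo's LDAP backend issues: name, #uid, primary
    group by name and gid, supplementary groups by name then by gid, then ALL.
    Compare it with the SRCH filter slapd logs for the sudo connection."""
    terms = [p.name, f"#{p.uid}", f"%{p.primary_group[0]}", f"%#{p.primary_group[1]}"]
    terms += [f"%{g}" for g in p.supplementary]
    terms += [f"%#{gid}" for gid in p.supplementary.values()]
    terms.append("ALL")
    return "(&(objectClass=sudoRole)(|" + "".join(f"(sudoUser={t})" for t in terms) + "))"


# Assumed memberships for kevdog, taken from the groups in the logged filter.
KEVDOG = Principal("kevdog", 1000, ("kevdog", 1000),
                   {"wheel": 998, "sudo": 1001, "timemachine": 1002})

if __name__ == "__main__":
    roles = parse_ldif(SAMPLE_LDIF)
    print("roles matching kevdog:", matching_roles(roles, KEVDOG))
    print("filter sudo would send:", expected_search_filter(KEVDOG))
```

If the filter this prints is identical to the one slapd logs, sudo is building the right query for the user; the question then moves to why the directory answers it differently for sudo than for a manual ldapsearch.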

#2 2020-12-18 16:42:23

kevdog
Member
Registered: 2013-01-26
Posts: 102

Re: Can't login with sudo if authenticating with ldap/PAM

OK, I made some adjustments but am still not getting what I need --- I had screwed up my configuration in /etc/openldap/ldap.conf.  I made a replacement for the filter:

#SUDOERS_SEARCH_FILTER (&(objectClass=sudoRole)(sudoUser=*))
SUDOERS_SEARCH_FILTER objectClass=sudoRole

Now at the openldap logs I get the following:

5fdcd802 conn=2741 fd=13 ACCEPT from IP=10.0.1.107:37600 (IP=0.0.0.0:389)
5fdcd802 conn=2741 op=0 BIND dn="" method=128
5fdcd802 conn=2741 op=0 RESULT tag=97 err=0 text=
5fdcd802 conn=2741 op=1 SRCH base="ou=SUDOers,dc=ldap,dc=domain,dc=com" scope=2 deref=0 filter="(&(objectClass=sudoRole)(cn=defaults))"
5fdcd802 conn=2741 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=
5fdcd802 conn=2742 fd=14 ACCEPT from IP=10.0.1.107:37602 (IP=0.0.0.0:389)
5fdcd802 conn=2742 op=0 BIND dn="cn=admin,dc=ldap,dc=domain,dc=com" method=128
5fdcd802 conn=2742 op=0 BIND dn="cn=admin,dc=ldap,dc=domain,dc=com" mech=SIMPLE ssf=0
5fdcd802 conn=2742 op=0 RESULT tag=97 err=0 text=
5fdcd802 conn=2742 op=1 UNBIND
5fdcd802 conn=2742 fd=14 closed
5fdcd802 conn=2741 op=2 SRCH base="ou=SUDOers,dc=ldap,dc=domain,dc=com" scope=2 deref=0 filter="(&(objectClass=sudoRole)(|(sudoUser=kevdog)(sudoUser=#1000)(sudoUser=%kevdog)(sudoUser=%#1000)(sudoUser=%wheel)(sudoUser=%sudo)(sudoUser=%timemachine)(sudoUser=%#998)(sudoUser=%#1001)(sudoUser=%#1002)(sudoUser=ALL)))"
5fdcd802 conn=2741 op=2 SEARCH RESULT tag=101 err=32 nentries=0 text=
5fdcd802 conn=2741 op=3 SRCH base="ou=SUDOers,dc=ldap,dc=domain,dc=com" scope=2 deref=0 filter="(&(objectClass=sudoRole)(sudoUser=*)(sudoUser=+*))"
5fdcd802 conn=2741 op=3 SEARCH RESULT tag=101 err=32 nentries=0 text=
5fdcd805 conn=2741 fd=13 closed (connection lost)

The funny part is that if I walk through these searches by hand:

ldapsearch -D "cn=admin,dc=ldap,dc=domain,dc=com" -w **PASS** -b 'ou=SUDOers,dc=ldap,dc=domain,dc=com' -H ldap://openldap.domain.com "(&(objectClass=sudoRole)(cn=defaults))" 
# extended LDIF
#
# LDAPv3
# base <ou=SUDOers,dc=ldap,dc=domain,dc=com> with scope subtree
# filter: (&(objectClass=sudoRole)(cn=defaults))
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1

The above makes sense since I don't have any defaults defined

Next search:

#ldapsearch -D "cn=admin,dc=ldap,dc=domain,dc=com" -w **PASS** -b 'ou=SUDOers,dc=ldap,dc=domain,dc=com' -H ldap://openldap.domain.com "(&(objectClass=sudoRole)(|(sudoUser=kevdog)(sudoUser=#1000)(sudoUser=%kevdog)(sudoUser=%#1000)(sudoUser=%wheel)(sudoUser=%sudo)(sudoUser=%timemachine)(sudoUser=%#998)(sudoUser=%#1001)(sudoUser=%#1002)(sudoUser=ALL)))"
# extended LDIF
#
# LDAPv3
# base <ou=SUDOers,dc=ldap,dc=domain,dc=com> with scope subtree
# filter: (&(objectClass=sudoRole)(|(sudoUser=kevdog)(sudoUser=#1000)(sudoUser=%kevdog)(sudoUser=%#1000)(sudoUser=%wheel)(sudoUser=%sudo)(sudoUser=%timemachine)(sudoUser=%#998)(sudoUser=%#1001)(sudoUser=%#1002)(sudoUser=ALL)))
# requesting: ALL
#

# kevdog, SUDOers, ldap.domain.com
dn: cn=kevdog,ou=SUDOers,dc=ldap,dc=domain,dc=com
cn: kevdog
objectClass: sudoRole
objectClass: top
sudoCommand: ALL
sudoHost: ALL
sudoUser: kevdog

# %sudo, SUDOers, ldap.domain.com
dn: cn=%sudo,ou=SUDOers,dc=ldap,dc=domain,dc=com
cn: %sudo
objectClass: sudoRole
objectClass: top
sudoCommand: ALL
sudoHost: ALL
sudoUser: %sudo

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2

And finally:

ldapsearch -D "cn=admin,dc=ldap,dc=domain,dc=com" -w **PASS* -b 'ou=SUDOers,dc=ldap,dc=domain,dc=com' -H ldap://openldap.domain.com "(&(objectClass=sudoRole)(sudoUser=*)(sudoUser=+*))" 
# extended LDIF
#
# LDAPv3
# base <ou=SUDOers,dc=ldap,dc=domain,dc=com> with scope subtree
# filter: (&(objectClass=sudoRole)(sudoUser=*)(sudoUser=+*))
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1

Which returns nothing...

Confused why things are not working -- I'm rather stumped!!!

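One detail worth pulling out of slapd logs like the ones above is the bind identity each connection used before its searches, alongside the numeric result code: err=32 is LDAP noSuchObject, which slapd returns both when the base DN does not exist and when access controls hide that base from the bind identity. Here is an added example (not code from the thread) that pairs each SRCH with its SEARCH RESULT, decodes the code, and flags failing searches that ran over an anonymous bind (dn=""). The log lines are a constructed sample modelled on the thread's output: one anonymous connection whose search fails, and one admin-bound connection whose search succeeds.

```python
"""Triage slapd 'stats' log lines: bind identity per connection, search
results decoded, failures under anonymous binds flagged.

Added example; not part of the forum thread.  SAMPLE_LOG is constructed,
modelled on the slapd lines in the post.
"""
import re

SAMPLE_LOG = """\
5fdcd802 conn=2741 fd=13 ACCEPT from IP=10.0.1.107:37600 (IP=0.0.0.0:389)
5fdcd802 conn=2741 op=0 BIND dn="" method=128
5fdcd802 conn=2741 op=0 RESULT tag=97 err=0 text=
5fdcd802 conn=2741 op=1 SRCH base="ou=SUDOers,dc=ldap,dc=domain,dc=com" scope=2 deref=0 filter="(&(objectClass=sudoRole)(cn=defaults))"
5fdcd802 conn=2741 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=
5fdcd802 conn=2742 fd=14 ACCEPT from IP=10.0.1.107:37602 (IP=0.0.0.0:389)
5fdcd802 conn=2742 op=0 BIND dn="cn=admin,dc=ldap,dc=domain,dc=com" method=128
5fdcd802 conn=2742 op=0 BIND dn="cn=admin,dc=ldap,dc=domain,dc=com" mech=SIMPLE ssf=0
5fdcd802 conn=2742 op=0 RESULT tag=97 err=0 text=
5fdcd802 conn=2742 op=1 SRCH base="ou=SUDOers,dc=ldap,dc=domain,dc=com" scope=2 deref=0 filter="(objectClass=sudoRole)"
5fdcd802 conn=2742 op=1 SEARCH RESULT tag=101 err=0 nentries=3 text=
5fdcd802 conn=2742 op=2 UNBIND
5fdcd802 conn=2742 fd=14 closed
"""

# Standard LDAP result codes that show up most often in this kind of triage.
RESULT_CODES = {
    0: "success",
    32: "noSuchObject",
    49: "invalidCredentials",
    50: "insufficientAccessRights",
}

BIND_RE = re.compile(r'conn=(\d+) op=\d+ BIND dn="([^"]*)"')
SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH base="([^"]*)" .*filter="([^"]*)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) SEARCH RESULT tag=\d+ err=(\d+) nentries=(\d+)')


def triage(log):
    """Return one finding per completed search: who was bound on that
    connection, what was asked, and how the server answered."""
    binder = {}       # conn -> bind dn ("" means anonymous)
    pending = {}      # (conn, op) -> (base, filter)
    findings = []
    for line in log.splitlines():
        if m := BIND_RE.search(line):
            binder[m[1]] = m[2]
        elif m := SRCH_RE.search(line):
            pending[(m[1], m[2])] = (m[3], m[4])
        elif m := RESULT_RE.search(line):
            base, flt = pending.pop((m[1], m[2]), ("?", "?"))
            err, bind_dn = int(m[3]), binder.get(m[1], "")
            findings.append({
                "conn": m[1], "bind_dn": bind_dn, "anonymous": bind_dn == "",
                "base": base, "filter": flt, "err": err,
                "code": RESULT_CODES.get(err, "unknown"), "nentries": int(m[4]),
            })
    return findings


def anonymous_failures(log):
    """(conn, base) for every failed search issued over an anonymous bind."""
    return [(f["conn"], f["base"]) for f in triage(log)
            if f["anonymous"] and f["err"] != 0]


def explain(f):
    """Human-readable line for one finding."""
    who = "anonymous" if f["anonymous"] else f["bind_dn"]
    msg = f"conn={f['conn']} bind={who} base={f['base']} -> {f['code']} ({f['nentries']} entries)"
    if f["err"] == 32:
        msg += ": base DN missing, or not readable by this bind identity"
    return msg


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(explain(finding))
```

Run it over the real log and compare the bind DN on the sudo connection with the one used for the hand-run ldapsearch; if the same base answers noSuchObject to one identity and returns entries to the other, the difference is in who is asking, not in the filter.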
