#2682 sudoOrder not honored as expected
Closed: Fixed None Opened 4 years ago by jhrozek.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1232950

Please note that this Bug is private and may not be accessible as it contains confidential Red Hat customer information.

Description of problem:
By definition of sudo-ldap, if multiple entries match then the higher value of
sudoOrder should be chosen; instead, in a default integration with ipa-client
the lowest value of sudoOrder is used. This conflicts with other servers
authenticating against the IPA server which rely only on LDAP and that don't
support SSSD...

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
ipa sudorule-mod SUDORULE --order=X

To check all defined orders:
ipa sudorule-find|egrep 'name|order'


Actual results:
The wrong rule is honored.


Expected results:
The rule with the highest sudoOrder is selected.


Additional info:
sudoOrder
   The sudoRole entries retrieved from the LDAP directory have no inherent
   order. The sudoOrder attribute is an integer (or floating point value for
   LDAP servers that support it) that is used to sort the matching entries.
   This allows LDAP-based sudoers entries to more closely mimic the
   behaviour of the sudoers file, where the order of the entries influences
   the result. If multiple entries match, the entry with the highest
   sudoOrder attribute is chosen. This corresponds to the "last match"
   behavior of the sudoers file. If the sudoOrder attribute is not present,
   a value of 0 is assumed.

Here is the workaround:
- change the sudoers line in nsswitch.conf from "sudoers: files sss" to
  "sudoers: files ldap"
- create entries in the /etc/sudo-ldap.conf file specifying:
  uri ldap://ipaserver01.subdomain.domain.com:389 ldap://ipaserver02.subdomain.domain.com:389
  bind_timelimit 30
  timelimit 30
  sudoers_base ou=sudoers,dc=subdomain,dc=domain,dc=com
  binddn uid=sudo,cn=sysaccounts,cn=etc,dc=subdomain,dc=domain,dc=com
  bindpw password

Once sudo is changed to use ldap instead of sssd, it starts working with the
appropriate sudoOrder, as sudo is doing the sort instead of sssd (I guess that
sssd doesn't pass the sudoOrder to sudo; instead it does the sort by itself).
The downside is that now we don't have an offline cache, nor the direct
integration with the ipa-client installation, and there is now a file
potentially exposing a password for accessing the LDAP sudo schema defined on
the IPA server.
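An added audit helper (not SSSD's or FreeIPA's code) that parses the `ipa sudorule-find | egrep 'name|order'` listing from the reproduction steps and applies the sudoers.ldap selection rule quoted above (highest sudoOrder wins, a missing attribute counts as 0): it reports which rule sudo itself would honor and flags rules that share an order, where the outcome is undefined whichever side does the sorting. The sample output and rule names are constructed.

```python
import re

# Added audit helper, not SSSD or FreeIPA code. Constructed sample of
# `ipa sudorule-find | egrep 'name|order'` output; "legacy-rule" has no sudoOrder.
SAMPLE_OUTPUT = """\
  Rule name: admins-all
  Sudo order: 10
  Rule name: ops-nopasswd
  Sudo order: 5
  Rule name: legacy-rule
  Rule name: dba-restart
  Sudo order: 5
"""

def parse_sudorule_find(text):
    """Return [(rule_name, sudoOrder or None)] from the grep-filtered output."""
    rules = []
    for line in text.splitlines():
        m = re.match(r"\s*Rule name:\s*(.+?)\s*$", line)
        if m:
            rules.append([m.group(1), None])
            continue
        m = re.match(r"\s*Sudo order:\s*(\S+)", line)
        if m and rules:
            rules[-1][1] = m.group(1)   # attribute belongs to the last rule seen
    return [tuple(r) for r in rules]

def effective_order(value):
    """sudoers.ldap semantics: a missing sudoOrder counts as 0; floats allowed."""
    return 0.0 if value is None else float(value)

def select_winner(rules):
    """The rule sudo itself honors: highest sudoOrder wins ('last match').
    Returns (name, ambiguous); ambiguous is True when another rule ties."""
    top = max(effective_order(o) for _, o in rules)
    winners = [n for n, o in rules if effective_order(o) == top]
    return winners[0], len(winners) > 1

def order_conflicts(rules):
    """Map effective sudoOrder -> rule names sharing it (implicit 0 included);
    with a tie the chosen rule is undefined whichever side does the sorting."""
    groups = {}
    for name, order in rules:
        groups.setdefault(effective_order(order), []).append(name)
    return {o: names for o, names in groups.items() if len(names) > 1}

if __name__ == "__main__":
    parsed = parse_sudorule_find(SAMPLE_OUTPUT)
    print("winner:", select_winner(parsed))
    print("shared orders:", order_conflicts(parsed))
```

Run it against real `ipa sudorule-find` output on a client that still relies on SSSD to see which rules are exposed to the ordering difference this ticket describes.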

Fields changed

owner: somebody => pbrezina

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.13 beta

Required for downstream, but not for Beta

milestone: SSSD 1.13 beta => SSSD 1.13

This ticket has a downstream BZ link, bumping priority

priority: major => critical

Fields changed

patch: 0 => 1

resolution: => fixed
status: new => closed

Fields changed

milestone: SSSD 1.13.2 => SSSD 1.13.1

Metadata Update from @jhrozek:
- Issue assigned to pbrezina
- Issue set to the milestone: SSSD 1.13.1

2 years ago
