#4118 sssd requires timed sudoers ldap entries to be specified up to the seconds
Closed: Fixed 4 years ago by pbrezina. Opened 4 years ago by pbrezina.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 8): Bug 1767514

Description of problem:
The LDAP specification says that minutes and seconds may be omitted, in which
case they are to be treated as zeros [1].

When a sudo rule defines sudoNotAfter and/or sudoNotBefore options which are
specified only up to hours, e.g. 2019103116Z, sssd does not match the rule and
refuses to let a user run a command. If the options are padded with zeros, e.g.
20191031160000Z, it works.

SSSD should behave according to the LDAP specification in these terms.

Version-Release number of selected component (if applicable):
sssd-2.2.0-19.el8.x86_64

How reproducible:
100%

Steps to Reproduce:
1. have a rule with sudoNotBefore set to the past but specified only up to hours,
e.g. 2019103116Z
2. try to run command allowed by the rule

Actual results:
sudoNotBefore=2019103015Z
$ sudo -l
Sorry, user userallowed may not run sudo on ci-vm-10-0-137-224.

sudoNotBefore=20191030150000Z
$ sudo -l
Matching Defaults entries for userallowed on ci-vm-10-0-137-224:
    !authenticate, !requiretty

User userallowed may run the following commands on ci-vm-10-0-137-224:
    (root) NOTBEFORE=20191030150000Z ALL

Expected results:
sudoNotBefore=2019103015Z
$ sudo -l
Matching Defaults entries for userallowed on ci-vm-10-0-137-224:
    !authenticate, !requiretty

User userallowed may run the following commands on ci-vm-10-0-137-224:
    (root) NOTBEFORE=20191030150000Z ALL

sudoNotBefore=20191030150000Z
$ sudo -l
Matching Defaults entries for userallowed on ci-vm-10-0-137-224:
    !authenticate, !requiretty

User userallowed may run the following commands on ci-vm-10-0-137-224:
    (root) NOTBEFORE=20191030150000Z ALL


Additional info:
1. https://ldapwiki.com/wiki/GeneralizedTime
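The GeneralizedTime handling the report asks for, as an added C example that is not SSSD's code (the actual fix is commit 58a67cd in sysdb_sudo): minutes and seconds that are omitted count as zero, so the page's 2019103015Z bound parses to the same instant as 20191030150000Z and the rule check below accepts it. The function names, the inclusive bounds in sudo_rule_active() and the dependency on timegm() are assumptions of this example.

```c
#include <ctype.h>
#include <time.h>
time_t timegm(struct tm *);    /* UTC inverse of gmtime(); glibc and the BSDs provide it */

/* Read exactly n ASCII digits at *p into *out and advance *p; returns 0 on failure. */
static int read_digits(const char **p, int n, int *out)
{
    int v = 0;
    for (int i = 0; i < n; i++) {
        if (!isdigit((unsigned char)(*p)[i])) return 0;
        v = v * 10 + ((*p)[i] - '0');
    }
    *p += n; *out = v; return 1;
}
/* Parse an LDAP GeneralizedTime (RFC 4517), YYYYMMDDHH[MM[SS]][.fff](Z|+hh[mm]|-hh[mm]),
 * into UTC; omitted minutes/seconds count as zero (the ticket's point). (time_t)-1 if malformed. */
time_t generalized_time_to_utc(const char *s)
{
    const char *p = s; struct tm tm = {0};
    int year, mon, day, hour, min = 0, sec = 0, tzh = 0, tzm = 0, sign = 0;
    if (!read_digits(&p, 4, &year) || !read_digits(&p, 2, &mon) ||
        !read_digits(&p, 2, &day) || !read_digits(&p, 2, &hour)) return (time_t)-1;
    if (isdigit((unsigned char)*p) && !read_digits(&p, 2, &min)) return (time_t)-1;
    if (isdigit((unsigned char)*p) && !read_digits(&p, 2, &sec)) return (time_t)-1;
    if (*p == '.' || *p == ',') {                 /* fraction: at least one digit, ignored */
        if (!isdigit((unsigned char)*++p)) return (time_t)-1;
        while (isdigit((unsigned char)*p)) p++;
    }
    if (*p == 'Z') p++;                           /* a zone designator is mandatory */
    else if (*p == '+' || *p == '-') {
        sign = (*p++ == '+') ? 1 : -1;
        if (!read_digits(&p, 2, &tzh)) return (time_t)-1;
        if (isdigit((unsigned char)*p) && !read_digits(&p, 2, &tzm)) return (time_t)-1;
    } else return (time_t)-1;
    if (*p != '\0' || mon < 1 || mon > 12 || day < 1 || day > 31 ||
        hour > 23 || min > 59 || sec > 59 || tzh > 23 || tzm > 59) return (time_t)-1;
    tm.tm_year = year - 1900; tm.tm_mon = mon - 1; tm.tm_mday = day;
    tm.tm_hour = hour; tm.tm_min = min; tm.tm_sec = sec;
    return timegm(&tm) - sign * (tzh * 3600 + tzm * 60);   /* +0200 means UTC = local - 2h */
}

/* A rule applies at 'now' when sudoNotBefore <= now <= sudoNotAfter (inclusive
 * bounds are an assumption); NULL means unbounded, an unparseable bound denies. */
int sudo_rule_active(const char *not_before, const char *not_after, time_t now)
{
    time_t t;
    if (not_before && ((t = generalized_time_to_utc(not_before)) == (time_t)-1 || now < t)) return 0;
    if (not_after && ((t = generalized_time_to_utc(not_after)) == (time_t)-1 || now > t)) return 0;
    return 1;
}
```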

Metadata Update from @pbrezina:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1767514

4 years ago

Metadata Update from @pbrezina:
- Issue assigned to ppolawsk

4 years ago
  • master
    • 58a67cd - sysdb_sudo: Enable LDAP time format compatibility

Metadata Update from @pbrezina:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

4 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/5079

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.
