https://bugzilla.redhat.com/show_bug.cgi?id=720711
1. # ipa-nis-manage enable [root@qe-blade-04 ~]# hostname qe-blade-04.testrelm [root@qe-blade-04 ~]# nisdomainname testrelm 2. [root@qe-blade-04 ~]# ipa user-add user1 First name: user Last name: 1 ------------------ Added user "user1" ------------------ User login: user1 First name: user Last name: 1 Full name: user 1 Display name: user 1 Initials: u1 Home directory: /home/user1 GECOS field: user 1 Login shell: /bin/sh Kerberos principal: user1@TESTRELM UID: 742600006 GID: 742600006 [root@qe-blade-04 ~]# ipa passwd user1 Password: Enter Password again to verify: ------------------------------------- Changed password for "user1@TESTRELM" ------------------------------------- 3. [root@qe-blade-04 ~]# ipa sudorule-add Rule name: testrule1 --------------------------- Added sudo rule "testrule1" --------------------------- Rule name: testrule1 Enabled: TRUE [root@qe-blade-04 ~]# ipa sudorule-add-user Rule name: testrule1 [member user]: user1 [member group]: user1 Rule name: testrule1 Enabled: TRUE Users: user1 Groups: user1 ------------------------- Number of members added 2 ------------------------- [root@qe-blade-04 ~]# 4. [root@qe-blade-04 ~]# ipa sudorule-find testrule1 --all --raw ------------------- 1 sudo rule matched ------------------- dn: ipauniqueid=85dc8ce2-ac95-11e0-9702-00215e202e2e,cn=sudorules,cn=sudo,dc=testrelm cn: testrule1 ipaenabledflag: TRUE memberuser: cn=user1,cn=groups,cn=accounts,dc=testrelm memberuser: uid=user1,cn=users,cn=accounts,dc=testrelm ipauniqueid: 85dc8ce2-ac95-11e0-9702-00215e202e2e objectclass: ipaassociation objectclass: ipasudorule ---------------------------- Number of entries returned 1 ---------------------------- [root@qe-blade-04 ~]# 5. 
[root@qe-blade-04 ~]# cat /etc/nss_ldap.conf bind_policy soft sudoers_base ou=SUDOers,dc=testrelm binddn uid=sudo,cn=sysaccounts,cn=etc,dc=testrelm bindpw bind123 ssl no tls_cacertfile /etc/ipa/ca.crt tls_checkpeer yes bind_timelimit 5 timelimit 15 sudoers_debug 5 BASE dc=testrelm TLS_CACERTDIR /etc/ipa uri ldap://qe-blade-04.testrelm 6. [root@qe-blade-04 ~]# ssh -l user1 localhost user1@localhost's password: Last login: Tue Jul 12 10:47:52 2011 from localhost -sh-4.1$ sudo -l Actual results: -sh-4.1$ sudo -l LDAP Config Summary =================== uri ldap://qe-blade-04.testrelm ldap_version 3 sudoers_base ou=SUDOers,dc=testrelm binddn uid=sudo,cn=sysaccounts,cn=etc,dc=testrelm bindpw bind123 bind_timelimit 5000 timelimit 15 ssl no tls_checkpeer (yes) tls_cacertfile /etc/ipa/ca.crt tls_cacertdir /etc/ipa =================== sudo: ldap_initialize(ld, ldap://qe-blade-04.testrelm) sudo: ldap_set_option: debug -> 0 sudo: ldap_set_option: ldap_version -> 3 sudo: ldap_set_option: tls_checkpeer -> 1 sudo: ldap_set_option: tls_cacertfile -> /etc/ipa/ca.crt sudo: ldap_set_option: tls_cacert -> /etc/ipa/ca.crt sudo: ldap_set_option: tls_cacertdir -> /etc/ipa sudo: ldap_set_option: timelimit -> 15 sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 5) sudo: ldap_sasl_bind_s() ok sudo: no default options found in ou=SUDOers,dc=testrelm sudo: user_matches=0 <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< sudo: host_matches=0 sudo: sudo_ldap_lookup(52)=0xe0 [sudo] password for user1: user1 is not in the sudoers file. This incident will be reported. 
-sh-4.1$ -sh-4.1$ sudo -l LDAP Config Summary =================== uri ldap://bumblebee.lab.eng.pnq.redhat.com ldap_version 3 sudoers_base ou=SUDOers,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com binddn uid=sudo,cn=sysaccounts,cn=etc,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com bindpw bind123 bind_timelimit 5000 timelimit 15 ssl no tls_checkpeer (yes) tls_cacertfile /etc/ipa/ca.crt tls_cacertdir /etc/ipa =================== sudo: ldap_initialize(ld, ldap://bumblebee.lab.eng.pnq.redhat.com) sudo: ldap_set_option: debug -> 0 sudo: ldap_set_option: ldap_version -> 3 sudo: ldap_set_option: tls_checkpeer -> 1 sudo: ldap_set_option: tls_cacertfile -> /etc/ipa/ca.crt sudo: ldap_set_option: tls_cacert -> /etc/ipa/ca.crt sudo: ldap_set_option: tls_cacertdir -> /etc/ipa sudo: ldap_set_option: timelimit -> 15 sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 5) sudo: ldap_sasl_bind_s() ok sudo: no default options found in ou=SUDOers,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com sudo: user_matches=1 <<<<<<<<<<<<<<<<<<<<<<<<< sudo: host_matches=0 sudo: sudo_ldap_lookup(52)=0xc0 Note: In this case ipa server was installed with --setup-dns option. ipa-server-install --setup-dns --forwarder=$DNSFORWARD --hostname=$hostname_s.$DOMAIN -r $RELM -n $DOMAIN -p $ADMINPW -P $ADMINPW -a $ADMINPW -U I installed ipa-server without this option and sudo seems to work as expected.
attachment freeipa-jraquino-0035-remove-escapes-from-the-cvs-parser-in-ldapupdate.patch
Bug introduced with changeset 8e086fd, resulting in ldapupdate handling uldif files incorrectly — particularly schema_compat.uldif.
master: 9869b09
ipa-2-0: 6404a98
Metadata Update from @rcritten: - Issue assigned to jraquino - Issue set to the milestone: FreeIPA 2.1 - 2011/07