[Freeipa-users] Oracle Linux 5.5 - Legacy Question

[Jakub Hrozek]

On Sat, Nov 21, 2015 at 02:21:52AM +0000, Jeffrey Stormshak wrote:
> Rob -
> Here’s the test configurations/data when I manipulate the BINDDN/BINDPW fields to get get both AUTH and SUDO to work in Linux 5.5.  I have three questions below that I would like to get your comments on or see what you may recommend on this.  I’m seriously perplexed on this as to why its working this way …  Please advise.  Thanks!
> 
> **************************************************************
> AUTH successful on login; SUDO fails with the message listed
> below !!
> **************************************************************
> [mjsmith at chi-infra-idm-client2 ~]$ sudo -l
> sudo: ldap_sasl_bind_s(): Server is unwilling to perform

Looks like the bind didn't finish successfully, can you look into
debugging sudo itself? The debugging changed a bit between releases, but
The sudo documentation would tell you..

> [sudo] password for mjsmith:
> Sorry, user mjsmith may not run sudo on chi-infra-idm-client2.
> *****************************************************
> 
> *****************************************************
> # grep -iv ‘#’ /etc/ldap.conf
> *****************************************************
> base dc=linuxcccis,dc=com
> uri ldap://chi-infra-idm-p1.linuxcccis.com/
> binddn uid=admin,cn=users,cn=compat,dc=linuxcccis,dc=com
> bindpw secret_pass
> timelimit 15
> bind_timelimit 5
> idle_timelimit 3600
> nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm
> pam_password md5
> sudoers_base ou=SUDOers,dc=linuxcccis,dc=com
> 
> *************************************************
> User Account AUTH and SUDO works when
> commenting both the binddn and bindpw fields !!
> *************************************************
> vi /etc/ldap.conf … Comment these two fields …
> #binddn uid=admin,cn=users,cn=compat,dc=linuxcccis,dc=com
> #bindpw secret_pass
> 
> ************************************************
> This file unchanged during the above testing !!
> ************************************************
> /etc/sudo-ldap.conf:
> binddn uid=sudo,cn=sysaccounts,cn=etc,dc=linuxcccis,dc=com
> bindpw secret_pass
> ssl start_tls
> tls_cacertfile /etc/ipa/ca.crt
> tls_checkpeer yes
> bind_timelimit 5
> timelimit 15
> uri ldap://chi-infra-idm-p1.linuxcccis.com
> sudoers_base ou=SUDOers,dc=linuxcccis,dc=com
> 
> QUESTIONS:
> 1) What BINDN account needs to be specified to allow the BINDDN/BINDPW to work for SUDO?
> 2) Why does the AUTH work when setting values in the BINDDN/BINDPW, but SUDO then fails?
> 3) If I leave BINDDN/BINDPW blank, what security risks are being introduced by leaving it that way?

Anyone on the network can read sudo rules. I guess in theory, the
attacker might target accounts who are allowed to run sudo rules as a
gateway for getting elevated privileges on the machine..