[Freeipa-users] Oracle Linux 5.5 - Legacy Question
Rob Crittenden
rcritten at redhat.com
Tue Nov 24 02:32:52 UTC 2015
Jeffrey Stormshak wrote:
> Jakub/Rob -
> Thanks for the feedback. I was finally able to ditch the ‘binddn’ and
> was able to get SSL working upon upgrading the OpenSSL from the 5.5 base
> to the one supplied in 5.7 base. The SSL is fully authenticating and
> with sudo access. However, I’m riddled by the following item below.
> I’m hoping that someone/somewhere encountered this issue and was able
> to resolve it using this legacy 5.5. See details provided below. All
> thoughts/suggestions are truly appreciated !!
>
>
> $ id -a
>
> uid=1403200001(pmoss) gid=7000(sysadmin) groups=7000(sysadmin)
>
>
>
> $ passwd
>
> Changing password for user pmoss.
>
> Enter login(LDAP) password:
>
> New UNIX password:
>
> Retype new UNIX password:
>
>
>
> LDAP password information update failed: Insufficient access
>
> Insufficient 'write' privilege to the 'userPassword' attribute of entry
> 'uid=pmoss,cn=users,cn=compat,dc=linuxcccis,dc=com'.
>
>
>
> passwd: Permission denied
>
>
> # ipa user-show pmoss --all --rights | grep -i userpass ->
> attributelevelrights: {u'userpassword': u'swo', …
>
>
> pmoss shows u'userpassword': u'swo'
>
> ‘swo’ translates to ‘search,write,delete’
>
>
> Why wouldn’t the above be enough rights to be able to change ‘pmoss’
> personal password? Thoughts ?
Because it is a different part of the tree.
Did you use ipa-advise to get the configuration? If so which profile?
It looks like that recommends using the compat tree. It's been forever
since I've manually configured a RHEL 5 system so I don't know if that
is correct or not.
I'm pretty sure that nss_ldap supports RFC2307bis but it's really just a
distant memory.
rob
> Jeffrey Stormshak, RHCSA | Sr. Linux Engineer
>
> Platform Systems | IT Operations Infrastructure
>
> CCC Information Services, Inc.
>
> Phone: (312) 229-2552
>
>
> From: Jakub Hrozek <jhrozek at redhat.com <mailto:jhrozek at redhat.com>>
> Date: Monday, November 23, 2015 at 1:58 AM
> To: Jeffrey Stormshak <jstormshak at cccis.com <mailto:jstormshak at cccis.com>>
> Cc: Rob Crittenden <rcritten at redhat.com <mailto:rcritten at redhat.com>>,
> "freeipa-users at redhat.com <mailto:freeipa-users at redhat.com>"
> <freeipa-users at redhat.com <mailto:freeipa-users at redhat.com>>
> Subject: Re: [Freeipa-users] Oracle Linux 5.5 - Legacy Question
>
> On Sat, Nov 21, 2015 at 02:21:52AM +0000, Jeffrey Stormshak wrote:
>
> Rob -
> Here’s the test configurations/data when I manipulate the
> BINDDN/BINDPW fields to get both AUTH and SUDO to work in Linux
> 5.5. I have three questions below that I would like to get your
> comments on or see what you may recommend on this. I’m seriously
> perplexed on this as to why it's working this way … Please
> advise. Thanks!
> **************************************************************
> AUTH successful on login; SUDO fails with the message listed
> below !!
> **************************************************************
> [mjsmith at chi-infra-idm-client2 ~]$ sudo -l
> sudo: ldap_sasl_bind_s(): Server is unwilling to perform
>
>
> Looks like the bind didn't finish successfully, can you look into
> debugging sudo itself? The debugging changed a bit between releases, but
> the sudo documentation would tell you.
>
> [sudo] password for mjsmith:
> Sorry, user mjsmith may not run sudo on chi-infra-idm-client2.
> *****************************************************
> *****************************************************
> # grep -iv '#' /etc/ldap.conf
> *****************************************************
> base dc=linuxcccis,dc=com
> uri ldap://chi-infra-idm-p1.linuxcccis.com/
> binddn uid=admin,cn=users,cn=compat,dc=linuxcccis,dc=com
> bindpw secret_pass
> timelimit 15
> bind_timelimit 5
> idle_timelimit 3600
> nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm
> pam_password md5
> sudoers_base ou=SUDOers,dc=linuxcccis,dc=com
> *************************************************
> User Account AUTH and SUDO works when
> commenting both the binddn and bindpw fields !!
> *************************************************
> vi /etc/ldap.conf … Comment these two fields …
> #binddn uid=admin,cn=users,cn=compat,dc=linuxcccis,dc=com
> #bindpw secret_pass
> ************************************************
> This file unchanged during the above testing !!
> ************************************************
> /etc/sudo-ldap.conf:
> binddn uid=sudo,cn=sysaccounts,cn=etc,dc=linuxcccis,dc=com
> bindpw secret_pass
> ssl start_tls
> tls_cacertfile /etc/ipa/ca.crt
> tls_checkpeer yes
> bind_timelimit 5
> timelimit 15
> uri ldap://chi-infra-idm-p1.linuxcccis.com
> sudoers_base ou=SUDOers,dc=linuxcccis,dc=com
> QUESTIONS:
> 1) What BINDDN account needs to be specified to allow the
> BINDDN/BINDPW to work for SUDO?
> 2) Why does the AUTH work when setting values in the BINDDN/BINDPW,
> but SUDO then fails?
> 3) If I leave BINDDN/BINDPW blank, what security risks are being
> introduced by leaving it that way?
>
>
> Anyone on the network can read sudo rules. I guess in theory, the
> attacker might target accounts who are allowed to run sudo rules as a
> gateway for getting elevated privileges on the machine..
>
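The two ldap.conf variants above, together with Jakub's point about anonymous reads of sudo rules and Rob's point that the compat tree is a different (read-only) part of the directory, can be checked mechanically. The following linter is an added example and is not code from the thread or from FreeIPA; the rule names, the `nss_base_passwd` handling and the `secret_pass` placeholder are my own assumptions.

```python
# Added example (not from the thread): a small linter for nss_ldap-style ldap.conf
# files that flags the pitfalls discussed above. Rule names are assumptions of this example.

def parse_ldap_conf(text):
    """Map each non-comment `key value` line to {key: value}, keys lower-cased."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf

def lint_ldap_conf(text):
    """Return finding codes, in a fixed order, for one config file."""
    conf = parse_ldap_conf(text)
    uri = conf.get("uri", "").lower()
    starttls = conf.get("ssl", "").lower() == "start_tls"
    encrypted = starttls or uri.startswith("ldaps://")
    findings = []
    # A bindpw sent over a plain ldap:// connection is readable on the wire.
    if "bindpw" in conf and not encrypted:
        findings.append("CLEARTEXT_BINDPW")
    # TLS without certificate verification lets any host impersonate the IPA server.
    if encrypted and conf.get("tls_checkpeer", "").lower() != "yes":
        findings.append("NO_PEER_VERIFY")
    # No binddn means an anonymous bind: sudo rules are readable by anyone on the network.
    if "binddn" not in conf and "sudoers_base" in conf:
        findings.append("ANON_SUDO_READ")
    # Entries under cn=compat are a read-only view, so pam_password changes there
    # fail with "Insufficient access" (nss_base_passwd is an assumed extra input).
    scope = (conf.get("binddn", "") + " " + conf.get("nss_base_passwd", "")).lower()
    if "pam_password" in conf and "cn=compat" in scope:
        findings.append("COMPAT_TREE_PASSWD")
    return findings

# Constructed sample: the /etc/ldap.conf from the thread (bindpw is a placeholder).
LDAP_CONF_WITH_BIND = """\
base dc=linuxcccis,dc=com
uri ldap://chi-infra-idm-p1.linuxcccis.com/
binddn uid=admin,cn=users,cn=compat,dc=linuxcccis,dc=com
bindpw secret_pass
pam_password md5
sudoers_base ou=SUDOers,dc=linuxcccis,dc=com
"""

if __name__ == "__main__":
    print(lint_ldap_conf(LDAP_CONF_WITH_BIND))
```

Run against the sudo-ldap.conf from the thread (start_tls plus tls_checkpeer yes) the linter returns no findings, which matches the one file that was left unchanged during the testing.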