SSSD not using 389-ds to auth for SUDO

Hello All,

The ldapsearch output is as follows:

# LDAPAdministrator1, Groups, cee, nsn
dn: cn=LDAPAdministrator1,ou=Groups,ou=cee,o=nsn
member: uid=bindu1,ou=People,ou=cee,o=nsn
member: uid=bindu2,ou=People,ou=cee,o=nsn
objectClass: top
objectClass: groupofnames
objectClass: posixGroup
objectClass: nsMemberOf
cn: LDAPAdministrator1
gidNumber: 1520
 
# %LDAPAdministrator1, Groups, cee, nsn
dn: cn=%LDAPAdministrator1,ou=Groups,ou=cee,o=nsn
cn: %LDAPAdministrator1
objectClass: top
objectClass: sudoRole
sudoHost: ALL
sudoCommand: ALL
sudoOption: !authenticate
sudoRunAsUser: ALL
sudoUser: %LDAPAdministrator1

/etc/sssd/sssd.conf


[nss]
enum_cache_timeout = 30
filter_users = root
filter_groups = root
reconnection_retries = 3
memcache_timeout = 3600
 
[pam]
offline_credentials_expiration = 3
offline_failed_login_attempts = 5
 
[sudo]
debug_level = 9
 
[ssh]
 
[domain/cee]
debug_level = 9
full_name_format = %1$s
min_id = 1500
max_id = 41999
enumerate = true
cache_credentials = true
account_cache_expiration = 5
id_provider = ldap
auth_provider = ldap
access_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://lcm-int-vip
ldap_tls_reqcert = demand
ldap_tls_cacert = /var/lib/pki/endpoints/sssd/cacert/infrastructure-chain.pem
ldap_id_use_start_tls = true
ldap_enumeration_refresh_timeout = 10
ldap_purge_cache_timeout = 60
entry_cache_timeout = 600
ldap_network_timeout = 2
ldap_user_search_base = ou=People,ou=cee,o=nsn
ldap_schema = rfc2307bis
ldap_default_bind_dn = uid=sssdadmin_infra,ou=ServiceUsers,ou=cee,o=nsn
ldap_default_authtok_type = password
ldap_default_authtok = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
ldap_user_object_class = posixAccount
ldap_user_name = uid
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_user_gecos = description
ldap_user_home_directory = homeDirectory
ldap_user_shell = loginShell
ldap_ns_account_lock = nsAccountLock
ldap_user_ssh_public_key = sshPublicKey
ldap_group_object_class = posixGroup
ldap_group_name = cn
ldap_group_gid_number = gidNumber
ldap_group_member = member
ldap_pwd_policy = none
ldap_account_expire_policy = 389ds
ldap_access_order = filter, expire
ldap_access_filter = (|(memberOf=cn=group1,ou=groups,ou=cee,o=nsn)(memberOf=cn=LDAPAdministrator1,ou=Groups,ou=cee,o=nsn))
sudo_provider = ldap
ldap_sudo_search_base = cn=%LDAPAdministrator1,ou=Groups,ou=cee,o=nsn

When I try to run the sudo su command it prompts for a password, and in the logs I can see:

(2024-01-19 15:32:59): [sudo] [cache_req_done] (0x0400): CR #13: Finished: Success
(2024-01-19 15:32:59): [sudo] [sysdb_get_sudo_user_info] (0x0400): Original name: bindu2@cee
(2024-01-19 15:32:59): [sudo] [sysdb_get_sudo_user_info] (0x0400): Cased name: bindu2@cee
(2024-01-19 15:32:59): [sudo] [sudosrv_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(dataExpireTimestamp<=1705674779)(|(name=defaults)(sudoUser=ALL)(sudoUser=bindu2@cee)(sudoUser=#1602)(sudoUser=%LDAPAdministrator1@cee)(sudoUser=%LDAP\20Users@cee)(sudoUser=+)))]
(2024-01-19 15:32:59): [sudo] [sudosrv_refresh_rules_send] (0x0400): No expired rules were found for [bindu2@cee@cee].
(2024-01-19 15:32:59): [sudo] [sudosrv_fetch_rules] (0x0400): Retrieving rules for [bindu2@cee@cee]
(2024-01-19 15:32:59): [sudo] [sudosrv_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=bindu2@cee)(sudoUser=#1602)(sudoUser=%LDAPAdministrator1@cee)(sudoUser=%LDAP\20Users@cee)))]
(2024-01-19 15:32:59): [sudo] [sudosrv_cached_rules_by_user] (0x0400): Replacing sudoUser attribute with sudoUser: #1602
(2024-01-19 15:32:59): [sudo] [sudosrv_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(sudoUser=+
)(!(|(sudoUser=ALL)(sudoUser=bindu2@cee)(sudoUser=#1602)(sudoUser=%LDAPAdministrator1@cee)(sudoUser=%LDAP\20Users@cee))))]
(2024-01-19 15:32:59): [sudo] [sudosrv_fetch_rules] (0x0400): Returning 0 rules for [bindu2@cee@cee]
(2024-01-19 15:32:59): [sudo] [sudosrv_build_response] (0x2000): error: [0]
(2024-01-19 15:32:59): [sudo] [sudosrv_build_response] (0x2000): rules_num: [0]

Any help is highly appreciated.

Why do you use full_name_format = %1$s?

You forced SSSD to use fully qualified names in LDAP searches, so as a result it looks up both users and groups with @cee suffix.

SSSD has its own mailing list for users: sssd-users - Fedora Mailing-Lists

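To make the reply's point concrete, here is an added example (my own diagnostic script, not SSSD's code and not how SSSD matches rules internally): it takes the sudoRole entry from the ldapsearch output and the sudoUser candidates from the sysdb filter SSSD logged, and compares them. The only group-based candidate is the fully qualified %LDAPAdministrator1@cee, which does not equal the rule's %LDAPAdministrator1; stripping the @cee suffix (the assumed domain name from [domain/cee]) is the one change that makes them meet. Both inputs are copied from the post above.

```python
"""Added example (not SSSD's own code): compare the sudoUser candidates SSSD
searched its cache for (taken from the log line in the post) against the
sudoUser values of the sudoRole entry from the ldapsearch output, and show
that the fully qualified group name does not match the unqualified one."""
import re

# Constructed from the post: the sudoRole entry, in LDIF form.
SUDO_ROLE_LDIF = """\
dn: cn=%LDAPAdministrator1,ou=Groups,ou=cee,o=nsn
cn: %LDAPAdministrator1
objectClass: top
objectClass: sudoRole
sudoHost: ALL
sudoCommand: ALL
sudoOption: !authenticate
sudoRunAsUser: ALL
sudoUser: %LDAPAdministrator1
"""

# Constructed from the post: the sysdb filter SSSD logged while fetching rules.
LOGGED_FILTER = (
    "(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=bindu2@cee)"
    "(sudoUser=#1602)(sudoUser=%LDAPAdministrator1@cee)"
    "(sudoUser=%LDAP\\20Users@cee)))"
)


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attr: [values]}. LDAP attribute names are
    case-insensitive, so keys are lower-cased; continuation lines (leading
    space) are folded onto the previous value. Base64 ('::') values are not
    handled, since the entry above has none."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    attrs = {}
    for line in lines:
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def unescape_filter_value(value):
    """Undo RFC 4515 \\XX hex escapes in a filter value, e.g. '\\20' -> ' '."""
    return re.sub(r"\\([0-9A-Fa-f]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)


def sudo_user_candidates(ldap_filter):
    """Extract every (sudoUser=...) value from an LDAP filter string."""
    return [unescape_filter_value(v)
            for v in re.findall(r"\(sudoUser=([^)]*)\)", ldap_filter)]


def strip_domain(name, domain):
    """Turn 'user@domain' or '%group@domain' back into its short form."""
    suffix = "@" + domain
    return name[:-len(suffix)] if name.endswith(suffix) else name


def matching_sudo_users(rule_ldif, ldap_filter, domain=None):
    """Return the rule's sudoUser values that the candidate list would hit.
    With domain=None the comparison is exact (what the log shows); with a
    domain name (assumed here: 'cee') the candidates are first reduced to
    short names, which is the comparison the reply says was lost."""
    rule = parse_ldif_entry(rule_ldif)
    rule_users = set(rule.get("sudouser", []))
    candidates = sudo_user_candidates(ldap_filter)
    if domain is not None:
        candidates = [strip_domain(c, domain) for c in candidates]
    return sorted(rule_users.intersection(candidates))


if __name__ == "__main__":
    print("candidates searched:", sudo_user_candidates(LOGGED_FILTER))
    print("exact matches:", matching_sudo_users(SUDO_ROLE_LDIF, LOGGED_FILTER))
    print("short-name matches:",
          matching_sudo_users(SUDO_ROLE_LDIF, LOGGED_FILTER, "cee"))
```

Run it and the exact comparison returns no matching sudoUser, which is consistent with "Returning 0 rules" in the log, while the short-name comparison returns %LDAPAdministrator1. The same check is a quick way to confirm, from a debug_level = 9 sudo log and an ldapsearch dump, whether a rule is failing on name format rather than on host, command or search base.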