SSSD not using 389-ds to auth for SUDO

I have the following in my /etc/sssd/sssd.conf

[sssd]
# The sudo responder is enabled here, so sudo rules come from the sudo_provider
# configured under [domain/default]; /etc/nsswitch.conf must also list "sss" for
# the sudoers database or sudo never asks SSSD at all.
services = nss, pam, sudo, ssh
config_file_version = 2
domains = default

[nss]
homedir_substring = /home

[sudo]
# Governs only sssd_sudo.log, i.e. the responder's lookups against SSSD's own
# cache (sysdb). The LDAP search for rules is issued by the domain backend and
# logged in sssd_default.log, whose verbosity is the debug_level under
# [domain/default], not this one.
debug_level = 7

[pam]
# Number of days a cached password hash stays usable for offline logins when the
# directory is unreachable (cache_credentials = True below). With 60 days, an
# account disabled in LDAP may still be able to log in locally for up to two
# months while the host cannot reach the server; shorten if that window is too long.
offline_credentials_expiration = 60

[domain/default]
# If you have large groups (IE 50+ members), you should set this to True
ignore_group_members = False
# This is the setting that controls sssd_default.log. Raise it temporarily (the
# thread used 9) to see the exact LDAP searches the backend sends, including the
# sudo rule search, which is what exposed the missing ACI here.
debug_level=3
# Stores password hashes locally for offline authentication; see
# offline_credentials_expiration in [pam] for how long they remain valid.
cache_credentials = True
id_provider = ldap
auth_provider = ldap
access_provider = ldap
chpass_provider = ldap
ldap_schema = rfc2307bis
ldap_search_base = dc=andrewcz,dc=com
# We strongly recommend ldaps here.
# We may be able to do this soon with ldapi:
# ldap_uri = ldapi://%%2fvar%%2frun%%2fslapd-localhost.socket
# but it is hung up currently on https://github.com/SSSD/sssd/pull/6484
ldap_uri = ldaps://backburner.hub.andrewcz.com
# Require a server certificate that chains to the private CA below. Do not relax
# this to "allow"/"never": credentials travel over this connection, so a
# non-validated certificate permits a man-in-the-middle on the auth path.
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/openldap/certs/HUB_net_CA.crt
# NOTE(review): no ldap_default_bind_dn is set, so SSSD performs its lookups
# over an anonymous bind. Every entry it needs (users, groups, sudo rules) must
# therefore be readable by anonymous in the directory's ACIs -- which is exactly
# what was missing on ou=sudoers in this thread. A dedicated bind DN
# (ldap_default_bind_dn / ldap_default_authtok) granted read on the sudoers
# subtree is the tighter option, since it avoids exposing sudo rules to any
# unauthenticated client.
# Login access is limited to members of cn=backburner. This is host access
# control and is independent of sudo.
ldap_access_filter = (|(memberof=cn=backburner,ou=groups,dc=andrewcz,dc=com))
enumerate = false
ldap_user_member_of = memberof
ldap_user_gecos = cn
ldap_user_uuid = nsUniqueId
ldap_group_uuid = nsUniqueId
# This is really important as it allows SSSD to respect nsAccountLock
ldap_account_expire_policy = rhds
# Both checks must pass, in this order: the group filter above, then the
# nsAccountLock (rhds) check.
ldap_access_order = filter, expire
ldap_search_timeout = 50
ldap_network_timeout = 60

# Setup for ssh keys
# Inside /etc/ssh/sshd_config add the lines:
#   AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
#   AuthorizedKeysCommandUser nobody
# You can test with the command: sss_ssh_authorizedkeys <username>
# The objectClass: nsAccount holds this attribute.
ldap_user_ssh_public_key = nsSshPublicKey

# Setup for sudo
sudo_provider = ldap
# The bind identity SSSD uses (anonymous here) must be able to read this
# subtree; otherwise the backend's search returns no rules, the responder logs
# "Returning 0 rules", and sudo falls back to /etc/sudoers only.
ldap_sudo_search_base = ou=sudoers,dc=andrewcz,dc=com
# Object class of the rule entries in LDAP. The "objectClass=sudoRule" seen in
# sssd_sudo.log is SSSD's internal cache (sysdb) class, not this setting.
ldap_sudorule_object_class = sudoRole

I have the following in /etc/nsswitch.conf

# Generated by authselect on Sat Apr  8 00:01:40 2023
# Do not modify this file manually, use authselect instead. Any user changes will be overwritten.
# You can stop authselect from managing your configuration by calling 'authselect opt-out'.
# See authselect(8) for more details.

# In order of likelihood of use to accelerate lookup.
passwd:     files sss systemd
# Only local shadow entries are consulted. LDAP users authenticate through PAM
# (SSSD's pam service with auth_provider = ldap), not through a shadow lookup.
shadow:     files
group:      files sss systemd
hosts:      files myhostname resolve [!UNAVAIL=return] dns
services:   files sss
netgroup:   files sss
automount:  files sss

aliases:    files
ethers:     files
gshadow:    files
networks:   files dns
protocols:  files
publickey:  files
rpc:        files
# Local /etc/sudoers (and sudoers.d) is consulted first, then SSSD's cached LDAP
# rules. An empty result from SSSD does not disturb local rules, which is why a
# broken LDAP sudo setup can go unnoticed for accounts that also have local rules.
sudoers:        files sss

And the following in LDAP (note that this search binds as `cn=Directory Manager`, which 389-ds does not subject to ACIs, so it proves the entries exist but not that SSSD's own bind identity can read them):

[root@backburner ~]# ldapsearch -H ldaps://localhost:636 -D "cn=Directory Manager" -W -b ou=sudoers,dc=andrewcz,dc=com
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <ou=sudoers,dc=andrewcz,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# sudoers, andrewcz.com
dn: ou=sudoers,dc=andrewcz,dc=com
objectClass: top
objectClass: organizationalUnit
ou: sudoers

# %sysadmins, sudoers, andrewcz.com
# Group-based rule. "%sysadmins" is matched against the invoking user's groups as
# resolved through NSS (group: files sss), which is why the sssd_sudo.log search
# includes sudoUser=%sysadmins@default for this user.
dn: cn=%sysadmins,ou=sudoers,dc=andrewcz,dc=com
objectClass: top
objectClass: sudorole
cn: %sysadmins
sudoHost: ALL
sudoCommand: ALL
description: Allow sysadmins to run all commands as any
sudoRunAsUser: ALL
sudoUser: %sysadmins

# defaults, sudoers, andrewcz.com
# LDAP equivalent of a "Defaults" line in /etc/sudoers. env_reset, secure_path
# and !visiblepw are the usual hardening options. NOTE(review): env_keep of
# SSH_AUTH_SOCK hands the invoking user's ssh-agent socket to whatever runs under
# sudo, including as root -- confirm that is intended.
dn: cn=defaults,ou=sudoers,dc=andrewcz,dc=com
objectClass: top
objectClass: sudorole
cn: defaults
sudoOption: !visiblepw
sudoOption: always_set_home
sudoOption: match_group_by_gid
sudoOption: always_query_group_plugin
sudoOption: env_reset
sudoOption: env_keep =  "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"
sudoOption: env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
sudoOption: env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAG
 ES"
sudoOption: env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
sudoOption: env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORI
 TY"
sudoOption: env_keep+=SSH_AUTH_SOCK
sudoOption: secure_path = /sbin:/bin:/usr/sbin:/usr/bin

# andrewcz, sudoers, andrewcz.com
# Per-user rule granting andrewcz full sudo regardless of group membership. The
# responder still logged "Returning 0 rules" for this user, so even this direct
# match never reached the cache -- consistent with the rules not being readable
# by SSSD's bind identity rather than a matching problem.
dn: cn=andrewcz,ou=sudoers,dc=andrewcz,dc=com
objectClass: top
objectClass: sudorole
cn: andrewcz
sudoCommand: ALL
sudoHost: ALL
sudoRunAsUser: ALL
sudoUser: andrewcz

# search result
search: 2
result: 0 Success

# numResponses: 5
# numEntries: 4

And here is the query which I see sssd performing:

[root@backburner ~]# tail /var/log/sssd/sssd_sudo.log
(2023-04-08 20:15:40): [sudo] [sysdb_get_sudo_user_info] (0x0400): [CID#1] Original name: andrewcz@default
(2023-04-08 20:15:40): [sudo] [sysdb_get_sudo_user_info] (0x0400): [CID#1] Cased name: andrewcz@default
(2023-04-08 20:15:40): [sudo] [sudosrv_query_cache] (0x0200): [CID#1] Searching sysdb with [(&(objectClass=sudoRule)(dataExpireTimestamp<=1680999340)(|(name=defaults)(sudoUser=ALL)(sudoUser=andrewcz@default)(sudoUser=#1024)(sudoUser=%sysadmins@default)(sudoUser=%vod_mgmt@default)(sudoUser=%media@default)(sudoUser=%andrewcz@default)(sudoUser=%andrewcz@default)(sudoUser=+*)))]
(2023-04-08 20:15:40): [sudo] [sudosrv_refresh_rules_send] (0x0400): [CID#1] No expired rules were found for [andrewcz@default@default].
(2023-04-08 20:15:40): [sudo] [sudosrv_fetch_rules] (0x0400): [CID#1] Retrieving rules for [andrewcz@default@default]
(2023-04-08 20:15:40): [sudo] [sudosrv_query_cache] (0x0200): [CID#1] Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=andrewcz@default)(sudoUser=#1024)(sudoUser=%sysadmins@default)(sudoUser=%vod_mgmt@default)(sudoUser=%media@default)(sudoUser=%andrewcz@default)(sudoUser=%andrewcz@default)))]
(2023-04-08 20:15:40): [sudo] [sudosrv_cached_rules_by_user] (0x0400): [CID#1] Replacing sudoUser attribute with sudoUser: #1024
(2023-04-08 20:15:40): [sudo] [sudosrv_query_cache] (0x0200): [CID#1] Searching sysdb with [(&(objectClass=sudoRule)(sudoUser=+*)(!(|(sudoUser=ALL)(sudoUser=andrewcz@default)(sudoUser=#1024)(sudoUser=%sysadmins@default)(sudoUser=%vod_mgmt@default)(sudoUser=%media@default)(sudoUser=%andrewcz@default)(sudoUser=%andrewcz@default))))]
(2023-04-08 20:15:40): [sudo] [sudosrv_fetch_rules] (0x0400): [CID#1] Returning 0 rules for [andrewcz@default@default]
(2023-04-08 20:15:40): [sudo] [client_recv] (0x0200): [CID#1] Client disconnected!

So two questions on the LDAP query:

  1. Why is it still using “sudoRule” instead of “sudoRole”? (sudoRole is default on 389-ds, I would expect that to be standardized throughout the distro)
  2. Why is it querying “andrewcz@default”

I think the answer to the two questions above will help me determine where to start troubleshooting. I have not so far found an explanation for either, and one would be most welcome. (For anyone reading later: the `Searching sysdb with [...]` lines above are the sudo responder querying SSSD's own cache, not the LDAP server, so `objectClass=sudoRule` and the `andrewcz@default` form are SSSD's internal cache schema and fully-qualified internal names, not what is sent to 389-ds. The real LDAP search against `ou=sudoers` is issued by the domain backend and logged in sssd_default.log.)

So it turns out the OU I was trying to read had no 389-ds ACIs at all, so neither an anonymous bind (which is what SSSD uses here, since sssd.conf sets no `ldap_default_bind_dn`) nor any other identity short of Directory Manager could read the entries in that OU.

What tipped me off was taking the LDAP search that SSSD logged in /var/log/sssd/sssd_default.log after enabling debug_level = 9 (probably overkill) and re-running it by hand as the same anonymous identity SSSD uses. Note that sssd_default.log's verbosity is governed by the `debug_level` in `[domain/default]`; the `[sudo]` section's `debug_level` only affects sssd_sudo.log, which shows the cache lookups rather than the LDAP search.

I was able to get this working with the following ACI:

(targetattr="cn || objectClass || sudoCommand || sudoHost || sudoNotAfter || sudoNotBefore || sudoOption || sudoOrder || sudoRunAs || sudoRunAsGroup || sudoRunAsUser || sudoUser || description")(targetfilter="(objectClass=sudoRole)")(version 3.0; acl "Enable anyone sudoers rule read"; allow(read,search,compare) (userdn="ldap:///anyone");)

YMMV, but this is working for me. One caveat on the ACI above: `userdn="ldap:///anyone"` makes every sudo rule (which users and groups may run what, as whom, on which hosts) readable by any unauthenticated client that can reach the directory over ldaps, which is useful reconnaissance for an attacker. If that matters in your environment, give SSSD a dedicated bind identity (`ldap_default_bind_dn` / `ldap_default_authtok` in sssd.conf) and grant the ACI to that DN, or at least restrict it to authenticated users with `userdn="ldap:///all"`, rather than `anyone`. :slight_smile:
