# [SOLVED] sudo with ldap not finding entries

## wellwhoopdedooo

OK, this has driven me crazy forever, through multiple versions of sudo and openldap, and I'm at the end of my rope.

I have a sudo configured to pull entries from LDAP, and it's doing the search, from what I can tell the correct search, but I get nothing. But let's see the results:

/etc/ldap.conf.sudo:

```
  1 TLS_CACERT /etc/ssl/certs/lepertheory.pem
  2
  3 bind_policy soft
  4 nss_connect_policy oneshot
  5
  6 ssl start_tls
  7 ssl on
  8
  9 suffix "dc=lepertheory,dc=net"
 10 uri    ldaps://ldap.lepertheory.net/ ldaps://ldap-slave1.lepertheory.net/
 11
 12 ldap_version 3
 13 pam_filter           objectclass=posixAccount
 14 pam_login_attribute  uid
 15 pam_member_attribute memberuid
 16 pam_check_host_attr  yes
 17
 18 base         "dc=lepertheory,dc=net"
 19 sudoers_base "ou=sudoers,dc=lepertheory,dc=net"
 20
 21 sudoers_debug 2
 22
 23 nss_base_passwd ou=People,dc=lepertheory,dc=net
 24 nss_base_shadow ou=People,dc=lepertheory,dc=net
 25 nss_base_group  ou=Groups,dc=lepertheory,dc=net
 26 nss_base_hosts  ou=Hosts,dc=lepertheory,dc=net
 27
 28 scope one
```

sudo debug:

```
davec@albania ~ $ sudo ls
LDAP Config Summary
===================
uri          ldaps://ldap.lepertheory.net/ ldaps://ldap-slave1.lepertheory.net/
ldap_version 3
sudoers_base "ou=sudoers,dc=lepertheory,dc=net"
binddn       (anonymous)
bindpw       (anonymous)
ssl          on
===================
sudo: ldap_initialize(ld, ldaps://ldap.lepertheory.net/ ldaps://ldap-slave1.lepertheory.net/)
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_set_option(LDAP_OPT_X_TLS, LDAP_OPT_X_TLS_HARD)
sudo: ldap_simple_bind_s() ok
sudo: no default options found!
sudo: ldap search '(|(sudoUser=davec)(sudoUser=%users)(sudoUser=%wheel)(sudoUser=ALL))'
sudo: nothing found for '(|(sudoUser=davec)(sudoUser=%users)(sudoUser=%wheel)(sudoUser=ALL))'
sudo: ldap search 'sudoUser=+*'
sudo: nothing found for 'sudoUser=+*'
sudo: user_matches=0
sudo: host_matches=0
sudo: sudo_ldap_check(0)=0x44
Password:
davec is not in the sudoers file.  This incident will be reported.
```

ldap search with what I believe is exactly the same query as ldapsearch is executing:

```
davec@albania ~ $ ldapsearch -s one -x -b "ou=sudoers,dc=lepertheory,dc=net" '(|(sudoUser=davec)(sudoUser=%users)(sudoUser=%wheel)(sudoUser=ALL))'
# extended LDIF
#
# LDAPv3
# base <ou=sudoers,dc=lepertheory,dc=net> with scope oneLevel
# filter: (|(sudoUser=davec)(sudoUser=%users)(sudoUser=%wheel)(sudoUser=ALL))
# requesting: ALL
#

# Defaults:%users, sudoers, lepertheory.net
dn: cn=Defaults:%users,ou=sudoers,dc=lepertheory,dc=net
objectClass: top
objectClass: sudoRole
cn: Defaults:%users
sudoUser: %users
sudoHost: env_keep
sudoCommand: TZ

# %wheel, sudoers, lepertheory.net
dn: cn=%wheel,ou=sudoers,dc=lepertheory,dc=net
objectClass: top
objectClass: sudoRole
cn: %wheel
sudoUser: %wheel
sudoHost: ALL
sudoCommand: (ALL) ALL
sudoOption: !authenticate

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2
```

slapd debug from sudo:

```
>>> slap_listener(ldaps://)
connection_get(18): got connid=81
connection_read(18): checking for input on id=81
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(18): got connid=81
connection_read(18): checking for input on id=81
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
connection_read(18): unable to get TLS client DN, error=49 id=81
connection_get(18): got connid=81
connection_read(18): checking for input on id=81
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
do_bind
ber_get_next
ber_scanf fmt ({imt) ber:
ber_scanf fmt (m}) ber:
>>> dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <>
do_bind: version=3 dn="" method=128
send_ldap_result: conn=81 op=0 p=3
send_ldap_response: msgid=1 tag=97 err=0
ber_flush: 14 bytes to sd 18
do_bind: v3 anonymous bind
connection_get(18): got connid=81
connection_read(18): checking for input on id=81
ber_get_next
ber_get_next: tag 0x30 len 74 contents:
do_search
ber_scanf fmt ({miiiib) ber:
>>> dnPrettyNormal: <"ou=sudoers,dc=lepertheory,dc=net">
do_search: invalid dn ("ou=sudoers,dc=lepertheory,dc=net")
send_ldap_result: conn=81 op=1 p=3
send_ldap_response: msgid=2 tag=101 err=34
ber_get_next
ber_flush: 24 bytes to sd 18
connection_get(18): got connid=81
connection_read(18): checking for input on id=81
ber_get_next
ber_get_next: tag 0x30 len 137 contents:
do_search
ber_scanf fmt ({miiiib) ber:
>>> dnPrettyNormal: <"ou=sudoers,dc=lepertheory,dc=net">
do_search: invalid dn ("ou=sudoers,dc=lepertheory,dc=net")
send_ldap_result: conn=81 op=2 p=3
send_ldap_response: msgid=3 tag=101 err=34
ber_get_next
ber_flush: 24 bytes to sd 18
connection_get(18): got connid=81
connection_read(18): checking for input on id=81
ber_get_next
ber_get_next: tag 0x30 len 75 contents:
do_search
ber_scanf fmt ({miiiib) ber:
>>> dnPrettyNormal: <"ou=sudoers,dc=lepertheory,dc=net">
do_search: invalid dn ("ou=sudoers,dc=lepertheory,dc=net")
send_ldap_result: conn=81 op=3 p=3
send_ldap_response: msgid=4 tag=101 err=34
ber_get_next
ber_flush: 24 bytes to sd 18
connection_get(18): got connid=81
connection_read(18): checking for input on id=81
ber_get_next
ber_get_next: tag 0x30 len 5 contents:
do_unbind
ber_get_next
connection_closing: readying conn=81 sd=18 for close
connection_resched: attempting closing conn=81 sd=18
connection_close: conn=81 sd=18
TLS trace: SSL3 alert write:warning:close notify
>>> slap_listener(ldaps://)
connection_get(18): got connid=82
connection_read(18): checking for input on id=82
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(18): got connid=82
connection_read(18): checking for input on id=82
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
connection_read(18): unable to get TLS client DN, error=49 id=82
connection_get(18): got connid=82
connection_read(18): checking for input on id=82
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
do_bind
ber_get_next
ber_scanf fmt ({imt) ber:
ber_scanf fmt (m}) ber:
>>> dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <>
do_bind: version=3 dn="" method=128
send_ldap_result: conn=82 op=0 p=3
send_ldap_response: msgid=1 tag=97 err=0
ber_flush: 14 bytes to sd 18
do_bind: v3 anonymous bind
connection_get(18): got connid=82
connection_read(18): checking for input on id=82
ber_get_next
ber_get_next: tag 0x30 len 218 contents:
do_search
ber_scanf fmt ({miiiib) ber:
>>> dnPrettyNormal: <ou=People,dc=lepertheory,dc=net>
<<< dnPrettyNormal: <ou=People,dc=lepertheory,dc=net>, <ou=people,dc=lepertheory,dc=net>
ber_scanf fmt ({mm}) ber:
ber_scanf fmt ({mm}) ber:
ber_scanf fmt ({M}}) ber:
==> limits_get: conn=82 op=1 dn="[anonymous]"
=> bdb_search
bdb_dn2entry("ou=people,dc=lepertheory,dc=net")
search_candidates: base="ou=people,dc=lepertheory,dc=net" (0x00000002) scope=2
=> bdb_dn2idl("ou=people,dc=lepertheory,dc=net")
<= bdb_dn2idl: id=6 first=2 last=15
=> bdb_equality_candidates (objectClass)
=> key_read
<= bdb_index_read: failed (-30989)
<= bdb_equality_candidates: id=0, first=0, last=0
=> bdb_equality_candidates (objectClass)
=> key_read
<= bdb_index_read 6 candidates
<= bdb_equality_candidates: id=6, first=4, last=15
=> bdb_equality_candidates (uid)
=> key_read
<= bdb_index_read 1 candidates
<= bdb_equality_candidates: id=1, first=4, last=4
bdb_search_candidates: id=1 first=4 last=4
=> send_search_entry: conn 82 dn="uid=davec,ou=People,dc=lepertheory,dc=net"
ber_get_next
ber_flush: 68 bytes to sd 18
<= send_search_entry: conn 82 exit.
send_ldap_result: conn=82 op=1 p=3
send_ldap_response: msgid=2 tag=101 err=0
ber_flush: 14 bytes to sd 18
connection_get(18): got connid=82
connection_read(18): checking for input on id=82
ber_get_next
ber_get_next: tag 0x30 len 5 contents:
do_unbind
ber_get_next
connection_closing: readying conn=82 sd=18 for close
connection_resched: attempting closing conn=82 sd=18
connection_close: conn=82 sd=18
TLS trace: SSL3 alert write:warning:close notify
```

slapd debug from ldapsearch:

```
>>> slap_listener(ldap://)
connection_get(18): got connid=88
connection_read(18): checking for input on id=88
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
do_bind
ber_get_next
ber_scanf fmt ({imt) ber:
ber_scanf fmt (m}) ber:
>>> dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <>
do_bind: version=3 dn="" method=128
send_ldap_result: conn=88 op=0 p=3
send_ldap_response: msgid=1 tag=97 err=0
ber_flush: 14 bytes to sd 18
do_bind: v3 anonymous bind
connection_get(18): got connid=88
connection_read(18): checking for input on id=88
ber_get_next
ber_get_next: tag 0x30 len 135 contents:
do_search
ber_scanf fmt ({miiiib) ber:
>>> dnPrettyNormal: <ou=sudoers,dc=lepertheory,dc=net>
<<< dnPrettyNormal: <ou=sudoers,dc=lepertheory,dc=net>, <ou=sudoers,dc=lepertheory,dc=net>
ber_scanf fmt ({mm}) ber:
ber_scanf fmt ({mm}) ber:
ber_scanf fmt ({mm}) ber:
ber_scanf fmt ({mm}) ber:
ber_scanf fmt ({M}}) ber:
==> limits_get: conn=88 op=1 dn="[anonymous]"
=> bdb_search
bdb_dn2entry("ou=sudoers,dc=lepertheory,dc=net")
search_candidates: base="ou=sudoers,dc=lepertheory,dc=net" (0x00000009) scope=1
=> bdb_dn2idl("ou=sudoers,dc=lepertheory,dc=net")
<= bdb_dn2idl: id=4 first=10 last=13
=> bdb_equality_candidates (objectClass)
=> key_read
<= bdb_index_read: failed (-30989)
<= bdb_equality_candidates: id=0, first=0, last=0
=> bdb_equality_candidates (sudoUser)
<= bdb_equality_candidates: (sudoUser) not indexed
=> bdb_equality_candidates (sudoUser)
<= bdb_equality_candidates: (sudoUser) not indexed
=> bdb_equality_candidates (sudoUser)
<= bdb_equality_candidates: (sudoUser) not indexed
=> bdb_equality_candidates (sudoUser)
<= bdb_equality_candidates: (sudoUser) not indexed
bdb_search_candidates: id=-1 first=10 last=13
bdb_search: 10 does not match filter
=> send_search_entry: conn 88 dn="cn=Defaults:%users,ou=sudoers,dc=lepertheory,dc=net"
ber_get_next
ber_flush: 188 bytes to sd 18
<= send_search_entry: conn 88 exit.
bdb_search: 12 does not match filter
=> send_search_entry: conn 88 dn="cn=%wheel,ou=sudoers,dc=lepertheory,dc=net"
ber_flush: 204 bytes to sd 18
<= send_search_entry: conn 88 exit.
send_ldap_result: conn=88 op=1 p=3
send_ldap_response: msgid=2 tag=101 err=0
ber_flush: 14 bytes to sd 18
connection_get(18): got connid=88
connection_read(18): checking for input on id=88
ber_get_next
ber_get_next: tag 0x30 len 5 contents:
do_unbind
ber_get_next
ber_get_next on fd 18 failed errno=0 (Success)
connection_closing: readying conn=88 sd=18 for close
connection_close: deferring conn=88 sd=18
connection_resched: attempting closing conn=88 sd=18
connection_close: conn=88 sd=18
```

As you can see the two slapd outputs are pretty different, but I think the problem comes down to this:

sudo debug:

```
>>> dnPrettyNormal: <"ou=sudoers,dc=lepertheory,dc=net">
do_search: invalid dn ("ou=sudoers,dc=lepertheory,dc=net")
```

ldapsearch debug:

```
>>> dnPrettyNormal: <ou=sudoers,dc=lepertheory,dc=net>
<<< dnPrettyNormal: <ou=sudoers,dc=lepertheory,dc=net>, <ou=sudoers,dc=lepertheory,dc=net>
```

So... what's up with that? I was thinking maybe there was a typo that I wasn't seeing, but I've copied and pasted the base and query into ldapsearch, and that's exactly what it returns.

I'm completely baffled. Please help.

Last edited by wellwhoopdedooo on Sun Aug 10, 2008 7:08 pm; edited 1 time in total

----------

## Janne Pikkarainen

*wellwhoopdedooo wrote:*

> OK, this has driven me crazy forever, through multiple versions of sudo and openldap, and I'm at the end of my rope.
> 
> ```
> 
>  18 base         "dc=lepertheory,dc=net"
> ...


Remove the quotes from those lines, so they will be

```
base     dc=lepertheory,dc=net

sudoers_base ou=sudoers,dc=lepertheory,dc=net
```
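The slapd trace makes the cause visible: sudo sends the `sudoers_base` value verbatim, quotes included, so the server's DN normaliser rejects it (`do_search: invalid dn`, `err=34`, LDAP_INVALID_DN_SYNTAX) while nss_ldap happens to tolerate the quotes. The following check is an added example, not code from the thread or from sudo: it scans an ldap.conf-style file for DN-valued keys whose value is not a syntactically valid DN, rewrites the file with the quotes stripped as suggested above, and pulls the rejected base strings out of a slapd debug log so the two can be correlated. The sample config and log lines are constructed; `binddn` as a DN-valued key is my assumption, only `base` and `sudoers_base` come from the thread.

```python
import re

# Constructed sample in /etc/ldap.conf syntax (not the thread's real file);
# the quoted DN values reproduce the misconfiguration discussed above.
SAMPLE_CONF = """\
uri ldaps://ldap.example.test/
base         "dc=example,dc=test"
sudoers_base "ou=sudoers,dc=example,dc=test"   # quotes reach slapd verbatim
nss_base_passwd ou=People,dc=example,dc=test
"""

# Keys whose value sudo hands to the server as a raw DN string.
# base and sudoers_base come from the thread; binddn is an assumed addition.
DN_KEYS = {"base", "sudoers_base", "binddn"}

# One RDN: attr=value, optionally multi-valued with '+'. Simplified on
# purpose (no escaped commas, no OID attribute types); a leading '"' can
# never start an attribute type, which is exactly the defect we want to catch.
_RDN = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,=+]+(?:\+[A-Za-z][A-Za-z0-9-]*=[^,=+]+)*$")

def dn_is_well_formed(dn):
    """True if every comma-separated RDN of dn parses as attr=value."""
    return all(_RDN.match(rdn.strip()) for rdn in dn.split(","))

def _key_value(raw):
    """(key, value) for a config line with comments dropped, else None."""
    parts = raw.split("#", 1)[0].strip().split(None, 1)
    return (parts[0].lower(), parts[1].strip()) if len(parts) == 2 else None

def find_bad_dns(conf_text):
    """(line_no, key, value) for DN-valued keys whose value is not a valid DN."""
    findings = []
    for n, raw in enumerate(conf_text.splitlines(), 1):
        kv = _key_value(raw)
        if kv and kv[0] in DN_KEYS and not dn_is_well_formed(kv[1]):
            findings.append((n, kv[0], kv[1]))
    return findings

def unquote_dns(conf_text):
    """Return the config with surrounding quotes removed from DN-valued keys."""
    out = []
    for raw in conf_text.splitlines():
        kv = _key_value(raw)
        if kv and kv[0] in DN_KEYS and kv[1][:1] == kv[1][-1:] == '"':
            out.append("%s %s" % (kv[0], kv[1][1:-1]))
        else:
            out.append(raw)
    return "\n".join(out) + "\n"

# slapd debug line emitted when the search base fails DN normalisation (err=34).
_SLAPD_INVALID = re.compile(r"do_search: invalid dn \((.*)\)")

def invalid_bases_in_slapd_log(log_text):
    """Base strings slapd rejected, to match a config finding to server evidence."""
    return [m.group(1) for m in _SLAPD_INVALID.finditer(log_text)]
```

Run `find_bad_dns` on the live file and `invalid_bases_in_slapd_log` on `slapd -d` output; a quoted value in the first list showing up verbatim in the second confirms this thread's failure rather than a missing ACL or index.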

----------

## wellwhoopdedooo

Oh. My. God.

If you had any idea how long I've fought with this...

Thank you thank you thank you.

Strange thing is, the quotes work with no complaint with nss_ldap. Anyway, thanks!

----------

## Janne Pikkarainen

*wellwhoopdedooo wrote:*

> Oh. My. God.
> 
> If you had any idea how long I've fought with this...
> 
> Thank you thank you thank you.
> ...

No problem! Please add SOLVED to the topic of this message. ;)

----------

