ldapsearch with -H requires sudo

Bug #1993734 reported by Andy
Affects: StarlingX
Status: Fix Released
Importance: Low
Assigned to: Andy
Milestone: (none)

Bug Description

Brief Description
-----------------
On a Debian-based STX system, running ldapsearch with -H as a non-root user requires sudo to succeed.

Severity
--------
Minor: System/Feature is usable with minor issue

Steps to Reproduce
------------------
1) On a Debian-based STX system, ldapsearch with the -H option doesn't work without sudo:

[sysadmin@controller-0 ~(keystone_admin)]$ ldapsearch -x -b "ou=People,dc=cgcs,dc=local" -H ldaps://controller
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
[sysadmin@controller-0 ~(keystone_admin)]$

whereas the command works without requiring sudo on a CentOS-based system.

Expected Behavior
------------------
ldapsearch works without sudo option

Actual Behavior
----------------
ldapsearch without sudo fails

Reproducibility
---------------
100% reproducible

System Configuration
--------------------
Any

Branch/Pull Time/Commit
-----------------------
STX master latest

Last Pass
---------
STX 5.0

Timestamp/Logs
--------------
Refer to "Steps to Reproduce"

Test Activity
-------------
Developer Testing

Workaround
----------
Copy /etc/ldap/ldap.conf to /home/sysadmin/.ldaprc

Andy (andy.wrs)
Changed in starlingx:
assignee: nobody → Andy (andy.wrs)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to stx-puppet (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/stx-puppet/+/862186

Changed in starlingx:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to stx-puppet (master)

Reviewed: https://review.opendev.org/c/starlingx/stx-puppet/+/862186
Committed: https://opendev.org/starlingx/stx-puppet/commit/f23c001f529113749c9258c585d99cea373c517d
Submitter: "Zuul (22348)"
Branch: master

commit f23c001f529113749c9258c585d99cea373c517d
Author: Andy Ning <email address hidden>
Date: Thu Oct 20 14:38:36 2022 -0400

    Fix ldapsearch require sudo

    Currently ldapsearch with non-root user will query openldap on
    the insecure port (389), ldapsearch with "-H ldaps://<domain>"
    will fail. This is because when non-root user runs ldapsearch,
    it will look for a user specific configuration file (rather
    than the system wide one at /etc/ldap/ldap.conf), and if there
    is no one, it will use internal default.

    This change added a ldap configuration file for sysadmin.

    Test Plan:
    PASS: system deployment
    PASS: On AIO-SX system, query openldap users as sysadmin by
          ldapsearch -xH ldaps://controller -b "ou=People,
          dc=cgcs,dc=local"
          Verify the query complete successfully.
    PASS: On AIO-SX system, query openldap users as sysadmin by
          ldapsearch -x -b "ou=People,dc=cgcs,dc=local -d 1"
          Verify the query is on secure port (636) and complete
          successfully.
    PASS: On DC subcloud, query openldap users as sysadmin by
          ldapsearch -xH ldaps://<system controller mgmt IP>
          -b "ou=People,dc=cgcs,dc=local"
          Verify the query complete successfully.
    PASS: On DC subcloud, query openldap users as sysadmin by
          ldapsearch -x -b "ou=People,dc=cgcs,dc=local -d 1"
          Verify the query is on secure port (636) and complete
          successfully.

    Closes-Bug: 1993734
    Signed-off-by: Andy Ning <email address hidden>
    Change-Id: I25e49235cfc743fc2938f973cf0cc4b3859a4d49
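The following is an added example, not part of the bug report or of the stx-puppet change above. It models the client-side configuration lookup the commit message describes so that an operator can check, for a given home directory, which URI ldapsearch would end up using and whether the "Workaround" step (copying /etc/ldap/ldap.conf to ~/.ldaprc) actually yields an ldaps:// connection. It assumes libldap's file order (system-wide file first, then ~/ldaprc and ~/.ldaprc, later files overriding earlier ones, an unreadable file silently skipped) and the built-in default URI ldap://localhost on port 389; the functions `ldap_setting`, `effective_uri` and `uri_class` and the files under the temporary `demo` directory are constructed for this example.

```shell
#!/bin/sh
# Added example: determine which OpenLDAP client URI a user would get, and
# flag the case where only the insecure built-in default applies.
#
# Assumptions (labelled, not taken from the bug page): the system-wide file is
# read first, then ~/ldaprc and ~/.ldaprc, later files overriding earlier ones;
# a file the invoking user cannot read contributes nothing; with no URI set
# anywhere the built-in default is ldap://localhost, i.e. plaintext on 389.

# Print the last value of KEY found across the readable files given, in order.
# Only the first token after the keyword is taken (one URI per line).
ldap_setting() {
    key="$1"; shift
    val=""
    for f in "$@"; do
        [ -r "$f" ] || continue      # missing or unreadable: silently skipped
        v=$(grep -i "^[[:space:]]*$key[[:space:]]" "$f" 2>/dev/null \
            | tail -n 1 | awk '{print $2}')
        [ -n "$v" ] && val="$v"
    done
    printf '%s\n' "$val"
}

# Effective URI for a home directory; the system-wide file is optional so the
# non-root case from the bug (system file not consulted) can be modelled.
effective_uri() {
    home="$1"; sysconf="$2"
    uri=$(ldap_setting URI "$sysconf" "$home/ldaprc" "$home/.ldaprc")
    [ -n "$uri" ] || uri="ldap://localhost"   # built-in default: port 389, no TLS
    printf '%s\n' "$uri"
}

# "secure" only when the scheme is ldaps://; anything else goes over plaintext
# unless STARTTLS is separately configured, which this check does not model.
uri_class() {
    case "$1" in
        ldaps://*) echo secure ;;
        *)         echo insecure ;;
    esac
}

# --- constructed demonstration files (stand-ins, not a real system) ---
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
sysconf="$demo/ldap.conf"                    # stand-in for /etc/ldap/ldap.conf
printf '%s\n' "# constructed stand-in for /etc/ldap/ldap.conf" \
    "BASE dc=cgcs,dc=local" \
    "URI ldaps://controller" \
    "TLS_CACERT /etc/ssl/certs/ca-certificates.crt" > "$sysconf"
home_before="$demo/home_before"; mkdir -p "$home_before"   # no ~/.ldaprc
home_after="$demo/home_after";   mkdir -p "$home_after"
cp "$sysconf" "$home_after/.ldaprc"          # the workaround from the report

u=$(effective_uri "$home_before")
printf 'no ~/.ldaprc, system file not consulted: %s (%s)\n' "$u" "$(uri_class "$u")"
u=$(effective_uri "$home_after")
printf 'with ~/.ldaprc copied from ldap.conf:     %s (%s)\n' "$u" "$(uri_class "$u")"
u=$(effective_uri "$home_before" "$sysconf")
printf 'no ~/.ldaprc, system file readable:       %s (%s)\n' "$u" "$(uri_class "$u")"
```

On a real host, replace the constructed paths with the user's home directory and /etc/ldap/ldap.conf, and confirm the result the same way the test plan above does: `ldapsearch -x -d 1 ...` prints the host and port it connects to, so the target should show port 636 once an ldaps:// URI is in effect.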

Changed in starlingx:
status: In Progress → Fix Released
Ghada Khalil (gkhalil)
Changed in starlingx:
importance: Undecided → Low
tags: added: stx.8.0 stx.security