Hi, thanks for your tips and support. I followed your tips and also found a Red Hat document -> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/htm...
In short:
- followed the instructions
- enabled logging (sudoers_debug 2) -> got the following result: the sudo rule for the host group does not match because the LDAP search looks for hosts instead of host groups :-(
ipa-lx-test-debian9% sudo -l
sudo: LDAP Config Summary
sudo: ===================
sudo: uri ldaps://ipa-lx-test-01.example.world.com
sudo: uri ldap://ipa-prod-01.example.world.com
sudo: ldap_version 3
sudo: sudoers_base ou=SUDOers,dc=example,dc=world,dc=com
sudo: search_filter (objectClass=sudoRole)
sudo: netgroup_base (NONE: will use nsswitch)
sudo: netgroup_search_filter (objectClass=nisNetgroup)
sudo: binddn uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=world,dc=com
sudo: bindpw MySecurePassword
sudo: bind_timelimit 5
sudo: timelimit 15
sudo: ssl (no)
sudo: tls_checkpeer (yes)
sudo: tls_cacertfile /etc/ipa/ca.crt
sudo: ===================
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: tls_checkpeer -> 1
sudo: ldap_set_option: tls_cacertfile -> /etc/ipa/ca.crt
sudo: ldap_set_option: tls_cacert -> /etc/ipa/ca.crt
sudo: ldap_initialize(ld, ldaps://ipa-lx-test-01.example.world.com ldap://ipa-prod-01.example.world.com)
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_set_option: timelimit -> 15
sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 5)
sudo: ldap_sasl_bind_s() ok
sudo: Looking for cn=defaults: (&(objectClass=sudoRole)(cn=defaults))
sudo: no default options found in ou=SUDOers,dc=example,dc=world,dc=com
sudo: ldap search '(&(objectClass=sudoRole)(|(sudoUser=webtrekk)(sudoUser=%webtrekk)(sudoUser=%#299801104)(sudoUser=%domänen-benutzer)(sudoUser=%mitarbeiter)(sudoUser=%wt-it-warp)(sudoUser=%wt-it)(sudoUser=%ad_users)(sudoUser=%wt-it-warp)(sudoUser=%#299800513)(sudoUser=%#299801109)(sudoUser=%#299801114)(sudoUser=%#299801116)(sudoUser=%#556800008)(sudoUser=%#556800012)(sudoUser=ALL)))'
sudo: searching from base 'ou=SUDOers,dc=example,dc=world,dc=com'
sudo: adding search result
sudo: ldap sudoHost '+centos_group' ... not
sudo: ldap sudoHost '+debian_group' ... not
sudo: ldap sudoHost '+ubuntu_group' ... not
sudo: result now has 0 entries
sudo: ldap search '(&(objectClass=sudoRole)(sudoUser=)(sudoUser=+))'
sudo: searching from base 'ou=SUDOers,dc=example,dc=world,dc=com'
sudo: adding search result
sudo: result now has 0 entries
sudo: perform search for pwflag 54
sudo: done with LDAP searches
sudo: user_matches=true
sudo: host_matches=false
sudo: sudo_ldap_lookup(54)=0x84
[sudo] Password for user:
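As an added example (not part of the post above), a small Python helper that parses sudoers_debug 2 output of the kind quoted and summarises why the host match failed; the sample lines are a constructed excerpt of that output, and the hint about nsswitch rests on sudo resolving '+netgroup' sudoHost values through the system netgroup database when netgroup_base is unset.

```python
import re

# Constructed sample: a trimmed excerpt in the shape of `sudo -l` output with
# sudoers_debug 2, modelled on the output quoted in the post above.
SAMPLE_DEBUG = """\
sudo: netgroup_base (NONE: will use nsswitch)
sudo: ldap sudoHost '+centos_group' ... not
sudo: ldap sudoHost '+debian_group' ... not
sudo: ldap sudoHost '+ubuntu_group' ... not
sudo: result now has 0 entries
sudo: user_matches=true
sudo: host_matches=false
"""

# sudo's LDAP backend prints one of these per sudoHost value it evaluates.
HOST_RE = re.compile(r"^sudo: ldap sudoHost '([^']*)' \.\.\. (MATCH!|not)$")
FLAG_RE = re.compile(r"^sudo: (user_matches|host_matches)=(true|false)$")

def analyse_sudo_ldap_debug(text):
    """Collect match flags and the sudoHost values sudo tried; '+name' values
    are netgroups, resolved via nsswitch when netgroup_base is unset."""
    s = {"user_matches": None, "host_matches": None, "netgroups_via_nsswitch": False,
         "netgroup_hosts": [], "plain_hosts": [], "matched_hosts": []}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("sudo: netgroup_base (NONE"):
            s["netgroups_via_nsswitch"] = True
        elif m := FLAG_RE.match(line):
            s[m.group(1)] = m.group(2) == "true"
        elif m := HOST_RE.match(line):
            host, outcome = m.groups()
            s["netgroup_hosts" if host.startswith("+") else "plain_hosts"].append(host)
            if outcome == "MATCH!":
                s["matched_hosts"].append(host)
    return s

def diagnose(s):
    """One-line explanation of the host-match outcome for the admin."""
    if s["host_matches"] is not False:
        return "host matched (or no host_matches flag in the output)"
    if s["netgroup_hosts"] and not s["plain_hosts"] and s["netgroups_via_nsswitch"]:
        return ("no sudoHost matched: all %d rules use '+netgroup' hosts and netgroup_base "
                "is unset, so the match depends on the nsswitch netgroup database"
                % len(s["netgroup_hosts"]))
    return "no sudoHost matched: " + ", ".join(s["netgroup_hosts"] + s["plain_hosts"])

if __name__ == "__main__":
    summary = analyse_sudo_ldap_debug(SAMPLE_DEBUG)
    print(diagnose(summary))
```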