Re: sudo-ldap support

On Thu, 2010-08-26 at 23:14 +0200, Joke de Buhr wrote:
> newer versions of sudo (sudo-ldap with ldap support enabled) use 
> /etc/ldap.conf to configure basic ldap settings. The format is
> basically the same as the old pam-ldap (the new nslcd.conf) format.
> sudo just added some directives like:
>     sudoers_base    dc=ldap,dc=domain
> Other options such as "uri", "ldap_version", "ssl", etc. were copied.
> sudo ignores unknown options like the new option "rootpwmoddn".
> It would be nice if nss-pam-ldapd would do the same and ignore unknown
> options or recognize the sudo options. This way the configuration
> files could be identical or could be a link. Currently nss-pam-ldapd
> terminates with an error message.

If you really want this you can build a version of nss-pam-ldapd which
does just that. Just use:
  ./configure --with-ldap-conf-file=/etc/ldap.conf --disable-configfile-checking

However, there are a number of options in nslcd.conf that may work
unexpectedly and are not meant to conform to the usual syntax of stuff
in ldap.conf: threads, uid, rootpwmoddn, filter and map are the most
common ones that are not clearly prefixed. Also the syntax and semantics
of some of the options may be slightly different from the options with
the same name in the old nss_ldap and pam_ldap.

Also it is not always clear which options are exactly parsed. For
instance if you configure TLS do all of the applications that
use /etc/ldap.conf then use and support that? Also how do you know (as a
system administrator) which applications exactly use this file?

Also, I think it is a bad idea to mix options that are meant as defaults
for various LDAP operations to be used as a configuration file for a
daemon. For one, there are very different security requirements. For
instance if you want to have a bindpw option in the file you should not
make it world readable, which could cause problems for other LDAP

Since most configuration errors are silently ignored for the file it is
very hard to detect configuration problems. This is not what you want if
it comes to user account access and root access in the sudo case (e.g. a
typo in the pam_authz_search option name could leave your system wide
open to unauthorised users).

Also, nslcd takes measures so that the OpenLDAP library does not
parse /etc/ldap.conf (and consequently ldaprc files and environment
variables amongst other things) so as not to have an unexpected
configuration depending on the environment or current directory the
daemon is started from.

If you want to centralise the configuration you could implement a sudo
module for nslcd that would provide the information from LDAP.

Hope this clarifies the reason for a separate configuration file and the
syntax checking of that file for nslcd.

-- arthur - - --
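The two risks the message above raises (a typo in an option name such as pam_authz_search being silently dropped by a lenient parser, and a file holding bindpw being world readable) shown as an added example; this is not code from this thread or from nss-pam-ldapd. It is a toy parser modelled on the "option value" line format of nslcd.conf; the option names are a subset of real nslcd.conf options, and the configuration text and temp-file handling are constructed for the demonstration.

```python
"""Strict vs. lenient parsing of an nslcd.conf-style file (added example,
not nslcd's own parser). Option names are a subset of real nslcd.conf
options; the config text below is constructed."""
import os
import stat
import tempfile

# Options a strict parser accepts; anything else is a configuration error.
KNOWN_OPTIONS = {
    "uri", "base", "binddn", "bindpw", "rootpwmoddn", "ssl", "ldap_version",
    "threads", "uid", "gid", "filter", "map", "pam_authz_search",
}


class ConfigError(ValueError):
    pass


def parse_config(text, strict=True):
    """Parse 'option value' lines. In strict mode an unknown option raises
    ConfigError; in lenient mode (how sudo-ldap treats /etc/ldap.conf) it
    is silently dropped, so a typo disables the option it was meant to set."""
    options = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        name = parts[0].lower()
        value = parts[1] if len(parts) > 1 else ""
        if name not in KNOWN_OPTIONS:
            if strict:
                raise ConfigError("line %d: unknown option '%s'" % (lineno, name))
            continue  # lenient: the line vanishes without a trace
        options.setdefault(name, []).append(value)
    return options


def authz_filters(options):
    """pam_authz_search filters that will be enforced; an empty list means
    every LDAP user who can authenticate is authorized."""
    return options.get("pam_authz_search", [])


# Constructed config with a typo in the option name ('pam_authz_serach').
TYPO_CONFIG = """\
uri ldap://ldap.example.com/
base dc=example,dc=com
binddn cn=nslcd,dc=example,dc=com
bindpw secret
# typo: should be pam_authz_search
pam_authz_serach (&(objectClass=posixAccount)(uid=$username)(host=$hostname))
"""


def lenient_authz_filter_count(text=TYPO_CONFIG):
    """How many authz filters survive lenient parsing of the typo'd config."""
    return len(authz_filters(parse_config(text, strict=False)))


def strict_rejects(text=TYPO_CONFIG):
    """True if the strict parser refuses the typo'd config."""
    try:
        parse_config(text, strict=True)
    except ConfigError:
        return True
    return False


def world_readable(path):
    """True if 'other' has read permission: unacceptable for a bindpw file."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def check_file(path):
    """Strictly parse a file and refuse it if bindpw is stored world-readably."""
    with open(path) as fh:
        options = parse_config(fh.read(), strict=True)
    if "bindpw" in options and world_readable(path):
        raise ConfigError("%s contains bindpw but is world readable" % path)
    return options


def demo_permission_check(mode):
    """Write a corrected copy of the config to a temp file with the given
    mode and report whether check_file() accepts it."""
    good = TYPO_CONFIG.replace("pam_authz_serach", "pam_authz_search")
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(good)
        os.chmod(path, mode)
        try:
            check_file(path)
            return True
        except ConfigError:
            return False
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print("lenient parser enforces %d authz filter(s)" % lenient_authz_filter_count())
    print("strict parser rejects the typo:", strict_rejects())
    print("mode 0600 accepted:", demo_permission_check(0o600))
    print("mode 0644 accepted:", demo_permission_check(0o644))
```

The lenient run ends with zero authz filters and no error, which is exactly the "wide open" failure mode described: the host restriction the administrator believed was in force never existed. The strict run stops at the misspelled line, and check_file() additionally refuses a bindpw-bearing file whose mode lets other users read it.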