Implementing LDAP
Jim Wildman
jim at rossberry.com
Sat Jan 25 14:44:34 EST 2003
Thanks for the hack. I'll try it out next week at work.
------------------------------------------------------------------------
Jim Wildman, CISSP, RHCE jim at rossberry.com
http://www.rossberry.com
On Sat, 25 Jan 2003, Aaron Spangler wrote:
> I am almost finished with my LDAP backend to SUDO. It replaces the
> parsing files. I wanted to get some feedback from the community to help
> collaborate if people are already doing something similar so that the
> schemas would be compatible.
>
> I am thinking about two compile time directives.
>
> The first includes LDAP plus the local /etc/sudoers file. (Sort of like
> /etc/passwd + NIS passwd) The only problem with this option is that
> then you have to audit both a local configuration file and an LDAP store
> in order to verify that people haven't been given unauthorized access.
> Although this would be the nicest since one build could work in both
> standalone or LDAP or hybrid environments. (so if permission was
> granted from either, you would have access).
>
> The second mode disables the local mode. I have played around with not
> even including any of the parsing files (lex.yy.c, parse.c, sudo.tab.c,
> etc). We had one problem where the sudoers file was on a NFS share, and
> a user on one box used sudo to get local root and then modified the
> remote sudoers file and then granted themselves access to all systems.
> (Yes, - I know remote mounted sudoers is bad, but when you got several
> hundred machines - how else do you sync them up?) So in this mode,
> there is NO LOCAL file. Currently I am compiling the LDAP server URL
> into the binary. Maybe we could read /etc/ldap.conf so that it would be
> compatible with pam_ldap or nss_ldap that would be running on the same
> system. Currently the pam_ldap code parser is under the GPL instead of
> the BSD-Style license, but I might have some code that I can contribute
> that would do essentially the same parsing.
>
> Thoughts? Ideas? Please reply to the group.
>
> -Aaron
>
>
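The thread's suggestion of reading /etc/ldap.conf so that sudo picks up the same server settings nss_ldap and pam_ldap already use, sketched as an added example (not sudo's or pam_ldap's code): a small parser for the handful of keys such a backend would need, fed a constructed sample file. It assumes the usual lowercase key names (uri, base, binddn, ssl) and ignores everything else so one file can be shared.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical minimal /etc/ldap.conf reader for a sudo LDAP backend (not
 * sudo's or pam_ldap's code). Only uri, base, binddn and ssl are read; other
 * keys (nss_base_passwd, pam_*, ...) are skipped so nss_ldap can share the file. */
struct ldap_conf {
    char uri[256], base[256], binddn[256];
    int  use_ssl;                  /* 1 for "ssl on" or "ssl start_tls" */
};

/* Parse one line. Returns 1 if a recognised key was set, else 0. */
int ldap_conf_parse_line(struct ldap_conf *c, const char *line)
{
    char key[64], val[256];

    while (isspace((unsigned char)*line)) line++;
    if (*line == '#' || *line == '\0') return 0;   /* comment or blank */
    /* first token is the key; the rest of the line is the value */
    if (sscanf(line, "%63s %255[^\n]", key, val) != 2) return 0;
    for (size_t n = strlen(val); n > 0 && isspace((unsigned char)val[n - 1]); n--)
        val[n - 1] = '\0';                         /* trim trailing space */

    if (strcmp(key, "uri") == 0)
        snprintf(c->uri, sizeof c->uri, "%s", val);
    else if (strcmp(key, "base") == 0)
        snprintf(c->base, sizeof c->base, "%s", val);
    else if (strcmp(key, "binddn") == 0)
        snprintf(c->binddn, sizeof c->binddn, "%s", val);
    else if (strcmp(key, "ssl") == 0)
        c->use_ssl = !strcmp(val, "on") || !strcmp(val, "start_tls");
    else
        return 0;                                  /* not a sudo key */
    return 1;
}

/* Constructed sample ldap.conf, one entry per line; not from a real host. */
static const char *SAMPLE_LDAP_CONF[] = {
    "uri ldap://ldap.example.com/",
    "base ou=SUDOers,dc=example,dc=com",
    "  binddn cn=sudo,ou=services,dc=example,dc=com   ",
    "ssl start_tls",
    "nss_base_passwd ou=People,dc=example,dc=com",
};

/* Load the sample into *c; returns how many sudo keys were recognised. */
int ldap_conf_load_sample(struct ldap_conf *c)
{
    size_t i, count = 0;
    memset(c, 0, sizeof *c);
    for (i = 0; i < sizeof SAMPLE_LDAP_CONF / sizeof *SAMPLE_LDAP_CONF; i++)
        count += ldap_conf_parse_line(c, SAMPLE_LDAP_CONF[i]);
    return (int)count;
}
```

Because the file is shared with the NSS and PAM modules, its permissions and any bindpw it carries need the same audit attention as the LDAP store itself.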