[sudo-users] sudo-ldap and sasl/external
Vasiliy Molostov
molostoff at gmail.com
Thu May 31 23:09:57 EDT 2012
Hi!
I have a question on how to configure sudo-ldap with SASL/EXTERNAL
authentication, as used by ldap-utils (such as ldapsearch -Y EXTERNAL does).
I have tried to do the same with sudo-ldap but was unsuccessful, since it
always tries to use binddn and bindpw, and if these are not specified sudo uses
an anonymous bind to the ldap server. This behavior makes a connection to ldapi:///
without specifying ldap passwords unsuccessful, and if the ldap server does not
reply to anonymous queries about sudoers, it makes things worse.
I have tried to chmod 400 the /etc/sudo-ldap.conf file owned by root, and a regular
user was able to execute sudo, and sudo itself was capable of reading these
settings. So as I understand it, sudo is capable of suid and making an
authenticated bind with the 'simple' SASL method (the 'simple' sasl mech refers to
the ldap-utils method mostly applicable when connecting to ldapi:///).
If someone can help here I will be very happy, thanks!
A second question I have is more distribution related: in Ubuntu precise the sudo-
ldap package installs /etc/sudo-ldap.conf as a soft link to
/etc/ldap/ldap.conf and provides this as its own configuration file.
The /etc/ldap/ldap.conf file currently holds system-wide settings for
ldap-utils (client tools) and thus is system-wide readable. At the same
time sudo-ldap stores its secure passwords here, and I suppose this is not
correct.
Although this may be a packaging bug in Debian, sudo-ldap cannot use
/etc/ldap/ldap.conf as its own config since these are of different purpose.
If someone can explain this unclear thing, I would be thankful too.
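The second concern in the message above, a sudo-ldap configuration that is a symlink into the world-readable /etc/ldap/ldap.conf while carrying a bindpw, can be checked mechanically. The script below is an added audit example, not code from the post or from the sudo project; it inspects whatever paths it is given (or constructed sample files under --demo) and reports the two conditions described: the config file is a symlink, and it contains a bindpw directive while being readable by group or others. The sample directory layout, the bind DN and the password value are constructed for the demo.

```shell
#!/bin/sh
# Added example: audit a sudo-ldap config file for the two problems described
# in the post above (symlink into a shared config; bindpw in a non-root-readable
# file). Not part of the sudo project; paths are arguments so it runs on samples.

# Octal permission bits of the file the path resolves to (follows symlinks,
# since sudo reads the link target). GNU stat first, BSD stat as fallback.
file_mode() {
    stat -L -c '%a' "$1" 2>/dev/null || stat -L -f '%Lp' "$1"
}

# 0 when the file holds a bindpw directive (matched case-insensitively so both
# "bindpw" and "BINDPW" spellings are caught), 1 otherwise.
has_bindpw() {
    grep -Eiq '^[[:space:]]*bindpw[[:space:]]' "$1"
}

# 0 when the group read bit or the other read bit is set, 1 otherwise.
world_readable() {
    case "$(file_mode "$1")" in
        *[4567]?|*[4567]) return 0 ;;   # group digit or other digit has bit 4
    esac
    return 1
}

# Audit one config path. Prints one WARN line per finding and returns the
# number of findings, so 0 means the file passed both checks.
audit_sudo_ldap_conf() {
    conf=$1
    findings=0
    if [ -L "$conf" ]; then
        echo "WARN: $conf is a symlink to $(readlink "$conf"); sudo-ldap would keep its secrets in the shared LDAP client config"
        findings=$((findings + 1))
    fi
    if has_bindpw "$conf" && world_readable "$conf"; then
        echo "WARN: $conf contains bindpw but is readable by non-root users (mode $(file_mode "$conf"))"
        findings=$((findings + 1))
    fi
    return $findings
}

# Constructed samples: the Ubuntu precise layout (sudo-ldap.conf -> ldap.conf,
# mode 644, bindpw inside) next to a root-only 400 copy. Prints the directory.
setup_samples() {
    dir=$(mktemp -d)
    printf 'URI ldapi:///\nBINDDN cn=sudo,dc=example,dc=com\nBINDPW constructed-secret\n' > "$dir/ldap.conf"
    chmod 644 "$dir/ldap.conf"
    ln -s "$dir/ldap.conf" "$dir/sudo-ldap.conf"
    printf 'URI ldapi:///\nBINDDN cn=sudo,dc=example,dc=com\nBINDPW constructed-secret\n' > "$dir/sudo-ldap.conf.fixed"
    chmod 400 "$dir/sudo-ldap.conf.fixed"
    echo "$dir"
}

if [ "${1:-}" = "--demo" ]; then
    d=$(setup_samples)
    for f in "$d/sudo-ldap.conf" "$d/sudo-ldap.conf.fixed"; do
        audit_sudo_ldap_conf "$f" && echo "OK: $f"
    done
    rm -rf "$d"
elif [ $# -gt 0 ]; then
    # Real use: sh audit.sh /etc/sudo-ldap.conf
    for f in "$@"; do
        audit_sudo_ldap_conf "$f" && echo "OK: $f"
    done
fi
```

Run it as `sh audit.sh --demo` to see the symlinked 644 sample produce two warnings and the 400 copy pass; run it as root against /etc/sudo-ldap.conf to check a live system. The script only reports; separating sudo's config from the client-wide ldap.conf and restricting it to root is the remediation the post itself describes.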