Implementing LDAP

Aaron Spangler as at
Sat Jan 25 14:42:31 EST 2003

I am almost finished with my LDAP backend to SUDO.  It replaces the
parsing files.  I wanted to get some feedback from the community to help
collaborate if people are already doing something similar so that the
schemas would be compatable.

I am thinking about two compile time directives.

The first includes LDAP plus the local /etc/sudoers file.  (Sort of Like
/etc/passwd + NIS passwd)  The only problem with this option is that
then you have to audit both a local configuration file and an LDAP store
in order to verify that people haven't been given unauthorized access.
Although this would be the nicest since one build could work in both
standalone or LDAP or hybrid environments.  (so if permission was
granted from either, you would have access).

The second mode disables the local mode.  I have played around with not
even including any of the parsing files (lex.yy.c, parse.c,,
etc).  We had one problem where the sudoers file was on a NFS share, and
an user on one box used sudo to get local root and then modified the
remote sudoers file and then granted themselves access to all systems.
(Yes, - I know remote mounted sudoers is bad, but when you got several
hundered machines - how else do you sync them up?)  So in this mode,
there is NO LOCAL file.  Currently I am compiling the LDAP server URL in
to the binary.  Maybe we could read /etc/ldap.conf so that it would be
compatable with pam_ldap or nss_ldap that would be running on the same
system.  Currently the pam_ldap code parser is under the GPL instead of
the BSD-Style license, but I might have some code that I can contribue
that would do essentially the same parsing.

Thoughts?  Ideas?  Please reply to the group.


More information about the sudo-users mailing list