Implementing LDAP

Jim Wildman jim at rossberry.com
Sat Jan 25 14:44:34 EST 2003


Thanks for the hack.  I'll try it out next week at work.

------------------------------------------------------------------------
Jim Wildman, CISSP, RHCE                                jim at rossberry.com
http://www.rossberry.com

On Sat, 25 Jan 2003, Aaron Spangler wrote:

> I am almost finished with my LDAP backend to SUDO.  It replaces the
> parsing files.  I wanted to get some feedback from the community to help
> collaborate if people are already doing something similar so that the
> schemas would be compatible.
> 
> I am thinking about two compile time directives.
> 
> The first includes LDAP plus the local /etc/sudoers file.  (Sort of like
> /etc/passwd + NIS passwd)  The only problem with this option is that
> then you have to audit both a local configuration file and an LDAP store
> in order to verify that people haven't been given unauthorized access.
> Although this would be the nicest since one build could work in both
> standalone or LDAP or hybrid environments.  (so if permission was
> granted from either, you would have access).
> 
> The second mode disables the local mode.  I have played around with not
> even including any of the parsing files (lex.yy.c, parse.c, sudo.tab.c,
> etc).  We had one problem where the sudoers file was on a NFS share, and
> a user on one box used sudo to get local root and then modified the
> remote sudoers file and then granted themselves access to all systems.
> (Yes - I know remote mounted sudoers is bad, but when you've got several
> hundred machines - how else do you sync them up?)  So in this mode,
> there is NO LOCAL file.  Currently I am compiling the LDAP server URL in
> to the binary.  Maybe we could read /etc/ldap.conf so that it would be
> compatible with pam_ldap or nss_ldap that would be running on the same
> system.  Currently the pam_ldap code parser is under the GPL instead of
> the BSD-style license, but I might have some code that I can contribute
> that would do essentially the same parsing.
> 
> Thoughts?  Ideas?  Please reply to the group.
> 
>  -Aaron
> 
> 
> ____________________________________________________________ 
> sudo-users mailing list <sudo-users at sudo.ws>
> For list information, options, or to unsubscribe, visit:
> http://www.sudo.ws/mailman/listinfo/sudo-users
> 
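The second mode above proposes reading the LDAP server location from /etc/ldap.conf rather than compiling it into the sudo binary. The following is an added example, not code from the sudo project or from either poster: a small parser for the "key value" directive format that pam_ldap and nss_ldap use in /etc/ldap.conf (key names uri, host, base, port and ssl are theirs; the struct and function names are hypothetical, and the sample config is constructed). It lowercases keys, keeps spaces inside a value, truncates rather than overflows fixed buffers, and ignores directives it does not know, the way pam_ldap does.

```c
/* Added example (not sudo's or pam_ldap's code): parse pam_ldap-style
 * /etc/ldap.conf directives so an LDAP-aware build can share the file.
 * Names are hypothetical; the sample config below is constructed. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LDAP_CONF_VAL 256

struct ldap_conf {
    char uri[LDAP_CONF_VAL];   /* "uri ldap://host/" */
    char host[LDAP_CONF_VAL];  /* "host ldap.example.com" */
    char base[LDAP_CONF_VAL];  /* "base dc=example,dc=com" */
    int  port;                 /* "port 389" */
    int  ssl;                  /* 1 for "ssl on" / "ssl start_tls", else 0 */
};

/* Copy a value into a fixed buffer, truncating instead of overflowing. */
static void set_val(char *dst, const char *src, size_t len)
{
    if (len >= LDAP_CONF_VAL)
        len = LDAP_CONF_VAL - 1;
    memcpy(dst, src, len);
    dst[len] = '\0';
}

/* Parse one line. Returns 1 if a recognised directive was set, 0 for
 * blank lines, comments, empty values and unknown keys (ignored). */
static int ldap_conf_line(struct ldap_conf *c, const char *line)
{
    char key[64];
    size_t klen = 0, vlen;
    const char *p = line;

    while (*p == ' ' || *p == '\t')
        p++;
    if (*p == '\0' || *p == '#' || *p == '\n')
        return 0;
    /* Keys are case-insensitive: lower-case while copying. */
    while (*p != '\0' && !isspace((unsigned char)*p)) {
        if (klen < sizeof(key) - 1)
            key[klen++] = (char)tolower((unsigned char)*p);
        p++;
    }
    key[klen] = '\0';
    while (*p == ' ' || *p == '\t')
        p++;
    /* Value = rest of line minus trailing whitespace, so a base DN
     * containing spaces survives intact. */
    vlen = strlen(p);
    while (vlen > 0 && isspace((unsigned char)p[vlen - 1]))
        vlen--;
    if (vlen == 0)
        return 0;

    if (strcmp(key, "uri") == 0)  { set_val(c->uri, p, vlen);  return 1; }
    if (strcmp(key, "host") == 0) { set_val(c->host, p, vlen); return 1; }
    if (strcmp(key, "base") == 0) { set_val(c->base, p, vlen); return 1; }
    if (strcmp(key, "port") == 0) { c->port = (int)strtol(p, NULL, 10); return 1; }
    if (strcmp(key, "ssl") == 0) {
        c->ssl = (strncmp(p, "on", 2) == 0 || strncmp(p, "start_tls", 9) == 0);
        return 1;
    }
    return 0;
}

/* Parse a whole config held in memory; returns the number of recognised
 * directives. Over-long lines are truncated to the scratch buffer. */
int ldap_conf_parse_buf(struct ldap_conf *c, const char *buf)
{
    char line[1024];
    int count = 0;

    memset(c, 0, sizeof(*c));
    while (*buf != '\0') {
        const char *nl = strchr(buf, '\n');
        size_t len = nl ? (size_t)(nl - buf) : strlen(buf);
        if (len >= sizeof(line))
            len = sizeof(line) - 1;
        memcpy(line, buf, len);
        line[len] = '\0';
        count += ldap_conf_line(c, line);
        if (nl == NULL)
            break;
        buf = nl + 1;
    }
    return count;
}

/* Constructed sample in /etc/ldap.conf style (not a real configuration). */
const char *const SAMPLE_LDAP_CONF =
    "# constructed sample, pam_ldap style\n"
    "URI ldaps://ldap.example.com/\n"
    "base   dc=example, dc=com   \n"
    "port 636\n"
    "ssl on\n"
    "nss_base_passwd ou=People,dc=example,dc=com?one\n";

int main(void)
{
    struct ldap_conf c;
    int n = ldap_conf_parse_buf(&c, SAMPLE_LDAP_CONF);
    printf("%d directives: uri=%s base=%s port=%d ssl=%d\n",
           n, c.uri, c.base, c.port, c.ssl);
    return 0;
}
```

Reading the server location from a shared file has the same consequence the thread raises for a local sudoers file: whatever names the LDAP server is now part of what an auditor has to check, since a writable /etc/ldap.conf would let the binary be pointed at a different directory. Treating that file as root-owned, non-writable configuration, and preferring an ldaps:// or start_tls URI so the policy lookup itself is authenticated, keeps the "no local file" mode from simply moving the trust problem.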
