Implementing LDAP

Christopher Sheldon christopher.sheldon at agile.com
Mon Jan 27 13:48:14 EST 2003


Aaron--

What about a runtime directive similar to Solaris's (and others')
nsswitch.conf(4) file? The sudoers file could have a directive that
tells it if it needs to check ldap only, local file only, or both, and
which order has precedence:

sudo-auth: ldap files

or something similar. Does this inherently compromise security
besides that local write access to the file permits a root user to
remove LDAP from the authentication scheme?

What about having this information stored in the LDAP server
and if the binary is compiled "--with-ldap", then it looks to the
LDAP server for the (what would you call that?) sudoers file
switch information? This would still permit control of precedence,
but place it in a more secure location.

Chris.


Aaron Spangler wrote:

> I am almost finished with my LDAP backend to SUDO.  It replaces the
> parsing files.  I wanted to get some feedback from the community to
> help collaborate if people are already doing something similar so that
> the schemas would be compatible.
>
> I am thinking about two compile time directives.
>
> The first includes LDAP plus the local /etc/sudoers file.  (Sort of
> like /etc/passwd + NIS passwd)  The only problem with this option is
> that then you have to audit both a local configuration file and an
> LDAP store in order to verify that people haven't been given
> unauthorized access.
>
> Although this would be the nicest since one build could work in both
> standalone or LDAP or hybrid environments.  (so if permission was
> granted from either, you would have access).
>
> The second mode disables the local mode.  I have played around with
> not even including any of the parsing files (lex.yy.c, parse.c,
> sudo.tab.c, etc).  We had one problem where the sudoers file was on an
> NFS share, and a user on one box used sudo to get local root and then
> modified the remote sudoers file and then granted themselves access to
> all systems.
>
> (Yes, - I know remote mounted sudoers is bad, but when you've got
> several hundred machines - how else do you sync them up?)  So in this
> mode, there is NO LOCAL file.  Currently I am compiling the LDAP server
> URL into the binary.  Maybe we could read /etc/ldap.conf so that it
> would be compatible with pam_ldap or nss_ldap that would be running on
> the same system.  Currently the pam_ldap code parser is under the GPL
> instead of the BSD-style license, but I might have some code that I
> can contribute that would do essentially the same parsing.
>
> Thoughts?  Ideas?  Please reply to the group.
>
>  -Aaron
>
> ____________________________________________________________
> sudo-users mailing list <sudo-users at sudo.ws>
> For list information, options, or to unsubscribe, visit:
> http://www.sudo.ws/mailman/listinfo/sudo-users
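As an added example that is not part of this thread or of sudo's own code: a small Python model of the nsswitch-style source directive Chris proposes, with both lookup policies the two messages discuss (first source with an entry wins, or a grant from either source suffices, as in Aaron's hybrid mode). The directive name sudo-auth, the source names files and ldap, the backend functions, and the two in-memory stores are assumptions made for illustration; nothing here parses a real sudoers file or talks to an LDAP server.

```python
"""nsswitch-style source ordering for sudoers lookups (illustrative model).

Assumptions, not sudo's actual configuration syntax or API:
  - the directive is a line of the form 'sudo-auth: ldap files'
  - a backend is a function user -> set of permitted commands, or None
    when the source has no entry for that user at all
  - the stores below are constructed sample data
"""
from typing import Callable, Dict, List, Optional, Set, Tuple

# Constructed stand-ins for /etc/sudoers and the LDAP directory.
# "ALL" is treated as a wildcard, as in a sudoers command list.
FILES_STORE: Dict[str, Set[str]] = {
    "alice": {"/usr/bin/less"},
    "mallory": {"ALL"},   # entry added by whoever has local write access
}
LDAP_STORE: Dict[str, Set[str]] = {
    "alice": {"/sbin/reboot"},
    "bob": {"ALL"},
}

Backend = Callable[[str], Optional[Set[str]]]


def files_backend(user: str) -> Optional[Set[str]]:
    return FILES_STORE.get(user)


def ldap_backend(user: str) -> Optional[Set[str]]:
    return LDAP_STORE.get(user)


BACKENDS: Dict[str, Backend] = {"files": files_backend, "ldap": ldap_backend}


def parse_directive(line: str, key: str = "sudo-auth") -> List[str]:
    """Parse 'sudo-auth: ldap files' into an ordered list of known sources.

    Unknown source names are rejected rather than silently skipped, so a
    typo cannot quietly drop a source from the lookup order.
    """
    name, sep, rest = line.partition(":")
    if not sep or name.strip() != key:
        raise ValueError(f"expected a '{key}:' directive, got {line!r}")
    sources: List[str] = []
    for tok in rest.split():
        if tok not in BACKENDS:
            raise ValueError(f"unknown source {tok!r} in {line!r}")
        if tok not in sources:
            sources.append(tok)
    if not sources:
        raise ValueError(f"no sources listed in {line!r}")
    return sources


def lookup_first_match(user: str, sources: List[str],
                       backends: Dict[str, Backend]) -> Tuple[Optional[str], Set[str]]:
    """First source that has an entry for the user wins; later ones are not consulted."""
    for src in sources:
        entry = backends[src](user)
        if entry is not None:
            return src, set(entry)
    return None, set()


def lookup_union(user: str, sources: List[str],
                 backends: Dict[str, Backend]) -> Set[str]:
    """Hybrid mode: a grant from any listed source counts, so all must be audited."""
    allowed: Set[str] = set()
    for src in sources:
        entry = backends[src](user)
        if entry is not None:
            allowed |= entry
    return allowed


def may_run(user: str, cmd: str, directive: str, mode: str = "first-match") -> bool:
    """Decide whether user may run cmd under the given directive and policy."""
    sources = parse_directive(directive)
    if mode == "first-match":
        _, allowed = lookup_first_match(user, sources, BACKENDS)
    elif mode == "union":
        allowed = lookup_union(user, sources, BACKENDS)
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return "ALL" in allowed or cmd in allowed


if __name__ == "__main__":
    for user, cmd in (("alice", "/sbin/reboot"), ("alice", "/usr/bin/less"),
                      ("mallory", "/bin/sh")):
        print(user, cmd,
              "first-match:", may_run(user, cmd, "sudo-auth: ldap files"),
              "union:", may_run(user, cmd, "sudo-auth: ldap files", mode="union"))
```

Running the model shows the property behind Chris's own caveat: with "sudo-auth: ldap files" and first-match semantics, a user who has no LDAP entry at all still falls through to the local file, so an entry written locally (mallory above) grants access even though LDAP never mentioned that user. Only a directive that lists ldap alone removes the local file from the decision.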

