Implementing LDAP

Christopher Sheldon christopher.sheldon at
Mon Jan 27 13:48:14 EST 2003


What about a runtime directive similar to Solaris's (and others')
nsswitch.conf(4) file? The sudoers file could have a directive that
tells it whether it needs to check LDAP only, the local file only, or
both, and which order has precedence:

sudo-auth: ldap files

or something similar. Does this inherently compromise security, beyond
the fact that local write access to the file permits a root user to
remove LDAP from the authentication scheme?

What about having this information stored in the LDAP server, so that
if the binary is compiled "--with-ldap", it looks to the LDAP server
for the (what would you call that?) sudoers switch information? This
would still permit control of precedence, but place it in a more
secure location.


Aaron Spangler wrote:

> I am almost finished with my LDAP backend to SUDO.  It replaces the
> parsing files.  I wanted to get some feedback from the community to
> help collaborate if people are already doing something similar so that
> the schemas would be compatible.
> I am thinking about two compile-time directives.
> The first includes LDAP plus the local /etc/sudoers file.  (Sort of
> like /etc/passwd + NIS passwd)  The only problem with this option is
> that then you have to audit both a local configuration file and an LDAP
> store in order to verify that people haven't been given unauthorized
> access.  Although this would be the nicest since one build could work
> in both standalone or LDAP or hybrid environments.  (so if permission
> was granted from either, you would have access).
> The second mode disables the local mode.  I have played around with
> not even including any of the parsing files (lex.yy.c, parse.c,
> etc).  We had one problem where the sudoers file was on an NFS share,
> and a user on one box used sudo to get local root and then modified the
> remote sudoers file and then granted themselves access to all systems.
> (Yes, - I know remote mounted sudoers is bad, but when you've got several
> hundred machines - how else do you sync them up?)  So in this mode,
> there is NO LOCAL file.  Currently I am compiling the LDAP server URL
> into the binary.  Maybe we could read /etc/ldap.conf so that it would be
> compatible with pam_ldap or nss_ldap that would be running on the same
> system.  Currently the pam_ldap code parser is under the GPL instead
> of the BSD-style license, but I might have some code that I can
> contribute that would do essentially the same parsing.
> Thoughts?  Ideas?  Please reply to the group.
>  -Aaron
> ____________________________________________________________
> sudo-users mailing list <sudo-users at>
> For list information, options, or to unsubscribe, visit:
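The following is an added example, not code from sudo or from either poster. It models the nsswitch.conf-style "sudo-auth: ldap files" directive proposed above and the two semantics the thread touches on: Aaron's hybrid mode, where a grant from either the local file or LDAP gives access, and a strict first-source-wins reading of "precedence". The directive name comes from the message; the policy names "merge" and "first", the backend dictionaries standing in for /etc/sudoers and an LDAP sudoers tree, and the user and command names are all constructed for the example. It also reproduces the NFS scenario from the quoted message: with the switch set to "ldap" only, a tampered local file adds no grants.

```python
"""Added example: an nsswitch.conf-style source switch for sudoers lookups.

Policies modelled for what "precedence" could mean when both a local
/etc/sudoers and an LDAP store are listed:
  - "merge": a user gets the union of what every listed source grants
    (the "either source grants access" hybrid mode from the thread).
  - "first": the first listed source holding an entry for the user is
    authoritative and later sources are ignored for that user.
All data is constructed for the example; there is no real file or LDAP I/O.
"""

KNOWN_SOURCES = ("files", "ldap")

# Constructed stand-ins for /etc/sudoers and an LDAP sudoers tree:
# user -> set of commands allowed ("ALL" means any command).
LOCAL_SUDOERS = {"alice": {"ALL"}, "bob": {"/usr/bin/apt-get"}}
LDAP_SUDOERS = {"alice": {"/sbin/reboot"}, "carol": {"ALL"}}


def parse_switch(line):
    """Parse a 'sudo-auth: ldap files' directive into an ordered source list.

    Unknown, missing or duplicated sources are rejected so that a typo cannot
    silently turn into "no source consulted" or "a source consulted twice".
    """
    key, sep, value = line.partition(":")
    if not sep or key.strip() != "sudo-auth":
        raise ValueError("expected 'sudo-auth: <source> [<source>...]'")
    sources = value.split()
    if not sources:
        raise ValueError("sudo-auth lists no sources")
    for src in sources:
        if src not in KNOWN_SOURCES:
            raise ValueError("unknown sudoers source %r" % src)
    if len(set(sources)) != len(sources):
        raise ValueError("a source is listed more than once")
    return sources


def grants_for(user, sources, policy="merge",
               files=LOCAL_SUDOERS, ldap=LDAP_SUDOERS):
    """Return the sorted list of commands granted to user under the policy.

    Sources are consulted in the order given by the directive. Under "merge"
    every source can add a grant; under "first" the first source that knows
    the user decides, so a later source still matters for users absent from
    the earlier ones.
    """
    if policy not in ("merge", "first"):
        raise ValueError("unknown policy %r" % policy)
    backends = {"files": files, "ldap": ldap}
    granted = set()
    for src in sources:
        entry = backends[src].get(user)
        if entry is None:
            continue
        if policy == "first":
            return sorted(entry)
        granted |= entry
    return sorted(granted)


def may_run(user, cmd, sources, policy="merge", **backends):
    """True if the switch configuration lets user run cmd via sudo."""
    cmds = grants_for(user, sources, policy, **backends)
    return "ALL" in cmds or cmd in cmds


if __name__ == "__main__":
    hybrid = parse_switch("sudo-auth: ldap files")
    ldap_only = parse_switch("sudo-auth: ldap")

    # Hybrid: bob's grant lives only in the local file, yet it still counts,
    # so both stores have to be audited.
    print(may_run("bob", "/usr/bin/apt-get", hybrid))       # True
    # LDAP only: the local file no longer contributes anything.
    print(may_run("bob", "/usr/bin/apt-get", ldap_only))    # False

    # The NFS scenario: someone with local root rewrites the shared sudoers
    # file (constructed tampered content). It only helps them in hybrid mode.
    tampered = {"bob": {"ALL"}}
    print(may_run("bob", "/bin/sh", hybrid, files=tampered))     # True
    print(may_run("bob", "/bin/sh", ldap_only, files=tampered))  # False

    # What "precedence" buys for a user present in both sources.
    print(grants_for("alice", hybrid, "merge"))  # ['/sbin/reboot', 'ALL']
    print(grants_for("alice", hybrid, "first"))  # ['/sbin/reboot']
```

Note that neither policy removes the need to audit every listed source: under "merge" any source can add a grant, and under "first" a later source still decides for users the earlier ones do not mention. Only a single-source directive such as "sudo-auth: ldap" narrows the audit to one store, which is the property Aaron's second (no local file) mode is after.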