TLS patch for sudo-ldap
Aaron Spangler
aaron at spangler.ods.org
Sat Feb 28 22:59:51 EST 2004
Gudleik,
Your patch has now been included in Sudo.
> But I was thinking.
> If tls for some reason fails, missing/expired certificate or something,
> the ldap code will exit and use /etc/sudoers instead.
> Do you think this is the correct way?
> Or should it just log the event and continue without tls?
We use /etc/sudoers on the few machines as a disaster recovery mechanism if
LDAP goes down. It may not be the right thing for all environments, but
users will probably not be able to even login to the system if LDAP is down.
(I'm assuming that most environments using SSL for LDAP are doing so because
they are using pam_ldap and want to protect users' passwords from being
forwarded over the wire in plaintext.)
> What does pam_ldap/nss_ldap do?
Pam_ldap is a Plugin Authentication Module that allows your operating system
to use your LDAP password for your UNIX password. (You can configure UNIX to
ignore your old UNIX password or to allow either password). The config file
is /etc/pam.conf or /etc/pam.d (depending on your OS)
Nss_ldap is a Name server switch module that allows storing most of the
/etc/hosts, password, group, netgroup, automounter, network files in LDAP
similar to the way NIS/YP works.
> Another thing: LDAP_CONFIG="/etc/ldap.conf" is hardcoded in ldap.c.
> At least Gentoo linux and FreeBSD store the ldap.conf in /etc/openldap/
> and /usr/local/etc/openldap/.
>
You won't want to mix the config file with OpenLDAP's client config, rather it
is designed to be shared by pam_ldap & nss_ldap (see http://www.padl.com). I
don't know what the ramifications are with it sharing the ldap utilities
config files. (It may or may not be a problem). You can of course modify
the config file location by either modifying the Makefile or config.h. The
directive is LDAP_CONFIG.
> Could the proper location of ldap.conf be detected by autoconf?
I think pam_ldap & nss_ldap are provided on RedHat, Mandrake, Suse, and
Debian. On these OSes and also when built on Solaris & HP-UX, the config
file for the Operating System is /etc/ldap.conf. AIX is something else
because IBM's SecureWay product uses this filename.
I am thinking about having autoconf discover the ldap libraries and the LDAP
specific directives. (OpenLDAP requires one set of directives, Netscape's &
iPlanet's SDK requires another, IBM SecureWay requires a third, etc).
- Aaron