TLS patch for sudo-ldap

Aaron Spangler aaron at
Sat Feb 28 22:59:51 EST 2004


Your patch has now been included in Sudo.

> But i was thinking.
> If tls for some reason fails, missing/expired certificate or something,
> the ldap code will exit and use /etc/sudoers instead.
> Do you think this is the correct way?
> Or should it just log the event and continue without tls?

We use /etc/sudoers on the few machines as a disaster recovery mechanism if 
LDAP goes down.  It may not be the right thing for all environments, but 
users will probably not be able to even login to the system if LDAP is down.  
(I'm assuming that most environments using SSL for LDAP are doing so because 
they are using pam_ldap and want to protect users' passwords from being 
forwarded over the wire in plaintext.)

> What does pam_ldap/nss_ldap do?

Pam_ldap is a Plugin Authentication Module that allows your operating system 
to use your LDAP password for your UNIX password.  (You can configure UNIX to 
ignore your old UNIX password or to allow either password).  The config file 
is /etc/pam.conf or /etc/pam.d (depending on your OS)

Nss_ldap is a Name server switch module that allows storing most of the 
/etc/hosts, password, group, netgroup, automounter, network files in LDAP 
similar to the way NIS/YP works.

> Another thing: LDAP_CONFIG="/etc/ldap.conf" is hardcoded in ldap.c.
> At least Gentoo linux and FreeBSD stores the ldap.conf in /etc/openldap/
> and /usr/local/etc/openldap/.

You won't want to mix the config file with OpenLDAP's client config; rather, it 
is designed to be shared by pam_ldap & nss_ldap (see  I 
don't know what the ramifications are with it sharing the ldap utilities' 
config files.  (It may or may not be a problem).  You can of course modify 
the config file location by either modifying the Makefile or config.h.  The 
directive is LDAP_CONFIG.

> Could the proper location of ldap.conf be detected by autoconf?

I think pam_ldap & nss_ldap are provided on RedHat, Mandrake, Suse, and 
Debian.  On these OSes, and also when built on Solaris & HP-UX, the config 
file for the Operating System is /etc/ldap.conf.  AIX is something else 
because IBM's SecureWay product uses this filename.

I am thinking about having autoconf discover the ldap libraries and the LDAP 
specific directives.  (OpenLDAP requires one set of directives, Netscape's & 
Iplanet's SDK requires another, IBM SecureWay requires a third, etc).

 - Aaron
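The probe discussed in this message (locating the pam_ldap/nss_ldap ldap.conf before the build hardcodes LDAP_CONFIG), as an added example that is not part of sudo, the patch, or this e-mail. It is plain POSIX sh rather than autoconf, the candidate list and the AIX handling are assumptions drawn from the paths and the SecureWay remark above, and the function names are hypothetical:

```shell
# Added example, not sudo's own build logic: walk the candidate ldap.conf
# locations named in the thread, in order, and print the first that exists.
# Default order puts the shared pam_ldap/nss_ldap file first, then the
# OpenLDAP client locations that Gentoo and FreeBSD use (assumed list).

# find_ldap_conf [candidate-list] [os-name]
#   candidate-list: colon-separated paths to try in order (default below)
#   os-name:        output of `uname -s`; on AIX /etc/ldap.conf is skipped
#                   because it belongs to IBM SecureWay, not pam_ldap/nss_ldap
# Prints the chosen path and returns 0, or prints nothing and returns 1.
# Paths are assumed to contain no whitespace.
find_ldap_conf() {
    candidates=${1:-/etc/ldap.conf:/etc/openldap/ldap.conf:/usr/local/etc/openldap/ldap.conf}
    osname=${2:-$(uname -s)}
    for p in $(printf '%s\n' "$candidates" | tr ':' ' '); do
        # AIX caveat from the thread: same filename, different product.
        if [ "$osname" = AIX ] && [ "$p" = /etc/ldap.conf ]; then
            continue
        fi
        if [ -f "$p" ]; then
            printf '%s\n' "$p"
            return 0
        fi
    done
    return 1
}

# ldap_config_cppflag [candidate-list] [os-name]
# Turns the probe result into the -DLDAP_CONFIG=... define a Makefile or
# config.h could carry (hypothetical helper name). Returns 1 if not found,
# so a build script can stop rather than silently compile in a bad path.
ldap_config_cppflag() {
    conf=$(find_ldap_conf "$1" "$2") || return 1
    printf '%s\n' "-DLDAP_CONFIG=\\\"$conf\\\""
}

# Stand-alone usage: report what this host would get.
if flag=$(ldap_config_cppflag); then
    printf 'would build with %s\n' "$flag"
else
    printf 'no ldap.conf found; keep the hardcoded default or set LDAP_CONFIG\n'
fi
```

Because the pam_ldap/nss_ldap location is tried first, a host that carries both that file and OpenLDAP's client ldap.conf gets the shared one, which is the behaviour the message argues for; on a host with only the OpenLDAP file the probe still returns it, so whoever runs this should check the result rather than trust it blindly.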
