LDAP on HPUX-IPF (was RE: Where do I get the LDAP patches for sudo.)

Galen Johnson Galen.Johnson at sas.com
Wed May 12 09:32:35 EDT 2004


Another thing... looking at the script, it appears that if it finds NOPASSWD anywhere in option that it sets the entire entry !authenticate.  Am I wrong in thinking that this should be considered incorrect behavior?  You should be able to set certain entries NOPASSWD and have some with PASSWD (according to the man page, and I do currently use this functionality)... I'm also unclear on how it associates the NOEXEC entries.

=G=
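As an added illustration of the point above (this is not the sudoers2ldif script or any code from the sudo project): a small Python converter that keeps the per-command NOPASSWD/PASSWD distinction by emitting one sudoRole entry per combination of runas user and authentication requirement, instead of one entry with !authenticate applied to every command. The attribute names follow the sudo LDAP schema (sudoUser, sudoHost, sudoCommand, sudoOption, sudoRunAs; newer schema versions call the last one sudoRunAsUser). The base DN, the cn naming scheme and the sample sudoers line are constructed for the example, and the parser is deliberately simplified: no aliases, no line continuations, and no commas inside a runas list or command arguments. naive_convert() reproduces the behaviour described above so the over-grant is visible side by side.

```python
import re

# A runas spec like "(root)" and a tag like "NOPASSWD:" may prefix a command.
RUNAS_RE = re.compile(r'^\(([^)]*)\)\s*(.*)$')
TAG_RE = re.compile(r'^(NOPASSWD|PASSWD):\s*(.*)$')

# Constructed sample: mixed tags in one user specification.
SAMPLE_LINE = ('galen ALL = NOPASSWD: /usr/bin/less, PASSWD: /usr/sbin/reboot, '
               '(root) NOPASSWD: /usr/bin/apachectl')


def parse_user_spec(line):
    """Return (users, hosts, [(runas, command, authenticate), ...]).

    Simplified sudoers grammar (assumption): "users hosts = [(runas)] [TAG:] cmd, ...".
    A runas spec and a NOPASSWD/PASSWD tag stay in effect for the commands
    that follow them in the same list, as they do in sudoers.
    """
    lhs, rhs = line.split('=', 1)
    user_part, host_part = lhs.rsplit(None, 1)
    users = [u.strip() for u in user_part.split(',')]
    hosts = [h.strip() for h in host_part.split(',')]
    commands = []
    runas = None
    authenticate = True          # sudoers default: a password is required
    for item in rhs.split(','):
        item = item.strip()
        m = RUNAS_RE.match(item)
        if m:
            runas, item = m.group(1).strip(), m.group(2)
        m = TAG_RE.match(item)
        if m:
            authenticate = (m.group(1) == 'PASSWD')
            item = m.group(2)
        commands.append((runas, item.strip(), authenticate))
    return users, hosts, commands


def naive_convert(line):
    """The behaviour described in the thread: one sudoRole for the whole line,
    with !authenticate set if NOPASSWD appears anywhere in it.  Every command
    in the entry, including the PASSWD: ones, then runs without a password."""
    users, hosts, commands = parse_user_spec(line)
    return {
        'cn': '_'.join(users),
        'sudoUser': users,
        'sudoHost': hosts,
        'sudoCommand': [cmd for _, cmd, _ in commands],
        'sudoRunAs': sorted({r for r, _, _ in commands if r}),
        'sudoOption': ['!authenticate'] if 'NOPASSWD' in line else [],
    }


def to_sudo_roles(line):
    """Emit one sudoRole per (runas, authenticate) combination, so that
    sudoOption: !authenticate covers only the NOPASSWD commands.  Needed
    because sudoOption and sudoRunAs apply to every sudoCommand in an entry."""
    users, hosts, commands = parse_user_spec(line)
    groups = {}                  # dict keeps first-seen order (Python 3.7+)
    for runas, cmd, authenticate in commands:
        groups.setdefault((runas, authenticate), []).append(cmd)
    roles = []
    for index, ((runas, authenticate), cmds) in enumerate(groups.items()):
        roles.append({
            'cn': '%s_%d' % ('_'.join(users), index),   # constructed naming
            'sudoUser': users,
            'sudoHost': hosts,
            'sudoCommand': cmds,
            'sudoRunAs': [runas] if runas else [],
            'sudoOption': [] if authenticate else ['!authenticate'],
        })
    return roles


def format_ldif(roles, base_dn='ou=SUDOers,dc=example,dc=com'):
    """Render the roles as LDIF under a constructed base DN."""
    out = []
    for role in roles:
        out.append('dn: cn=%s,%s' % (role['cn'], base_dn))
        out.append('objectClass: top')
        out.append('objectClass: sudoRole')
        out.append('cn: %s' % role['cn'])
        for attr in ('sudoUser', 'sudoHost', 'sudoCommand', 'sudoRunAs', 'sudoOption'):
            for value in role[attr]:
                out.append('%s: %s' % (attr, value))
        out.append('')
    return '\n'.join(out)


if __name__ == '__main__':
    print('# naive: every command in the entry runs without a password')
    print(format_ldif([naive_convert(SAMPLE_LINE)]))
    print('# split: !authenticate only where NOPASSWD was given')
    print(format_ldif(to_sudo_roles(SAMPLE_LINE)))
```

Running it prints both conversions for the sample line: the naive form puts /usr/sbin/reboot into an entry carrying sudoOption: !authenticate, while the split form yields three sudoRole entries and only the two NOPASSWD groups carry that option.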

-----Original Message-----
From: sudo-users-bounces at sudo.ws [mailto:sudo-users-bounces at sudo.ws] On Behalf Of Galen Johnson
Sent: Wednesday, May 12, 2004 9:18 AM
To: Aaron Spangler
Cc: sudo-users at sudo.ws
Subject: RE: LDAP on HPUX-IPF (was RE: Where do I get the LDAP patches for sudo.)


Hmmm...well here's something I find unfortunate...when I went to add this to my ldif that was created by the sudoers2ldif script, I had nothing listed for the defaults which is not to say that was the case in the local sudoers file.  I'm gonna have a look at the script.

=G=

-----Original Message-----
From: Aaron Spangler [mailto:as at insight.rr.com] 
Sent: Wednesday, May 12, 2004 8:38 AM
To: Galen Johnson
Cc: sudo-users at sudo.ws
Subject: Re: LDAP on HPUX-IPF (was RE: Where do I get the LDAP patches for sudo.)


Galen, there is an option called 'ignore_local_sudoers'.  If it is in your
cn=defaults object, then sudo will not read /etc/sudoers even if there is
not a match in LDAP.  If however the LDAP server is unavailable, then sudo
will attempt to read /etc/sudoers (which you can place a few entries in for
disaster recovery, for example).  Kind of nice how the feature worked out.

 -Aaron

----- Original Message -----
From: "Galen Johnson" <Galen.Johnson at sas.com>
To: "Aaron Spangler" <as at insight.rr.com>
Cc: <sudo-users at sudo.ws>
Sent: Tuesday, May 11, 2004 8:09 PM
Subject: RE: LDAP on HPUX-IPF (was RE: Where do I get the LDAP patches for sudo.)


Hey Aaron,

I'll hopefully know better tomorrow if I'm going to be able to talk to our
AD server ok (like pulling your own teeth).  One thing, though.  I noticed
that on the todo you had indicated you were working on disabling local
sudoers.  Any progress on that front?  It would make my security guys very
happy (I am assuming that it looks at both for now).

=G=


-----Original Message-----
From: sudo-users-bounces at sudo.ws on behalf of Aaron Spangler
Sent: Wed 4/28/2004 3:06 PM
To: Galen Johnson
Cc: sudo-users at sudo.ws
Subject: Re: LDAP on HPUX-IPF (was RE: Where do I get the LDAP patches for sudo.)

Thanks for the build tip.  I gave you credit in 'README.LDAP'.

 -Aaron

Galen Johnson wrote:

> Hey Aaron,
>
> I just did a make on HPUX 11.23 using gcc 3.  I had to do the following
> (using the README.LDAP with minor mods).
>
> I had to configure with the following:
>
> CFLAGS="-D__10_10_compat_code" LDFLAGS="-L/opt/ldapux/lib"
> ./configure --with-ldap --with-pam
>
> You'll notice that I didn't have to use the includes (since they weren't
> under /opt/ldapux and no one knew where they might be).
>
> I then had to comment out the #define HAVE_LDAP_START_TLS_S in config.h
> along with the other changes recommended in the readme.  (It might be useful
> to have a --with-ldap-tls config option to enable this functionality rather
> than defaulting to enabled.)
>
> Until our AD group can add the schema I won't know how successful I've
> been, but I was at least able to compile it (which is usually half the
> battle).
>
> I'll keep you posted.  (It'd be nice to get some idea of when 1.6.8 is
> planning to be released so I don't have to grab from CVS.)
>
> =G=
>
> -----Original Message-----
> From: Aaron Spangler [mailto:aaron at spangler.ods.org]
> Sent: Saturday, April 24, 2004 7:35 PM
> To: Galen Johnson
> Cc: as at insight.rr.com; Aaron Spangler; Leadbeter Jim; sudo-users at sudo.ws
> Subject: Re: Where do I get the LDAP patches for sudo.
>
> Any generic ldap client libraries should be fine communicating with LDAP.
> If you wanted to either do ldap_start_tls or LDAP over SSL(aka TLS) then
> you would want to use different client libraries.  Also some modifications
> would be needed to be done to Active Directory. (Such as installing a
> certificate.)
>
>  - Aaron
>
> >
> > It might also be worthwhile to note that the primary ldap server will be
> > MS Active Directory but hopefully the calls should work ok.
> >
> > =G=
> >
> >
> > -----Original Message-----
> > From: Aaron Spangler [mailto:as at insight.rr.com]
> > Sent: Fri 4/23/2004 3:14 PM
> > To: Galen Johnson; Aaron Spangler; Leadbeter, Jim
> > Cc: sudo-users at sudo.ws
> > Subject: Re: Where do I get the LDAP patches for sudo.
> >
> > I've never done Itanium before.  (I've been an HP-UX junky since 6.5 &
> > HP-UX 8.  I haven't used it much since 11.11 came out though).
> >
> > If I remember right, ldapux installs itself in /opt (but I could be
> > wrong).
> > That said, it should work if you include /opt/ldapux/include &
> > /opt/ldapux/lib.  (The paths might be different, I am just guessing at
> > this point.)
> >
> > Please let me know if you run into any problems.
> > I would be glad to help in any way I can.
> >
> >
> >  -Aaron
> >
> >
> > On Saturday 24 April 2004 01:52 am, Galen Johnson wrote:
> >
> > Do you know if this will compile on HPUX/IPF (Itanium) with the ldapux
> > component of HP?  I'll find out Monday, but I was just hoping you might
> > know of any gotchas.
> >

____________________________________________________________
sudo-users mailing list <sudo-users at sudo.ws>
For list information, options, or to unsubscribe, visit:
http://www.sudo.ws/mailman/listinfo/sudo-users