[sudo-users] sudo-ldap and sasl/external

Vasiliy Molostov molostoff at gmail.com
Thu May 31 23:09:57 EDT 2012


Hi!

I have a question about how to configure sudo-ldap with SASL/EXTERNAL 
authentication, as used by ldap-utils (for example, as ldapsearch -Y EXTERNAL does).

I have tried to do the same with sudo-ldap but was unsuccessful, since it 
always tries to use binddn and bindpw, and if these are not specified sudo uses 
an anonymous bind to the ldap server. This behavior makes a connection to ldapi:/// 
without specifying ldap passwords unsuccessful, and if the ldap server does not 
honor anonymous queries about sudoers, it makes everything worse.

I have tried to chmod 400 the /etc/sudo-ldap.conf file owned by root, and a regular 
user was still able to execute sudo, and sudo itself was able to read these 
settings. So as I understand it, sudo is able to use suid and make an 
authenticated bind with the 'simple' SASL method (the 'simple' sasl mech refers to the 
ldap-utils method mostly applicable when connecting to ldapi:///).

If someone can help here I will be very happy, thanks!

A second question I have is more distribution related: in Ubuntu precise the sudo-
ldap package installs /etc/sudo-ldap.conf as a soft link to 
/etc/ldap/ldap.conf and provides this as its own configuration file. 
The /etc/ldap/ldap.conf file currently holds the system-wide settings for 
ldap-utils (client tools) and thus is system-wide readable. At the same 
time sudo-ldap stores its secure passwords there, and I suppose that is not 
correct. 

Although this may be a packaging bug in Debian, sudo-ldap cannot use 
/etc/ldap/ldap.conf as its own config, since the two serve different purposes.

If someone can explain this unclear thing, I would be thankful too.
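The second question above describes a bindpw ending up in a world-readable file through the /etc/sudo-ldap.conf symlink. The following audit script is an added example, not code from the poster or from the sudo or Debian projects; it assumes a POSIX shell with ls(1), readlink(1) and grep(1), and the config files it inspects in the demo are constructed to mirror the layout described in the post.

```shell
#!/bin/sh
# Added example: audit a sudo-ldap config for a static bind password (bindpw)
# that is readable by every local user, typically because /etc/sudo-ldap.conf
# is a symlink to the world-readable ldap-utils file /etc/ldap/ldap.conf.
# Assumes POSIX ls/readlink/grep. Sample files below are constructed for the demo.

# check_sudo_ldap_conf PATH -> returns 0 if no issue found, 1 otherwise
check_sudo_ldap_conf() {
    conf=$1; rc=0
    if [ -L "$conf" ]; then
        target=$(readlink "$conf")
        echo "NOTE: $conf is a symlink to $target; the target's permissions apply"
        case "$target" in           # sudo config reusing the ldap-utils client config
            */ldap.conf) echo "WARN: $conf shares the ldap-utils client config"; rc=1 ;;
        esac
    fi
    if grep -iq '^[[:space:]]*bindpw[[:space:]]' "$conf"; then
        # ls -L follows the symlink; columns 5-10 are the group and other bits
        perm=$(ls -ldL "$conf" | cut -c5-10)
        case "$perm" in
            *r*) echo "FAIL: $conf stores bindpw but is group/world readable"; rc=1 ;;
            *)   echo "OK: bindpw in $conf is readable by the owner only" ;;
        esac
    else
        echo "OK: no static bindpw in $conf"
    fi
    return $rc
}

# make_samples DIR: constructed files mirroring the Ubuntu layout from the post
make_samples() {
    d=$1
    printf 'uri ldapi:///\nsudoers_base ou=SUDOers,dc=example,dc=com\n' > "$d/ldap.conf"
    printf 'binddn cn=sudo,dc=example,dc=com\nbindpw secret\n' >> "$d/ldap.conf"
    chmod 644 "$d/ldap.conf"                   # world readable, like /etc/ldap/ldap.conf
    ln -s "$d/ldap.conf" "$d/sudo-ldap.conf"   # the packaging symlink
    cp "$d/ldap.conf" "$d/sudo-ldap-private.conf"
    chmod 400 "$d/sudo-ldap-private.conf"      # the layout the poster wants
}

# demo: run both checks against the constructed files
demo() {
    tmp=$(mktemp -d); make_samples "$tmp"
    for f in sudo-ldap.conf sudo-ldap-private.conf; do
        if check_sudo_ldap_conf "$tmp/$f"; then echo "=> no issue"; else echo "=> issue"; fi
    done
    rm -rf "$tmp"
}
demo
```

On a real host run `check_sudo_ldap_conf /etc/sudo-ldap.conf` as root; a clean result still leaves the question of SASL vs. simple bind to sudo's own configuration.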