[sudo-users] LDAP and TLS certificates

David Magda dmagda at ee.ryerson.ca
Thu Sep 27 17:07:13 MDT 2018


On Sep 27, 2018, at 17:47, Daniele Palumbo <daniele at retaggio.net> wrote:

> Any particular reason for which you would not use sssd?

When I started at my current company many years ago, SSSD hadn’t really been invented, or at least not included in Debian. So to hook up to LDAP we used the old school PADL /etc/libnss-ldap.conf, etc. This also called for using /etc/sudo-ldap.conf -> ldap/ldap.conf.

Then at some point Debian recommended going to nslcd. So instead of editing /etc/*ldap.conf, we now had /etc/nslcd.conf. In both cases all we really needed was a BASE and a URI line in a file and things worked. No changes to /etc/sudo-ldap.conf.

We’ve also upgraded many systems in-place from Debian 5 to 6 to 7 to 8 to 9, and those probably still have the PADL software.

Going to SSSD didn’t really enter into the picture, since all we really need is for getent and sudo to work.

We have some recent proprietary software that insists on RHEL / CentOS 7, so we’re now looking into SSSD a bit there. SSSD could be awesome, but I’ve never needed to look into it.


