[sudo-workers] sudo+ldap and ldap.conf

Andrea Barisani lcars at gentoo.org
Tue Jun 14 04:56:36 EDT 2005


quoting README.LDAP: "The /etc/ldap.conf file is meant to be shared between
sudo, pam_ldap, nss_ldap", that's fine in theory but it also means that every
local user is able to see the ldap'ized /etc/sudoers settings while normally
/etc/sudoers is not readable by the user.

Having ldap.conf not readable is not an option when it's used with pam_ldap
and especially nss_ldap. So probably the only way to make sudo ldap settings 
not readable by users is pointing it to a different ldap.conf (ldap.conf-sudo 
with a specific binddn and bindpw) changing -DLDAP_CONFIG.

Do you agree that this actually decreases security and that it should be
handled differently or at least specified in the docs (maybe pointing the
ldap.conf-sudo hack) ?

Of course feel free to slap me on the face if I'm totally missing something
and there is a way to do what I'm seeking ;).


thx for adding ldap to sudo! it was the last missing bit for having a
complete ldap'ized system.

Andrea Barisani <lcars at gentoo.org>                            .*.
Gentoo Linux Infrastructure Developer                          V
                                                             (   )
GPG-Key 0x864C9B9E http://dev.gentoo.org/~lcars/pubkey.asc   (   )
    0A76 074A 02CD E989 CE7F AC3F DA47 578E 864C 9B9E        ^^_^^
      "Pluralitas non est ponenda sine necessitate"

More information about the sudo-workers mailing list