[sudo-workers] sudo+ldap and ldap.conf
Andrea Barisani
lcars at gentoo.org
Tue Jun 14 04:56:36 EDT 2005
Hi,
quoting README.LDAP: "The /etc/ldap.conf file is meant to be shared between
sudo, pam_ldap, nss_ldap", that's fine in theory but it also means that every
local user is able to see the ldap'ized /etc/sudoers settings while normally
/etc/sudoers is not readable by the user.
Having ldap.conf not readable is not an option when it's used with pam_ldap
and especially nss_ldap. So probably the only way to make sudo ldap settings
not readable by users is pointing it to a different ldap.conf (ldap.conf-sudo
with a specific binddn and bindpw) changing -DLDAP_CONFIG.
Do you agree that this actually decreases security and that it should be
handled differently or at least specified in the docs (maybe pointing the
ldap.conf-sudo hack) ?
Of course feel free to slap me on the face if I'm totally missing something
and there is a way to do what I'm seeking ;).
Cheers
P.S.
thx for adding ldap to sudo! it was the last missing bit for having a
complete ldap'ized system.
--
Andrea Barisani <lcars at gentoo.org> .*.
Gentoo Linux Infrastructure Developer V
( )
GPG-Key 0x864C9B9E http://dev.gentoo.org/~lcars/pubkey.asc ( )
0A76 074A 02CD E989 CE7F AC3F DA47 578E 864C 9B9E ^^_^^
"Pluralitas non est ponenda sine necessitate"
More information about the sudo-workers
mailing list