[sudo-workers] sudo+ldap and ldap.conf
lcars at gentoo.org
Tue Jun 14 14:40:24 EDT 2005
On Tue, Jun 14, 2005 at 12:39:06PM -0600, Todd C. Miller wrote:
> In message <20050614181346.GT3960 at sole.infis.univ.trieste.it>
> so spake Andrea Barisani (lcars):
> > Yes, that was my workaround, and indeed it is documented in README.LDAP, but I
> > think you should stress this problem more security-wise; simply showing
> > that you can redefine the conf doesn't show the security aspect of this issue.
> > Also, don't you think that making sudo+ldap rootdn aware could be a good
> > option? (/etc/ldap.secret mode 600)
> It doesn't look like adding rootbinddn should be hard. Am I correct
> in believing sudo just needs to look for rootbinddn in ldap.conf
> and if found use the password stored in /etc/ldap.secret?
Yes, actually rootbinddn (which is used only by processes with UID=0) is a
pretty useless feature pam_ldap/nss_ldap-wise (since usually when using passwd+ldap
we want to authenticate the user with their own password), but it sounds perfect for sudo.
> - todd
Andrea Barisani <lcars at gentoo.org>
Gentoo Linux Infrastructure Developer
GPG-Key 0x864C9B9E http://dev.gentoo.org/~lcars/pubkey.asc
0A76 074A 02CD E989 CE7F AC3F DA47 578E 864C 9B9E
"Pluralitas non est ponenda sine necessitate"
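As an added illustration of the scheme discussed above (not sudo's code and not part of the thread): a Python sketch that reads rootbinddn from ldap.conf and uses the ldap.secret password only when the caller is UID 0 and the file is root-owned with mode 600, falling back to binddn/bindpw otherwise. The config text, password and file paths are constructed for the demo.

```python
import os, stat, tempfile
from pathlib import Path

def parse_ldap_conf(text):
    """Parse ldap.conf ("key value" per line, '#' comments) into a lowercase-key dict."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            parts = line.split(None, 1)
            conf[parts[0].lower()] = parts[1] if len(parts) > 1 else ""
    return conf

def read_root_secret(path, uid=None):
    """Return the rootbinddn password from path, or None when it must not be used."""
    uid = os.geteuid() if uid is None else uid
    if uid != 0:  # rootbinddn is only meaningful for UID 0 processes
        return None
    st = os.stat(path)
    # Require root ownership and mode 600: any group/other access bit disqualifies it.
    if st.st_uid != 0 or st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        return None
    return Path(path).read_text().split("\n", 1)[0]

def select_bind(conf, secret_path, uid=None):
    """Pick (binddn, password): rootbinddn with the secret if usable, else binddn/bindpw."""
    if conf.get("rootbinddn"):
        secret = read_root_secret(secret_path, uid)
        if secret is not None:
            return conf["rootbinddn"], secret
    return conf.get("binddn", ""), conf.get("bindpw", "")

CONSTRUCTED_CONF = """# constructed sample ldap.conf, not from any real deployment
binddn cn=proxy,dc=example,dc=com
bindpw proxypw
rootbinddn cn=Manager,dc=example,dc=com
"""

def demo():
    conf = parse_ldap_conf(CONSTRUCTED_CONF)
    with tempfile.TemporaryDirectory() as tmp:
        secret = os.path.join(tmp, "ldap.secret")
        Path(secret).write_text("s3cret\n")  # constructed password
        os.chmod(secret, 0o644)  # too permissive: ignored even for UID 0
        loose = select_bind(conf, secret, uid=0)
        os.chmod(secret, 0o600)
        strict = select_bind(conf, secret, uid=0)
        unprivileged = select_bind(conf, secret, uid=1000)
    return {"conf": conf, "loose": loose, "strict": strict,
            "unprivileged": unprivileged, "running_as_root": os.geteuid() == 0}
```

The strict case only yields the rootbinddn credentials when the demo itself runs as root, since a temp file created by an ordinary user is not root-owned.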