[sudo-workers] sudo+ldap and ldap.conf

Andrea Barisani lcars at gentoo.org
Tue Jun 14 14:40:24 EDT 2005

On Tue, Jun 14, 2005 at 12:39:06PM -0600, Todd C. Miller wrote:
> In message <20050614181346.GT3960 at sole.infis.univ.trieste.it>
> 	so spake Andrea Barisani (lcars):
> > Yes that was my workaround and indeed it is documented in README.LDAP but I
> > think you should stress more about this problem security_wise, simply showing
> > that you can redefine the conf doesn't show the security aspect of this issue
> > . 
> > 
> > Also don't you think that making sudo+ldap rootdn aware could be a good
> > option? (/etc/ldap.secret mode 600)
> It doesn't look like adding rootbinddn should be hard.  Am I correct
> in believing sudo just needs to look for rootbinddn in ldap.conf
> and if found use the password stored in /etc/ldap.secret?

Yes, actually rootbinddn (which is used only by processes with UID=0) is a
pretty useless feature pam_ldap/nss_ldap-wise (since usually when using passwd+ldap 
we want to auth the user with its own password), but it sounds perfect for sudo.

>  - todd

Andrea Barisani <lcars at gentoo.org>                            .*.
Gentoo Linux Infrastructure Developer                          V
                                                             (   )
GPG-Key 0x864C9B9E http://dev.gentoo.org/~lcars/pubkey.asc   (   )
    0A76 074A 02CD E989 CE7F AC3F DA47 578E 864C 9B9E        ^^_^^
      "Pluralitas non est ponenda sine necessitate"

More information about the sudo-workers mailing list