[sudo-workers] sudo+ldap and ldap.conf

Aaron Spangler aaron777 at gmail.com
Tue Jun 14 14:09:53 EDT 2005


There are several options:

Option 1:
On systems with nscd (such as Linux & Solaris), NSCD starts up as root
on boot, so you can chmod 600 /etc/ldap.conf and even non-root
processes will be able to query Name service information (via libc->
getXXbyYY -> nscd (root out of process) -> nss_ldap).  Also pam_ldap
is usually called as root anyway via daemon processes.  So you can
have a perfectly happy system that uses the built in nscd api to get
the name service information.
The only drawback is that if nscd dies the system will have problems. 
I have seen many solaris systems that run for months without reboot
using nscd exclusively.  Another *slight* drawback is that nscd
typically provides information for three types of entries, user,
group, and host.  If you are using netgroups via ldap, then you might
need to do the split file approach.

Option 2: 
If you are not using nss_ldap (but only using pam_ldap) you can still
have the file 600 since pam generally requires all authentications be
done by root (to access /etc/shadow or equivilent for example).  We
have one very large client with about 650 systems running like this.

Option 3:
Use the split file approach you already documented earlier via the 
-DLDAP_CONFIG option.

I hope this information helps.

 -Aaron


On 6/14/05, Andrea Barisani <lcars at gentoo.org> wrote:
> 
> Hi,
> 
> quoting README.LDAP: "The /etc/ldap.conf file is meant to be shared between
> sudo, pam_ldap, nss_ldap", that's fine in theory but it also means that every
> local user is able to see the ldap'ized /etc/sudoers settings while normally
> /etc/sudoers is not readable by the user.
> 
> Having ldap.conf not readable is not an option when it's used with pam_ldap
> and especially nss_ldap. So probably the only way to make sudo ldap settings
> not readable by users is pointing it to a different ldap.conf (ldap.conf-sudo
> with a specific binddn and bindpw) changing -DLDAP_CONFIG.
> 
> Do you agree that this actually decreases security and that it should be
> handled differently or at least specified in the docs (maybe pointing the
> ldap.conf-sudo hack) ?
> 
> Of course feel free to slap me on the face if I'm totally missing something
> and there is a way to do what I'm seeking ;).
> 
> Cheers
> 
> P.S.
> thx for adding ldap to sudo! it was the last missing bit for having a
> complete ldap'ized system.
> 
> --
> Andrea Barisani <lcars at gentoo.org>                            .*.
> Gentoo Linux Infrastructure Developer                          V
>                                                              (   )
> GPG-Key 0x864C9B9E http://dev.gentoo.org/~lcars/pubkey.asc   (   )
>     0A76 074A 02CD E989 CE7F AC3F DA47 578E 864C 9B9E        ^^_^^
>       "Pluralitas non est ponenda sine necessitate"
> ____________________________________________________________
> sudo-workers mailing list <sudo-workers at sudo.ws>
> For list information, options, or to unsubscribe, visit:
> http://www.sudo.ws/mailman/listinfo/sudo-workers
>




More information about the sudo-workers mailing list