[sudo-workers] SASL support for sudo+ldap
Tom McLaughlin
tmclaugh at sdf.lonestar.org
Wed Jul 11 22:21:19 EDT 2007
Hi, I recently started experimenting with moving the rules on my various
machines into my LDAP directory. I see that sudo only supports
anonymous and simple binds to LDAP which I have turned off in favor of
only authenticated connections via SASL. Attached is a rudimentary
patch to add some SASL / GSSAPI support and will cause sudo to respect
use_sasl in ldap.conf.
I am not a C coder though. I can at best read and mostly understand
what is going on. Fortunately I'm also aware of a BSDL nss_ldap
implementation [1] which I was able to grab some code from to patch sudo
with (against SUDO_1_6_9). It works fine for me save a crash when my
krb5 ticket has expired. If memory serves me nss_ldap causes the same
thing when a ticket has expired. The patch does not support stuff like
sasl_authid, krb5_ccname, or any of the other sasl options from the
config. Due to my aforementioned lack of skill and the fact that the
patch "works for me" as is I probably won't do much more with it. If
someone wants to finish it up then have at it.
[1] http://perforce.freebsd.org/fileViewer.cgi?FSPC=//depot/projects/soc2006/nss%5fldap%5fcached/src/lib/nss%5fldap/ldapconn.c&REV=17
tom
--
| tmclaugh at sdf.lonestar.org tmclaugh at FreeBSD.org |
| FreeBSD http://www.FreeBSD.org |
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ldap-sasl.diff
Type: text/x-patch
Size: 4137 bytes
Desc: not available
URL: </pipermail/sudo-workers/attachments/20070711/8d01c1a4/attachment.bin>
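As an added illustration (not the patch attached to the post, and not configuration shipped by the sudo project), an ldap.conf fragment contrasting the simple bind the post describes with a SASL/GSSAPI bind. Only use_sasl is the option the posted patch honors; sasl_auth_id, krb5_ccname and sasl_secprops are assumptions taken from later sudoers.ldap(5) documentation, and the host, base DN, principal and paths are placeholders.

```conf
# /etc/ldap.conf fragment for sudo's LDAP sudoers lookup (illustration only).
# Hostname, base DN, principal and paths below are placeholders.
uri           ldap://ldap.example.org
sudoers_base  ou=SUDOers,dc=example,dc=org

# Before: simple bind.  A cleartext bindpw has to live in this file,
# and without TLS the password also crosses the wire in the clear.
# (Shown commented out; this is the setup the post moves away from.)
#binddn  cn=sudo,ou=services,dc=example,dc=org
#bindpw  placeholder-password

# After: SASL bind (GSSAPI).  sudo authenticates with the Kerberos
# credentials in the named cache, so no password is stored here.
use_sasl      on
# Principal to authenticate as (assumed option name; placeholder value).
sasl_auth_id  host/client.example.org@EXAMPLE.ORG
# Credential cache used for the bind (assumed option name).  Keep it
# renewed from a keytab by a periodic job: the post reports sudo
# failing when the ticket in the cache has expired, so a stale cache
# turns into a failed (or, with the posted patch, crashed) lookup.
krb5_ccname   /var/run/sudo/krb5cc_sudo
# Require integrity and confidentiality on the SASL session
# (assumed option name; uncomment once the server supports it).
#sasl_secprops minssf=56
```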