[sudo-workers] SASL support for sudo+ldap

Tom McLaughlin tmclaugh at sdf.lonestar.org
Wed Jul 11 22:21:19 EDT 2007

Hi, I recently started experimenting with moving the rules on my various
machines into my LDAP directory.  I see that sudo only supports
anonymous and simple binds to LDAP which I have turned off in favor of
only authenticated connections via SASL.  Attached is a rudimentary
patch to add some SASL / GSSAPI support and will cause sudo to respect
use_sasl in ldap.conf.

I am not a C coder though.  I can at best read and mostly understand
what is going on.  Fortunately I'm also aware of a BSDL nss_ldap
implementation [1] which I was able to grab some code from to patch sudo
with (against SUDO_1_6_9).  It works fine for me save a crash when my
krb5 ticket has expired.  If memory serves me nss_ldap causes the same
thing when a ticket has expired.  The patch does not support stuff like
sasl_authid, krb5_ccname, or any of the other sasl options from the
config.  Due to my aforementioned lack of skill and the fact that the
patch "works for me" as is I probably won't due much more with it.  If
someone wants to finish it up then have at it.

[1] http://perforce.freebsd.org/fileViewer.cgi?FSPC=//depot/projects/soc2006/nss%5fldap%5fcached/src/lib/nss%5fldap/ldapconn.c&REV=17

| tmclaugh at sdf.lonestar.org             tmclaugh at FreeBSD.org |
| FreeBSD                                   http://www.FreeBSD.org |
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ldap-sasl.diff
Type: text/x-patch
Size: 4137 bytes
Desc: not available
URL: </pipermail/sudo-workers/attachments/20070711/8d01c1a4/attachment.bin>

More information about the sudo-workers mailing list