[sudo-workers] sudoers_* ldap keywords

Todd C. Miller Todd.Miller at courtesan.com
Tue Nov 29 16:56:38 EST 2011


On Tue, 29 Nov 2011 14:35:39 +0100, Daniel Kopecek wrote:

> After moving to /etc/nslcd.conf as the shared ldap configuration
> file, we've encountered a problem with nslcd's strict syntax checking
> and sudo's special configuration keywords (sudoers_*). This problem
> could be solved by adding those keywords to nslcd's dictionary of valid
> keywords, adding an option to ignore unknown keywords to nslcd, or by
> moving these keywords to sudo-specific configuration files (sudoers or
> sudo.conf).

Neither sudoers nor sudo.conf are really appropriate for this.
Sudoers should not be required for a pure LDAP setup and sudo.conf
is intended to be plugin agnostic.

You could use a separate ldap configuration file for sudo, though
this would mean duplicating the info in the main /etc/nslcd.conf
file.  Since there are multiple consumers of ldap.conf (or the
equivalent), each with their own settings, it seems rather unfriendly
for nslcd to error out on unknown settings.

 - todd
