[sudo-workers] sudoers_* ldap keywords

Stephen Gallagher sgallagh at redhat.com
Tue Nov 29 19:48:57 EST 2011

On Tue, 2011-11-29 at 16:56 -0500, Todd C. Miller wrote:
> On Tue, 29 Nov 2011 14:35:39 +0100, Daniel Kopecek wrote:
> > after moving to /etc/nslcd.conf as the shared ldap configuration 
> > file, we've encountered a problem with nslcd's strict syntax checking 
> > and sudo's special configuration keywords (sudoers_*). This problem 
> > could be solved by adding those keywords to nslcd's dictionary of valid 
> > keywords, adding an option to ignore unknown keywords to nslcd, or by 
> > moving this keywords to sudo specific configuration files (sudoers or 
> > sudo.conf).
> Neither sudoers nor sudo.conf are really appropriate for this.
> Sudoers should not be required for a pure LDAP setup and sudo.conf
> is intended to be plugin agnostic.
> You could use a separate ldap configuration file for sudo, though
> this would mean duplicating the info in the main /etc/nslcd.conf
> file.  Since there are multiple consumers of ldap.conf (or the
> equivalent) each with their own settings it seems rather unfriendly
> for nslcd to error out on unknown settings.

Well, just to amend to this, the fact that nslcd.conf has multiple
consumers is a bug in itself - one that we're working to eliminate with
SSSD by producing plugins for talking to sudo, automount, openssh-lpk
and similar services.

It really is an abuse of another application's configuration. Just
because it happens to be there doesn't necessarily mean it's correct for
your application either.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part
URL: </pipermail/sudo-workers/attachments/20111129/c1527a61/attachment.bin>

More information about the sudo-workers mailing list