[sudo-workers] sudoers_* ldap keywords
Stephen Gallagher
sgallagh at redhat.com
Tue Nov 29 19:48:57 EST 2011
On Tue, 2011-11-29 at 16:56 -0500, Todd C. Miller wrote:
> On Tue, 29 Nov 2011 14:35:39 +0100, Daniel Kopecek wrote:
>
> > after moving to /etc/nslcd.conf as the shared ldap configuration
> > file, we've encountered a problem with nslcd's strict syntax checking
> > and sudo's special configuration keywords (sudoers_*). This problem
> > could be solved by adding those keywords to nslcd's dictionary of valid
> > keywords, adding an option to ignore unknown keywords to nslcd, or by
> > moving these keywords to sudo-specific configuration files (sudoers or
> > sudo.conf).
>
> Neither sudoers nor sudo.conf are really appropriate for this.
> Sudoers should not be required for a pure LDAP setup and sudo.conf
> is intended to be plugin agnostic.
>
> You could use a separate ldap configuration file for sudo, though
> this would mean duplicating the info in the main /etc/nslcd.conf
> file. Since there are multiple consumers of ldap.conf (or the
> equivalent) each with their own settings it seems rather unfriendly
> for nslcd to error out on unknown settings.

Well, just to amend to this, the fact that nslcd.conf has multiple
consumers is a bug in itself - one that we're working to eliminate with
SSSD by producing plugins for talking to sudo, automount, openssh-lpk
and similar services.

It really is an abuse of another application's configuration. Just
because it happens to be there doesn't necessarily mean it's correct for
your application either.