Scientific Linux Forum.org
Sudo and LDAP

agaffney
Posted: Nov 14 2011, 09:59 PM
SLF Newbie, Group: Members, Posts: 1, Member No.: 1032, Joined: 14-November 11

I'm working on a large migration from CentOS 5.x to Scientific 6.1. The only part I haven't yet figured out is how to make the sudo LDAP policies work. It seems there is a lot of conflicting information and problems with the packages.

Here's the problem. With the latest versions of the sudo and nslcd package, there appears to be an unresolvable conflict. The sudo binary is looking at /etc/nslcd.conf to find the "sudoers_base" option to know where in LDAP to look for policies. However, the nslcd service refuses to start with that line in /etc/nslcd.conf, because it does not recognize the option. This conflict makes it impossible to use both LDAP for NSS/PAM *and* sudo LDAP policies.

It seems that there has been some contention over this. Originally, sudo looked at /etc/ldap.conf. Then it was switched to /etc/nss_ldap.conf. With the latest change, it was switched to /etc/nslcd.conf.

Here is the RHEL errata for the latest change:

https://rhn.redhat.com/errata/RHBA-2011-1175.html

Am I missing something obvious here, or has RHEL really screwed the pooch on this one?
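An added illustration, not code from this thread or from the sudo or nss-pam-ldapd projects, of the split the post describes: nslcd refuses to start when sudo's options sit in /etc/nslcd.conf, so the sudo-only keywords have to live in a separate file. The POSIX shell script below sorts a mixed config into the lines nslcd accepts and the lines only sudo understands. The sample config is constructed, and the list of sudo-only keywords is an assumption taken from sudoers.ldap(5).

```shell
#!/bin/sh
# Added example, not code from the thread or from the sudo/nslcd projects.
# Splits an LDAP client config into the options nslcd knows and the
# sudo-specific options nslcd rejects, so each set can be kept in its own
# file: nslcd's /etc/nslcd.conf, and whatever path the local sudo build was
# configured to read.
# The sudo-only keyword list is an assumption taken from sudoers.ldap(5).

SUDO_ONLY_KEYS="sudoers_base sudoers_debug sudoers_search_filter sudoers_timed"

# is_sudo_only KEY: exit 0 if KEY is an option only sudo understands
is_sudo_only() {
    for k in $SUDO_ONLY_KEYS; do
        [ "$1" = "$k" ] && return 0
    done
    return 1
}

# filter_conf FILE MODE: print the lines of FILE whose keyword is sudo-only
# (MODE=sudo) or accepted by nslcd (MODE=nslcd); comments and blanks are dropped.
filter_conf() {
    file=$1; mode=$2
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        set -f; set -- $line; set +f    # word-split: $1 is the keyword, no globbing
        if is_sudo_only "$1"; then
            [ "$mode" = sudo ] && printf '%s\n' "$line"
        else
            [ "$mode" = nslcd ] && printf '%s\n' "$line"
        fi
    done < "$file"
}

# count_lines FILE MODE: number of lines filter_conf prints for that mode
count_lines() {
    filter_conf "$1" "$2" | wc -l | tr -d ' '
}

# write_sample: create a constructed mixed nslcd.conf and print its path
write_sample() {
    f=${TMPDIR:-/tmp}/mixed-nslcd.conf.$$
    cat > "$f" <<'EOF'
# constructed sample of a mixed /etc/nslcd.conf (not a real site config)
uid nslcd
gid ldap
uri ldap://ldap.example.com/
base dc=example,dc=com
ssl start_tls
sudoers_base ou=SUDOers,dc=example,dc=com
sudoers_debug 1
EOF
    echo "$f"
}

sample=$(write_sample)
echo "== options nslcd accepts (keep in /etc/nslcd.conf) =="
filter_conf "$sample" nslcd
echo "== sudo-only options nslcd rejects (move to sudo's LDAP config file) =="
filter_conf "$sample" sudo
rm -f "$sample"
```

The path a given sudo binary was built to read is reported by `sudo -V` when run as root (the "ldap.conf path" line), which is the quickest way to confirm which file the sudo-only block should be moved into.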

DisabledLeopard
Posted: Dec 6 2011, 03:36 AM
SLF Newbie, Group: Members, Posts: 2, Member No.: 1093, Joined: 6-December 11

This is a real bummer for me as it effectively stalls my progress in preparing a Sci Linux 6.1 based image. I'm tempted to just get the srpm and rebuild it, modifying it myself, since the ldap file is a configure option of sudo.

Seems like a glaringly obvious omission by RHEL QA that the sudo and nss-pam-ldapd packages both get updated (including man pages) to specify that sudo will use /etc/nslcd.conf, yet nslcd is incompatible with sudo options AND sudo will not fall back to using /etc/ldap.conf or /etc/openldap/ldap.conf (both of which DO support sudo options).

Anyone got a better workaround than rebuilding sudo ourselves?

(I can post my modified RPM if wanted.)

DisabledLeopard
Posted: Dec 7 2011, 05:41 AM
SLF Newbie, Group: Members, Posts: 2, Member No.: 1093, Joined: 6-December 11

I've raised this with Red Hat since it doesn't appear in their bugzilla:
https://bugzilla.redhat.com/show_bug.cgi?id=760843

Also the CentOS bugzilla entry for the same issue: http://bugs.centos.org/view.php?id=5200

herson
Posted: Feb 15 2012, 06:12 PM
SLF Newbie, Group: Members, Posts: 1, Member No.: 1291, Joined: 15-February 12

I have also made a built-from-source rpm; I just changed:

--with-ldap-conf-file=/etc/nslcd.conf

to

--with-ldap-conf-file=/etc/pam_ldap.conf

After installing the newly rebuilt rpm package, I'm getting:

slapd[4470]: conn=1488 fd=17 closed (idletimeout)

in /var/slapd/slapd.log

and

$ sudo bash
sudo: ldap_sasl_bind_s(): Can't contact LDAP server
sudo: no valid sudoers sources found, quitting

Any advice?