
agaffney, posted Nov 14 2011, 09:59 PM:
I'm working on a large migration from CentOS 5.x to Scientific 6.1. The only part I haven't yet figured out is how to make the sudo LDAP policies work. It seems there is a lot of conflicting information and problems with the packages.

Here's the problem. With the latest versions of the sudo and nslcd packages, there appears to be an unresolvable conflict. The sudo binary is looking at /etc/nslcd.conf to find the "sudoers_base" option to know where in LDAP to look for policies. However, the nslcd service refuses to start with that line in /etc/nslcd.conf, because it does not recognize the option. This conflict makes it impossible to use both LDAP for NSS/PAM *and* sudo LDAP policies.

It seems that there has been some contention over this. Originally, sudo looked at /etc/ldap.conf. Then it was switched to /etc/nss_ldap.conf. With the latest change, it was switched to /etc/nslcd.conf. Here is the RHEL errata for the latest change: https://rhn.redhat.com/errata/RHBA-2011-1175.html

Am I missing something obvious here, or has RHEL really screwed the pooch on this one?
DisabledLeopard, posted Dec 6 2011, 03:36 AM:
This is a real bummer for me as it effectively stalls my progress in preparing a Sci Linux 6.1 based image. I'm tempted to just get the SRPM and rebuild it, modifying it myself, since the ldap file is a configure option of sudo.

Seems like a glaringly obvious omission by RHEL QA that the sudo and nss-pam-ldapd packages both get updated (including man pages) to specify that sudo will use /etc/nslcd.conf, yet nslcd is incompatible with sudo options AND sudo will not fall back to using /etc/ldap.conf or /etc/openldap/ldap.conf (both of which DO support sudo options). Anyone got a better workaround than rebuilding sudo ourselves? (I can post my modified RPM if wanted.)
DisabledLeopard, posted Dec 7 2011, 05:41 AM:
I've raised this with Red Hat since it doesn't appear in their bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=760843

Also the CentOS bugzilla entry for the same: http://bugs.centos.org/view.php?id=5200
herson, posted Feb 15 2012, 06:12 PM:
I have also made an RPM built from source; I just changed:

    --with-ldap-conf-file=/etc/nslcd.conf

to

    --with-ldap-conf-file=/etc/pam_ldap.conf

After installing the newly rebuilt RPM package, I'm getting this in /var/slapd/slapd.log:

    slapd[4470]: conn=1488 fd=17 closed (idletimeout)

and:

    $ sudo bash
    sudo: ldap_sasl_bind_s(): Can't contact LDAP server
    sudo: no valid sudoers sources found, quitting

Any advice?
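As an added example (not from the thread, sudo or nss-pam-ldapd), a small Python lint that flags the two failure modes the posts describe: a sudo-only option in a file nslcd reads (nslcd then refuses to start), and a file handed to sudo that lacks sudoers_base or any uri/host line (sudo then has no sudoers source or cannot bind). The set of sudo-only option names is taken from sudoers.ldap(5) and the sample config contents are constructed.

```python
# Options only sudo's LDAP backend understands (sudoers.ldap(5)). The thread
# shows nslcd rejecting sudoers_base; assuming it rejects the others too.
SUDO_ONLY_OPTIONS = {"sudoers_base", "sudoers_debug",
                     "sudoers_search_filter", "sudoers_timed"}
# Without one of these sudo cannot bind ("Can't contact LDAP server").
SERVER_OPTIONS = {"uri", "host"}


def parse_conf(text):
    """Parse an ldap.conf/nslcd.conf-style file into (option, value) pairs."""
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            parts = line.split(None, 1)
            pairs.append((parts[0].lower(), parts[1].strip() if len(parts) > 1 else ""))
    return pairs


def audit(text, used_by_nslcd=True, used_by_sudo=True):
    """Return why this file breaks nslcd and/or sudo (empty list = fine)."""
    opts = {name for name, _ in parse_conf(text)}
    findings = []
    bad = sorted(opts & SUDO_ONLY_OPTIONS)
    if used_by_nslcd and bad:
        findings.append("nslcd will refuse to start: unknown option(s) " + ", ".join(bad))
    if used_by_sudo and "sudoers_base" not in opts:
        findings.append("sudo has no sudoers source: sudoers_base is missing")
    if used_by_sudo and not opts & SERVER_OPTIONS:
        findings.append("sudo cannot bind: no uri or host directive")
    return findings


# Constructed sample: a combined /etc/nslcd.conf as the first post describes.
COMBINED_CONF = """\
uri ldap://ldap.example.com/
base dc=example,dc=com
sudoers_base ou=SUDOers,dc=example,dc=com
"""
# Constructed sample: a pam_ldap.conf that never names the server, which
# would reproduce the "Can't contact LDAP server" symptom in the last post.
PAM_LDAP_CONF = """\
base dc=example,dc=com
sudoers_base ou=SUDOers,dc=example,dc=com
"""

if __name__ == "__main__":
    print("nslcd.conf:", audit(COMBINED_CONF) or ["ok"])
    print("pam_ldap.conf:", audit(PAM_LDAP_CONF, used_by_nslcd=False) or ["ok"])
```

Run it against the real files with `audit(open("/etc/nslcd.conf").read())`, passing `used_by_nslcd=False` for a file only the rebuilt sudo reads.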