Bug 652687

Summary: sudo and nss_ldap use different ldap.conf
Product: Fedora
Component: sudo
Version: 14
Hardware: Unspecified
OS: Unspecified
Status: CLOSED ERRATA
Severity: medium
Priority: low
Reporter: Paul Morgan <pmorgan>
Assignee: Daniel Kopeček <dkopecek>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: dkopecek, kzak, scott
Fixed In Version: sudo-1.7.4p4-4.fc14
Doc Type: Bug Fix
Clones: 652726, 971013
Bug Blocks: 652726, 702098, 971013
Last Closed: 2010-12-02 19:12:22 UTC

Description Paul Morgan 2010-11-12 14:47:15 UTC
Description of problem:
When configuring a system for ldap lookups in PAM, sudo requires the admin to have both /etc/ldap.conf and /etc/nss_ldap.conf

Version-Release number of selected component (if applicable):
sudo-1.7.4p4

How reproducible:
always

Steps to Reproduce:
1. Configure system for ldap auth via nss_ldap (/etc/nss_ldap.conf)
2. Attempt to use sudo (fail)
3. cat /etc/nss_ldap.conf > /etc/ldap.conf
4. attempt to use sudo (win)
  
Actual results:
nss_ldap and sudo use different ldap config files

in 1st shell
------------
$ sudo -i
# ps -ef | grep <username>
# strace -o /tmp/strace.out -f -s99 -p <pid-of-bash>

in 2nd shell
------------
$ sudo uptime

in 1st shell
------------
CTRL-C to detach strace, then
review /tmp/strace.out:
# egrep 'ldap\.conf' /tmp/strace.out


Expected results:
nss_ldap and sudo should use same ldap configuration
(either /etc/nss_ldap.conf OR /etc/ldap.conf, but not both)

Additional info:

With %build of the spec file for sudo-1.7.4p4, configure specifies "--with-ldap" but does not specify "--with-ldap-conf-file" to be consistent with nss_ldap.

The outcome is that a single ldap configuration must exist in two places:
/etc/ldap.conf for sudo
/etc/nss_ldap.conf for nss_ldap

Comment 1 Paul Morgan 2010-11-12 14:48:51 UTC
another way to check configure-time options:

[root@x200 ~]# sudo -V | egrep ldap.conf
ldap.conf path: /etc/ldap.conf
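As an added example (not code from this bug report or from the sudo project), the strace procedure in the description and the `sudo -V` check above can be turned into a POSIX sh audit: read the compiled-in path out of `sudo -V` text and compare the security-relevant settings of the two files, since a stale /etc/ldap.conf can leave sudo connecting with weaker transport settings than nss_ldap. The `sudo -V` text, both config files and the list of keys worth comparing are constructed assumptions for the demo.

```shell
# Added example, not from the bug report: check whether sudo and nss_ldap read
# different LDAP config files and whether security-relevant settings drifted.
set -u
# Assumed keys whose divergence matters most: server, TLS use and verification,
# trusted CA, bind identity and the sudoers search base.
DRIFT_KEYS="uri host ssl tls_checkpeer tls_cacertfile tls_cacertdir binddn sudoers_base"
# Compiled-in path reported by `sudo -V` (its full output is passed as $1).
sudo_ldap_conf_path() {
    printf '%s\n' "$1" | sed -n 's/^ldap\.conf path:[[:space:]]*//p' | head -n 1
}
# Value of KEY ($2) in ldap.conf-style FILE ($1): first non-comment line whose
# first field matches KEY case-insensitively; prints nothing if absent.
ldap_conf_value() {
    awk -v key="$2" '$1 !~ /^#/ && tolower($1) == tolower(key) {
        sub(/^[^[:space:]]+[[:space:]]+/, ""); print; exit }' "$1"
}
# Print every key in DRIFT_KEYS whose value differs between FILE_A and FILE_B;
# returns 1 if anything drifted, 0 if the two files agree on all of them.
ldap_conf_drift() {
    _rc=0
    for _k in $DRIFT_KEYS; do
        _a=$(ldap_conf_value "$1" "$_k"); _b=$(ldap_conf_value "$2" "$_k")
        if [ "$_a" != "$_b" ]; then
            printf '%s: %s vs %s\n' "$_k" "${_a:-<unset>}" "${_b:-<unset>}"
            _rc=1
        fi
    done
    return $_rc
}
# Constructed sample inputs (not real system files) so this runs offline.
DEMO=$(mktemp -d); trap 'rm -rf "$DEMO"' EXIT
SUDO_V_OUTPUT='Sudo version 1.7.4p4
ldap.conf path: /etc/ldap.conf'
cat > "$DEMO/nss_ldap.conf" <<'EOF'
uri ldaps://ldap.example.com/
ssl on
TLS_CheckPeer yes
tls_cacertfile /etc/pki/tls/certs/ca-bundle.crt
EOF
cat > "$DEMO/ldap.conf" <<'EOF'
# stale copy that sudo reads while nss_ldap uses nss_ldap.conf
uri ldap://ldap.example.com/
ssl start_tls
tls_checkpeer no
EOF
printf 'sudo reads: %s\n' "$(sudo_ldap_conf_path "$SUDO_V_OUTPUT")"
ldap_conf_drift "$DEMO/nss_ldap.conf" "$DEMO/ldap.conf" ||
    echo "DRIFT: sudo may reach LDAP with weaker transport settings than nss_ldap"
```

On a real host, replace the constructed inputs with `"$(sudo -V)"` and the two files under /etc; a non-zero exit from ldap_conf_drift is the finding to act on.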

Comment 3 Daniel Kopeček 2010-11-16 11:17:19 UTC
I wonder why this change was made in nss_ldap/f14. We need to change the secret file path too.

Comment 4 Fedora Update System 2010-11-30 12:06:08 UTC
sudo-1.7.4p4-4.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/sudo-1.7.4p4-4.fc14

Comment 5 Fedora Update System 2010-11-30 22:13:56 UTC
sudo-1.7.4p4-4.fc14 has been pushed to the Fedora 14 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update sudo'. You can provide feedback for this update here: https://admin.fedoraproject.org/updates/sudo-1.7.4p4-4.fc14

Comment 6 Fedora Update System 2010-12-02 19:12:16 UTC
sudo-1.7.4p4-4.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.