Bug 736672

Summary: nslcd fails to start if it has keywords as 'sudoers_base' and 'sudoers_debug'.
Product: Red Hat Enterprise Linux 6 Reporter: Gowrishankar Rajaiyan <grajaiya>
Component: nss-pam-ldapdAssignee: Nalin Dahyabhai <nalin>
Status: CLOSED WONTFIX QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 6.2CC: jgalipea, jhrozek, mniranja, prc
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-09-08 16:38:35 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Gowrishankar Rajaiyan 2011-09-08 11:55:57 UTC 
Description of problem:


Version-Release number of selected component (if applicable):
# rpm -q sudo nss-pam-ldapd
sudo-1.7.4p5-7.el6.i686
nss-pam-ldapd-0.7.5-9.el6.i686

How reproducible:
Always

Steps to Reproduce:
1. Configure /etc/nslcd.conf as:
# grep ^[^#] /etc/nslcd.conf 
uid nslcd
gid ldap
sudoers_base ou=SUDOers,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
binddn uid=sudo,cn=sysaccounts,cn=etc,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
bindpw bind123
ssl no
tls_cacertfile /etc/ipa/ca.crt
bind_timelimit 5
timelimit 15
BASE dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
TLS_CACERTDIR /etc/ipa
uri ldap://bumblebee.lab.eng.pnq.redhat.com

2. service nslcd restart
3.
  
Actual results:
# service nslcd restart
Stopping nslcd:                                            [  OK  ]
Starting nslcd: nslcd: /etc/nslcd.conf:132: unknown keyword: 'sudoers_base'
                                                           [FAILED]

However, sudo works as expected if you have "sudoers_base" and "sudoers_debug" in /etc/nslcd.conf. 


Expected results:
nslcd should recognize these keywords.

As per the fix in https://bugzilla.redhat.com/show_bug.cgi?id=709235 sudo now searches the /etc/nslcd.conf file, hence the sudoers_base and sudoers_debug keywords should be recognized and nslcd should start without any failures.

Additional info:
https://bugzilla.redhat.com/show_bug.cgi?id=709235
Comment 2 Nalin Dahyabhai 2011-09-08 16:38:35 UTC 
sudo needs to have its own configuration file.  Depending on configuration files from other packages which may or may not be installed (and requiring nslcd so that its configuration file will be there, even if the system uses something else like SSSD) will inevitably break.