Bug 971013

Summary: sudo and nss_ldap use different ldap.conf
Product: Red Hat Enterprise Linux 7
Component: sudo
Version: 7.0
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: low
Target Milestone: beta
Keywords: Regression
Hardware: Unspecified
OS: Unspecified
Reporter: Aleš Mareček <amarecek>
Assignee: Daniel Kopeček <dkopecek>
QA Contact: Eduard Benes <ebenes>
CC: dkopecek, ebenes, kzak, pmorgan, scott
Fixed In Version: sudo-1.8.6p7-3.el7
Doc Type: Bug Fix
Clone Of: 652687
Last Closed: 2014-06-13 09:56:29 UTC
Bug Depends On: 652687
Bug Blocks: 652726, 702098, 878439

Description Aleš Mareček 2013-06-05 13:14:43 UTC
+++ This bug was initially created as a clone of Bug #652687 +++

Description of problem:
When configuring a system for ldap lookups in PAM, sudo requires admin to have both /etc/ldap.conf and /etc/nss_ldap.conf


Version-Release number of selected component (if applicable):
sudo-1.7.4p4

How reproducible:
always

Steps to Reproduce:
1. Configure system for ldap auth via nss_ldap (/etc/nss_ldap.conf)
2. Attempt to use sudo (fail)
3. cat /etc/nss_ldap.conf > /etc/ldap.conf
4. Attempt to use sudo (win)

Actual results:
nss_ldap and sudo use different ldap config files

in 1st shell
------------
$ sudo -i
# ps -ef | grep <username>
# strace -o /tmp/strace.out -f -s99 -p <pid-of-bash>

in 2nd shell
------------
$ sudo uptime

in 1st shell
------------
CTRL-C to detach strace, then
review /tmp/strace.out:
# egrep 'ldap\.conf' /tmp/strace.out


Expected results:
nss_ldap and sudo should use same ldap configuration
(either /etc/nss_ldap.conf OR /etc/ldap.conf, but not both)

Additional info:

With %build of the spec file for sudo-1.7.4p4, configure specifies "--with-ldap" but does not specify "--with-ldap-conf-file" to be consistent with nss_ldap.

The outcome is that a single ldap configuration must exist in two places:
/etc/ldap.conf for sudo
/etc/nss_ldap.conf for nss_ldap
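
A drift check for the situation this report describes, where the same settings have to live in both /etc/ldap.conf and /etc/nss_ldap.conf and can silently diverge (for example, a TLS setting present in only one copy). This is an added example, not part of the original bug report or of sudo or nss_ldap. The function names, the sample hostname and the treatment of directive names as case-insensitive are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the bug report): report directives that differ
# between two ldap.conf-style files.

# normalize FILE: drop comments and blank lines, lowercase the directive
# name (assumed case-insensitive), collapse whitespace, sort for comm(1).
normalize() {
    awk '
        /^[ \t]*(#|$)/ { next }
        {
            key = tolower($1)
            $1 = ""                 # rebuilds $0 with single-space separators
            sub(/^[ \t]+/, "")
            print key " " $0
        }' "$1" | sort
}

# ldap_conf_drift A B: 0 = equivalent, 1 = drift (printed), 2 = unreadable file
ldap_conf_drift() {
    a=$1 b=$2
    for f in "$a" "$b"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 2; }
    done
    ta=$(mktemp) && tb=$(mktemp) || return 2
    normalize "$a" > "$ta"
    normalize "$b" > "$tb"
    diffs=$( { comm -23 "$ta" "$tb" | sed "s|^|only in $a: |"
               comm -13 "$ta" "$tb" | sed "s|^|only in $b: |"; } )
    rm -f "$ta" "$tb"
    [ -z "$diffs" ] && return 0
    printf '%s\n' "$diffs"
    return 1
}

# Constructed sample: same server and base, but the sudo copy lacks the TLS line.
demo() {
    d=$(mktemp -d) || return 2
    printf 'URI ldap://ldap.example.com\nbase dc=example,dc=com\nssl start_tls\n' \
        > "$d/nss_ldap.conf"
    printf '# sudo copy\nuri   ldap://ldap.example.com\nBASE dc=example,dc=com\n' \
        > "$d/ldap.conf"
    rc=0
    ldap_conf_drift "$d/ldap.conf" "$d/nss_ldap.conf" || rc=$?
    rm -rf "$d"
    return "$rc"
}

# On a host: ldap_conf_drift /etc/ldap.conf /etc/nss_ldap.conf
```
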

Comment 5 Ludek Smid 2014-06-13 09:56:29 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.