Description of problem:
When configuring a system for ldap lookups in PAM, sudo requires admin to have both /etc/ldap.conf and /etc/nss_ldap.conf
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Configure system for ldap auth via nss_ldap (/etc/nss_ldap.conf)
2. Attempt to use sudo (fail)
3. cat /etc/nss_ldap.conf > /etc/ldap.conf
4. attempt to use sudo (win)
nss_ldap and sudo use different ldap config files
in 1st shell
$ sudo -i
# ps -ef | grep <username>
# strace -o /tmp/strace.out -f -s99 -p <pid-of-bash>
in 2nd shell
$ sudo uptime
in 1st shell
CTRL-C to detach strace, then
# egrep 'ldap\.conf' /tmp/strace.out
nss_ldap and sudo should use same ldap configuration
(either /etc/nss_ldap.conf OR /etc/ldap.conf, but not both)
With %build of the spec file for sudo-1.7.4p4,
configure specifies "--with-ldap" but
does not specify "--with-ldap-conf-file"
to be consistent with nss_ldap.
The outcome is a single ldap configuration must exist in two places:
/etc/ldap.conf for sudo
/etc/nss_ldap.conf for nss_ldap
another way to check configure-time options:
[root@x200 ~]# sudo -V | egrep ldap.conf
ldap.conf path: /etc/ldap.conf
I wonder why this change was made in nss_ldap/f14. We need to change the secret file path too.
sudo-1.7.4p4-4.fc14 has been submitted as an update for Fedora 14.
sudo-1.7.4p4-4.fc14 has been pushed to the Fedora 14 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update sudo'. You can provide feedback for this update here: https://admin.fedoraproject.org/updates/sudo-1.7.4p4-4.fc14
sudo-1.7.4p4-4.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report.