Bug 652687 - sudo and nss_ldap use different ldap.conf
Summary: sudo and nss_ldap use different ldap.conf
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: sudo
Version: 14
Hardware: Unspecified
OS: Unspecified
low
medium
Target Milestone: ---
Assignee: Daniel Kopeček
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 652726 702098 971013
Reported: 2010-11-12 14:47 UTC by Paul Morgan
Modified: 2013-06-05 13:14 UTC

Fixed In Version: sudo-1.7.4p4-4.fc14
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 652726 971013
Environment:
Last Closed: 2010-12-02 19:12:22 UTC
Type: ---

Description Paul Morgan 2010-11-12 14:47:15 UTC
Description of problem:
When configuring a system for ldap lookups in PAM, sudo requires admin to have both /etc/ldap.conf and /etc/nss_ldap.conf


Version-Release number of selected component (if applicable):
sudo-1.7.4p4

How reproducible:
always

Steps to Reproduce:
1. Configure system for ldap auth via nss_ldap (/etc/nss_ldap.conf)
2. Attempt to use sudo (fail)
3. cat /etc/nss_ldap.conf > /etc/ldap.conf
4. attempt to use sudo (win)
  
Actual results:
nss_ldap and sudo use different ldap config files

in 1st shell
------------
$ sudo -i
# ps -ef | grep <username>
# strace -o /tmp/strace.out -f -s99 -p <pid-of-bash>

in 2nd shell
------------
$ sudo uptime

in 1st shell
------------
CTRL-C to detach strace, then
review /tmp/strace.out:
# egrep 'ldap\.conf' /tmp/strace.out


Expected results:
nss_ldap and sudo should use same ldap configuration
(either /etc/nss_ldap.conf OR /etc/ldap.conf, but not both)

Additional info:

With %build of the spec file for sudo-1.7.4p4,
configure specifies "--with-ldap" but 
does not specify "--with-ldap-conf-file" 
to be consistent with nss_ldap.

The outcome is a single ldap configuration must exist in two places:
/etc/ldap.conf for sudo
/etc/nss_ldap.conf for nss_ldap

Comment 1 Paul Morgan 2010-11-12 14:48:51 UTC
another way to check configure-time options:

[root@x200 ~]# sudo -V | egrep ldap.conf
ldap.conf path: /etc/ldap.conf
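
Added example, not part of the bug report and not code from sudo or nss_ldap: while the same settings have to live in both /etc/ldap.conf and /etc/nss_ldap.conf, the two copies can silently diverge, so this sketch reads the `ldap.conf path:` line shown in Comment 1 and compares the effective directives of two files. The function names are hypothetical, and the host name and directive values in the demo are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the bug report): spot drift between the two copies
# of the LDAP client configuration that the report describes.

# Read `sudo -V` output on stdin and print the compiled-in ldap.conf path.
sudo_ldap_conf_path() {
    sed -n 's/^ldap\.conf path:[[:space:]]*//p' | head -n 1
}

# Print a file's effective directives: skip comments and blank lines,
# lower-case the keyword, collapse whitespace, sort.
normalize_conf() {
    awk '/^[ \t]*(#|$)/ { next } { $1 = tolower($1); print }' "$1" | sort
}

# Compare two files. Returns 0 if the directives match, 1 (and prints the
# differing lines) if they drifted, 2 if either file is unreadable.
conf_drift() {
    [ -r "$1" ] && [ -r "$2" ] || return 2
    t1=$(mktemp) && t2=$(mktemp) || return 2
    normalize_conf "$1" > "$t1"
    normalize_conf "$2" > "$t2"
    out=$(diff "$t1" "$t2" | grep '^[<>]' || true)
    rm -f "$t1" "$t2"
    if [ -n "$out" ]; then
        printf '%s\n' "$out"
        return 1
    fi
    return 0
}

# Demo on constructed sample data (hypothetical host and values).
demo() {
    d=$(mktemp -d) || return 2
    printf '# nss_ldap copy\nuri ldap://ldap.example.com/\ntls_checkpeer yes\n' > "$d/nss_ldap.conf"
    printf 'URI   ldap://ldap.example.com/\n\ntls_checkpeer no\n' > "$d/ldap.conf"
    path=$(printf 'Sudo version 1.7.4p4\nldap.conf path: /etc/ldap.conf\n' | sudo_ldap_conf_path)
    echo "sudo reads: $path"
    conf_drift "$d/nss_ldap.conf" "$d/ldap.conf"
    rc=$?
    rm -rf "$d"
    return $rc
}
demo || echo "drift status: $?"
```

On a real host, pipe `sudo -V` (run as root, as in Comment 1) into `sudo_ldap_conf_path` and pass the result and /etc/nss_ldap.conf to `conf_drift`.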

Comment 3 Daniel Kopeček 2010-11-16 11:17:19 UTC
I wonder why this change was made in nss_ldap/f14. We need to change the secret file path too.

Comment 4 Fedora Update System 2010-11-30 12:06:08 UTC
sudo-1.7.4p4-4.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/sudo-1.7.4p4-4.fc14

Comment 5 Fedora Update System 2010-11-30 22:13:56 UTC
sudo-1.7.4p4-4.fc14 has been pushed to the Fedora 14 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update sudo'
You can provide feedback for this update here: https://admin.fedoraproject.org/updates/sudo-1.7.4p4-4.fc14

Comment 6 Fedora Update System 2010-12-02 19:12:16 UTC
sudo-1.7.4p4-4.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.