Check that LDAP support is working
sudo-rs supports, via PAM, users that are defined via LDAP (which is a common and reasonable use case), but not (at least not right now) a sudoers file that is sent over LDAP.
~~This should be tested manually (e.g. install a small system where this is configured, or find one).~~
I.e. ideally no code should be necessary to close this PR.
- [x] Verify that users defined via LDAP can authenticate themselves in sudo-rs.
I'd love this to be optional functionality - the dependency graph for this in sudo makes me sad, and for packaging for Amazon Linux at least, we're almost certainly going to want to not build in this support.
Thanks for this feedback!
You will be pleased to know that we were not considering adding anything like sudoers.ldap, i.e. support for a centralized sudoers configuration that is stored in LDAP instead of on each machine. (It fails our criteria for inclusion, since the problem that this would solve is nowadays better handled with tools such as Ansible).
Especially if we get feedback such as this that our packagers/users actively don't want that.
This issue is much more specific: since sudo-rs authenticates users exclusively via PAM, a system where users are configured via LDAP should already be supported (through PAM). But since we don't actually have a server (under our control) where users are defined via LDAP we simply haven't demonstrated this very extensively yet.
Note that this is not exclusively a PAM configuration, but also a libnss (Network Security Services) configuration thing. This is something that is implemented in libc, and not in sudo-rs itself.
Typically a system that is connected to some identity management system (IDM), e.g. LDAP, configures libnss to connect to that IDM to retrieve user information, and then configures PAM to do authentication against part of that user information, or using something like Kerberos/OAuth/passkeys etc. We just never managed to test sudo-rs with any libnss input other than /etc/passwd and some basic PAM configurations.
But there is no LDAP specific code in sudo-rs, and I think we'd prefer to keep it that way. If we ever do need to add something LDAP specific I think making it an optional feature is a good idea though.
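The manual verification discussed in this thread (user lookup goes through glibc's Name Service Switch, authentication goes through PAM, and sudo-rs contains no LDAP code of its own) can be scripted on the target host. The script below is an added example written for this issue, not code from the sudo-rs project. It assumes a glibc-style system with `/etc/nsswitch.conf`, `getent(1)` (falling back to `id(1)`), and a PAM service file for sudo-rs under `/etc/pam.d`; the service name `sudo` is an assumption, adjust it to whatever your sudo-rs build uses. The sample `nsswitch.conf` content in the usage note is constructed.

```shell
#!/bin/sh
# Added example (not sudo-rs project code): sanity checks for a host where an
# LDAP-defined user is expected to work with sudo-rs via NSS + PAM.

# Print the NSS sources configured for the passwd database in the given
# nsswitch.conf (default /etc/nsswitch.conf), e.g. "files ldap" or
# "files sss". Comments and "[NOTFOUND=return]"-style action clauses are dropped.
passwd_sources() {
    conf="${1:-/etc/nsswitch.conf}"
    sed -e 's/#.*//' "$conf" | awk '
        $1 == "passwd:" {
            out = ""
            for (i = 2; i <= NF; i++) {
                if (substr($i, 1, 1) == "[") continue
                out = out (out == "" ? "" : " ") $i
            }
            print out
        }'
}

# Succeed when NAME resolves through NSS, i.e. through every configured source
# (files, ldap, sss, ...). This is the lookup path libc gives sudo-rs.
user_resolves() {
    if command -v getent >/dev/null 2>&1; then
        getent passwd "$1" >/dev/null 2>&1
    else
        id -u "$1" >/dev/null 2>&1
    fi
}

# Succeed when NAME is defined in the local /etc/passwd file. A genuinely
# LDAP-backed user should pass user_resolves but fail this check.
user_in_local_passwd() {
    grep -q "^$1:" /etc/passwd 2>/dev/null
}

# Succeed when the PAM service file sudo-rs authenticates against exists.
# The default service name "sudo" is an assumption for this example.
pam_service_present() {
    [ -r "/etc/pam.d/${1:-sudo}" ]
}

# Report the three properties for one user; returns non-zero on any failure.
check_ldap_user() {
    name="$1"; rc=0
    echo "passwd NSS sources: $(passwd_sources)"
    if user_resolves "$name"; then
        echo "ok:   $name resolves through NSS"
    else
        echo "FAIL: $name does not resolve through NSS"; rc=1
    fi
    if user_in_local_passwd "$name"; then
        echo "note: $name is also in local /etc/passwd (not an LDAP-only user)"
    else
        echo "ok:   $name is not in local /etc/passwd"
    fi
    if pam_service_present sudo; then
        echo "ok:   /etc/pam.d/sudo present"
    else
        echo "FAIL: /etc/pam.d/sudo missing"; rc=1
    fi
    return $rc
}

# Usage: sh check-ldap-user.sh <username>
if [ -n "${1:-}" ]; then
    check_ldap_user "$1"
fi
```

After this reports "ok" on all three lines for an LDAP-only account, the remaining manual step is the actual authentication: log in as that user and run `sudo -v`, which exercises the PAM conversation end to end. If the user resolves but `sudo` rejects the password, the problem is in the PAM stack (or in what the IDM exposes to it), not in sudo-rs.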