From: Todd C. Miller Date: Thu, 8 Jul 2010 13:00:13 +0000 (-0400) Subject: TLS_CACERT is now an alias for TLS_CACERTFILE. OpenLDAP uses TLS_CACERT, X-Git-Tag: SUDO_1_7_4~111 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=e3565fd495bb1d22155e8770adbdaf1ebb7a48e3;p=sudo TLS_CACERT is now an alias for TLS_CACERTFILE. OpenLDAP uses TLS_CACERT, not TLS_CACERTFILE in its ldap.conf. Other LDAP client code, such as nss_ldap, uses TLS_CACERTFILE. Also document why you should avoid disabling TLS_CHECKPEER is possible. --HG-- branch : 1.7 --- diff --git a/ldap.c b/ldap.c index 6bde360a3..9554df22e 100644 --- a/ldap.c +++ b/ldap.c @@ -183,6 +183,8 @@ static struct ldap_config_table ldap_conf_table[] = { #ifdef LDAP_OPT_X_TLS_CACERTFILE { "tls_cacertfile", CONF_STR, FALSE, LDAP_OPT_X_TLS_CACERTFILE, &ldap_conf.tls_cacertfile }, + { "tls_cacert", CONF_STR, FALSE, LDAP_OPT_X_TLS_CACERTFILE, + &ldap_conf.tls_cacertfile }, #endif #ifdef LDAP_OPT_X_TLS_CACERTDIR { "tls_cacertdir", CONF_STR, FALSE, LDAP_OPT_X_TLS_CACERTDIR, diff --git a/sudoers.ldap.cat b/sudoers.ldap.cat index e43a8b774..7e79cee15 100644 --- a/sudoers.ldap.cat +++ b/sudoers.ldap.cat @@ -9,7 +9,7 @@ NNAAMMEE DDEESSCCRRIIPPTTIIOONN In addition to the standard _s_u_d_o_e_r_s file, ssuuddoo may be configured via - LAP. This can be especially useful for synchronizing _s_u_d_o_e_r_s in a + LDAP. This can be especially useful for synchronizing _s_u_d_o_e_r_s in a large, distributed environment. Using LDAP for _s_u_d_o_e_r_s has several benefits: @@ -61,7 +61,7 @@ DDEESSCCRRIIPPTTIIOONN -1.7.3 June 29, 2010 1 +1.7.3 July 8, 2010 1 @@ -127,7 +127,7 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) -1.7.3 June 29, 2010 2 +1.7.3 July 8, 2010 2 @@ -193,7 +193,7 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) -1.7.3 June 29, 2010 3 +1.7.3 July 8, 2010 3 @@ -259,7 +259,7 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) -1.7.3 June 29, 2010 4 +1.7.3 July 8, 2010 4 
@@ -325,7 +325,7 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) -1.7.3 June 29, 2010 5 +1.7.3 July 8, 2010 5 @@ -369,29 +369,29 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) certificated to be verified. If the server's TLS certificate cannot be verified (usually because it is signed by an unknown certificate authority), ssuuddoo will be unable to connect to it. If - TTLLSS__CCHHEECCKKPPEEEERR is disabled, no check is made. + TTLLSS__CCHHEECCKKPPEEEERR is disabled, no check is made. Note that disabling + the check creates an opportunity for man-in-the-middle attacks + since the server's identity will not be authenticated. If + possible, the CA's certificate should be installed locally so it + can be verified. + + TTLLSS__CCAACCEERRTT file name + An alias for TTLLSS__CCAACCEERRTTFFIILLEE. TTLLSS__CCAACCEERRTTFFIILLEE file name The path to a certificate authority bundle which contains the certificates for all the Certificate Authorities the client knows to be valid, e.g. _/_e_t_c_/_s_s_l_/_c_a_-_b_u_n_d_l_e_._p_e_m. This option is only - supported by the OpenLDAP libraries. + supported by the OpenLDAP libraries. Netscape-derived LDAP + libraries use the same certificate database for CA and client + certificates (see TTLLSS__CCEERRTT). TTLLSS__CCAACCEERRTTDDIIRR directory Similar to TTLLSS__CCAACCEERRTTFFIILLEE but instead of a file, it is a directory - containing individual Certificate Authority certificates, e.g. - _/_e_t_c_/_s_s_l_/_c_e_r_t_s. The directory specified by TTLLSS__CCAACCEERRTTDDIIRR is - checked after TTLLSS__CCAACCEERRTTFFIILLEE. This option is only supported by the - OpenLDAP libraries. - - TTLLSS__CCEERRTT file name - The path to a file containing the client certificate which can be - used to authenticate the client to the LDAP server. The - certificate type depends on the LDAP libraries used. -1.7.3 June 29, 2010 6 +1.7.3 July 8, 2010 6 
@@ -400,6 +400,16 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) + containing individual Certificate Authority certificates, e.g. + _/_e_t_c_/_s_s_l_/_c_e_r_t_s. The directory specified by TTLLSS__CCAACCEERRTTDDIIRR is + checked after TTLLSS__CCAACCEERRTTFFIILLEE. This option is only supported by the + OpenLDAP libraries. + + TTLLSS__CCEERRTT file name + The path to a file containing the client certificate which can be + used to authenticate the client to the LDAP server. The + certificate type depends on the LDAP libraries used. + OpenLDAP: tls_cert /etc/ssl/client_cert.pem @@ -444,27 +454,28 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) Enable RROOOOTTUUSSEE__SSAASSLL to enable SASL authentication when connecting to an LDAP server from a privileged process, such as ssuuddoo. - RROOOOTTSSAASSLL__AAUUTTHH__IIDD identity - The SASL user name to use when RROOOOTTUUSSEE__SSAASSLL is enabled. - SSAASSLL__SSEECCPPRROOPPSS none/properties - SASL security properties or _n_o_n_e for no properties. See the SASL - programmer's manual for details. - KKRRBB55__CCCCNNAAMMEE file name - The path to the Kerberos 5 credential cache to use when - authenticating with the remote server. +1.7.3 July 8, 2010 7 -1.7.3 June 29, 2010 7 +SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) -SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) + RROOOOTTSSAASSLL__AAUUTTHH__IIDD identity + The SASL user name to use when RROOOOTTUUSSEE__SSAASSLL is enabled. + SSAASSLL__SSEECCPPRROOPPSS none/properties + SASL security properties or _n_o_n_e for no properties. See the SASL + programmer's manual for details. + + KKRRBB55__CCCCNNAAMMEE file name + The path to the Kerberos 5 credential cache to use when + authenticating with the remote server. See the ldap.conf entry in the EXAMPLES section. 
@@ -510,27 +521,27 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) To consult LDAP first followed by the local sudoers file (if it exists), use: - sudoers = ldap, files - The local _s_u_d_o_e_r_s file can be ignored completely by using: - sudoers = ldap +1.7.3 July 8, 2010 8 - To treat LDAP as authoratative and only use the local sudoers file if - the user is not present in LDAP, use: - sudoers = ldap = auth, files -1.7.3 June 29, 2010 8 +SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) + sudoers = ldap, files + The local _s_u_d_o_e_r_s file can be ignored completely by using: + sudoers = ldap -SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) + To treat LDAP as authoratative and only use the local sudoers file if + the user is not present in LDAP, use: + sudoers = ldap = auth, files Note that in the above example, the auth qualfier only affects user lookups; both LDAP and _s_u_d_o_e_r_s will be queried for Defaults entries. @@ -575,21 +586,10 @@ EEXXAAMMPPLLEESS # # verbose sudoers matching from ldap #sudoers_debug 2 - # - # optional proxy credentials - #binddn - #bindpw - #rootbinddn - # - # LDAP protocol version, defaults to 3 - #ldap_version 3 - # - # Define if you want to use an encrypted LDAP connection. - # Typically, you must also set the port to 636 (ldaps). -1.7.3 June 29, 2010 9 +1.7.3 July 8, 2010 9 @@ -598,6 +598,17 @@ EEXXAAMMPPLLEESS SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) + # + # optional proxy credentials + #binddn + #bindpw + #rootbinddn + # + # LDAP protocol version, defaults to 3 + #ldap_version 3 + # + # Define if you want to use an encrypted LDAP connection. + # Typically, you must also set the port to 636 (ldaps). #ssl on # # Define if you want to use port 389 and switch to 
@@ -641,21 +652,10 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) # For OpenLDAP: #tls_cert /etc/certs/client_cert.pem #tls_key /etc/certs/client_key.pem - # - # For SunONE or iPlanet LDAP, tls_cert and tls_key may specify either - # a directory, in which case the files in the directory must have the - # default names (e.g. cert8.db and key4.db), or the path to the cert - # and key files themselves. However, a bug in version 5.0 of the LDAP - # SDK will prevent specific file names from working. For this reason - # it is suggested that tls_cert and tls_key be set to a directory, - # not a file name. - # - # The certificate database specified by tls_cert may contain CA certs - # and/or the client's cert. If the client's cert is included, tls_key -1.7.3 June 29, 2010 10 +1.7.3 July 8, 2010 10 @@ -664,6 +664,17 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) + # + # For SunONE or iPlanet LDAP, tls_cert and tls_key may specify either + # a directory, in which case the files in the directory must have the + # default names (e.g. cert8.db and key4.db), or the path to the cert + # and key files themselves. However, a bug in version 5.0 of the LDAP + # SDK will prevent specific file names from working. For this reason + # it is suggested that tls_cert and tls_key be set to a directory, + # not a file name. + # + # The certificate database specified by tls_cert may contain CA certs + # and/or the client's cert. If the client's cert is included, tls_key # should be specified as well. # For backward compatibility, "sslpath" may be used in place of tls_cert. #tls_cert /var/ldap 
@@ -708,28 +719,28 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) - attributetype ( 1.3.6.1.4.1.15953.9.1.5 - NAME 'sudoOption' - DESC 'Options(s) followed by sudo' - EQUALITY caseExactIA5Match - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) - attributetype ( 1.3.6.1.4.1.15953.9.1.6 - NAME 'sudoRunAsUser' - DESC 'User(s) impersonated by sudo' - EQUALITY caseExactIA5Match +1.7.3 July 8, 2010 11 -1.7.3 June 29, 2010 11 +SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) -SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) + attributetype ( 1.3.6.1.4.1.15953.9.1.5 + NAME 'sudoOption' + DESC 'Options(s) followed by sudo' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + attributetype ( 1.3.6.1.4.1.15953.9.1.6 + NAME 'sudoRunAsUser' + DESC 'User(s) impersonated by sudo' + EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) attributetype ( 1.3.6.1.4.1.15953.9.1.7 @@ -776,17 +787,6 @@ DDIISSCCLLAAIIMMEERR - - - - - - - - - - - -1.7.3 June 29, 2010 12 +1.7.3 July 8, 2010 12 diff --git a/sudoers.ldap.man.in b/sudoers.ldap.man.in index 7d2ceab77..2c7262027 100644 --- a/sudoers.ldap.man.in +++ b/sudoers.ldap.man.in @@ -140,7 +140,7 @@ .\" ======================================================================== .\" .IX Title "SUDOERS.LDAP @mansectform@" -.TH SUDOERS.LDAP @mansectform@ "June 29, 2010" "1.7.3" "MAINTENANCE COMMANDS" +.TH SUDOERS.LDAP @mansectform@ "July 8, 2010" "1.7.3" "MAINTENANCE COMMANDS" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -150,7 +150,7 @@ sudoers.ldap \- sudo LDAP configuration .SH "DESCRIPTION" .IX Header "DESCRIPTION" In addition to the standard \fIsudoers\fR file, \fBsudo\fR may be configured -via \s-1LAP\s0. This can be especially useful for synchronizing \fIsudoers\fR +via \s-1LDAP\s0. This can be especially useful for synchronizing \fIsudoers\fR in a large, distributed environment. .PP Using \s-1LDAP\s0 for \fIsudoers\fR has several benefits: @@ -455,13 +455,21 @@ If enabled, \fB\s-1TLS_CHECKPEER\s0\fR will cause the \s-1LDAP\s0 server's \s-1T certificated to be verified. If the server's \s-1TLS\s0 certificate cannot be verified (usually because it is signed by an unknown certificate authority), \fBsudo\fR will be unable to connect to it. If \fB\s-1TLS_CHECKPEER\s0\fR -is disabled, no check is made. +is disabled, no check is made. Note that disabling the check creates +an opportunity for man-in-the-middle attacks since the server's +identity will not be authenticated. If possible, the \s-1CA\s0's certificate +should be installed locally so it can be verified. +.IP "\fB\s-1TLS_CACERT\s0\fR file name" 4 +.IX Item "TLS_CACERT file name" +An alias for \fB\s-1TLS_CACERTFILE\s0\fR. .IP "\fB\s-1TLS_CACERTFILE\s0\fR file name" 4 .IX Item "TLS_CACERTFILE file name" The path to a certificate authority bundle which contains the certificates for all the Certificate Authorities the client knows to be valid, e.g. \fI/etc/ssl/ca\-bundle.pem\fR. This option is only supported by the OpenLDAP libraries. +Netscape-derived \s-1LDAP\s0 libraries use the same certificate +database for \s-1CA\s0 and client certificates (see \fB\s-1TLS_CERT\s0\fR). .IP "\fB\s-1TLS_CACERTDIR\s0\fR directory" 4 .IX Item "TLS_CACERTDIR directory" Similar to \fB\s-1TLS_CACERTFILE\s0\fR but instead of a file, it is a diff --git a/sudoers.ldap.pod b/sudoers.ldap.pod index b614f9000..f7a39c934 100644 --- a/sudoers.ldap.pod +++ b/sudoers.ldap.pod 
@@ -363,7 +363,14 @@ If enabled, B will cause the LDAP server's TLS certificated to be verified. If the server's TLS certificate cannot be verified (usually because it is signed by an unknown certificate authority), B will be unable to connect to it. If B -is disabled, no check is made. +is disabled, no check is made. Note that disabling the check creates +an opportunity for man-in-the-middle attacks since the server's +identity will not be authenticated. If possible, the CA's certificate +should be installed locally so it can be verified. + +=item B file name + +An alias for B. =item B file name @@ -371,6 +378,8 @@ The path to a certificate authority bundle which contains the certificates for all the Certificate Authorities the client knows to be valid, e.g. F. This option is only supported by the OpenLDAP libraries. +Netscape-derived LDAP libraries use the same certificate +database for CA and client certificates (see B). =item B directory
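Review bot: In the ldap.c hunk the new "tls_cacert" row stores into the same &ldap_conf.tls_cacertfile slot as "tls_cacertfile", so an ldap.conf that carries both spellings (easy to end up with when one file is shared between OpenLDAP tools and nss_ldap) will keep whichever assignment the parser applies last, with no diagnostic. Consider either warning when both keys are present or stating in the TLS_CACERT entry that the two keys set the same value and the later one wins.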
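Review bot: In the TLS_CHECKPEER/TLS_CACERT documentation hunk (the same text in sudoers.ldap.cat, sudoers.ldap.man.in and sudoers.ldap.pod) the new advice "the CA's certificate should be installed locally so it can be verified" stops short of saying how; one clause pointing at TLS_CACERTFILE or TLS_CACERTDIR (or the TLS_CERT database on Netscape-derived libraries) would make the man-in-the-middle warning actionable. The new TLS_CACERT entry, "An alias for TLS_CACERTFILE.", also omits the reason the commit message gives (OpenLDAP's ldap.conf spells it TLS_CACERT, nss_ldap spells it TLS_CACERTFILE); saying so tells administrators that either spelling from their existing ldap.conf will work. While this paragraph is being touched, the unchanged context line "will cause the LDAP server's TLS certificated to be verified" should read "certificate".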
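Review bot: The repaginated sudoers.ldap.cat hunks show "authoratative" and "qualfier" in unchanged context (the "sudoers = ldap = auth, files" passage). They cannot be fixed in the .cat itself: sudoers.ldap.man.in carries pod2man output (the ".IX Title"/".IX Item" lines), so the source to correct is sudoers.ldap.pod, after which the .man.in and .cat regenerate. Most of the .cat churn here is date-footer and page-break shifts; regenerating that file less often would keep documentation diffs reviewable.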