Re: libnss-ldap/libpam-ldap security issue
Brian May <firstname.lastname@example.org> writes:
> In my case, it looks like the NSS module is getting its certificates
> based on the defaults in $HOME/.ldaprc. I expect this, because I have
> the certificates configured in /etc/ldap/ldap.conf and nowhere else.
> This is presumably why it is segfaulting, because it is picking up the
> wrong certificates. This in turn would mean if somebody was able to
> interfere somehow with the network, they could trick sudo into
> authenticating against the wrong ldap server.
> Sure, I could override all the defaults in /etc/ldap.conf (config file
> used by ldap-nss and ldap-pam), but this strikes me as (a) unnecessary
> duplication of config settings in /etc/ldap.conf and /etc/ldap/ldap.conf
> and (b) risky because I might miss a config setting that needs to be
> overridden. It also doesn't appear to be documented anywhere.
Basically, you're preaching to the choir and I think this should be
changed, but I don't have the time or energy to work on it. :/ I'm listed
as an OpenLDAP package maintainer because I'm willing to try to work on it
when Stanford can spare some of my time for it, but that hasn't been often
lately and isn't the case at the moment.
Russ Allbery (email@example.com) <http://www.eyrie.org/~eagle/>
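An added example, not from either poster: a small audit for the risk described above, that /etc/ldap.conf (read by libnss-ldap/libpam-ldap) silently inherits TLS settings from OpenLDAP's /etc/ldap/ldap.conf or a user's ~/.ldaprc. It checks that the nss_ldap-style keys (uri, ssl, tls_checkpeer, tls_cacertfile or tls_cacertdir) are set explicitly; the two config files it inspects are constructed in a temporary directory for the demonstration.

```shell
#!/bin/sh
# ldap_conf_audit FILE: print the TLS-related settings FILE does not set
# explicitly (so they would come from external OpenLDAP defaults).
# Returns 0 when every setting is present, 1 otherwise.
ldap_conf_audit() {
  conf="$1"
  missing=""
  for key in uri ssl tls_checkpeer; do
    # an uncommented "key value" line; nss_ldap keys are case-insensitive
    grep -Eiq "^[[:space:]]*${key}[[:space:]]+[^[:space:]]" "$conf" \
      || missing="$missing $key"
  done
  # either a CA file or a CA directory pins which servers are trusted
  grep -Eiq "^[[:space:]]*tls_cacert(file|dir)[[:space:]]+[^[:space:]]" "$conf" \
    || missing="$missing tls_cacertfile|tls_cacertdir"
  if [ -n "$missing" ]; then
    echo "$conf relies on external defaults for:$missing"
    return 1
  fi
  echo "$conf sets all TLS settings explicitly"
  return 0
}

# constructed sample configs (the real file is /etc/ldap.conf)
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/incomplete.conf" <<'EOF'
# only a URI; CA and peer checking come from /etc/ldap/ldap.conf or ~/.ldaprc
uri ldaps://ldap.example.com/
base dc=example,dc=com
EOF
cat > "$tmp/complete.conf" <<'EOF'
uri ldaps://ldap.example.com/
base dc=example,dc=com
ssl on
tls_checkpeer yes
tls_cacertfile /etc/ssl/certs/example-ca.pem
EOF

ldap_conf_audit "$tmp/incomplete.conf" || true   # flags ssl, tls_checkpeer, CA
ldap_conf_audit "$tmp/complete.conf"
```

Run it against the real /etc/ldap.conf to see which settings sudo's NSS/PAM lookups would be taking from files outside that one.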