Bug 523

Summary: DNS SRV Record Support
Product: Sudo
Reporter: James Cape <jcape>
Component: Sudoers
Assignee: Todd C. Miller <Todd.Miller>
Status: ASSIGNED
Severity: normal
Priority: low
Version: 1.8.3
Hardware: PC
OS: Linux

Description James Cape 2011-11-23 19:03:03 MST
OpenLDAP 2.4 supports LDAP URIs in the form of ldap:///dc=example,dc=com (albeit URI escaped), which would transparently perform a DNS SRV lookup against _ldap._tcp.example.com, if given directly to ldap_initialize().

Unfortunately, Sudo's LDAP plugin is being too clever about its URI handling, which precludes this useful and otherwise valid input.

I'd recommend simply removing the URL munging stuff altogether (i.e. ldap.c:sudo_ldap_parse_uri) and replacing it with a simple URI string as provided by the user, but I'm not sure what else that would break.

- jmc
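The report above relies on the host-less URI form ldap:///dc=example,dc=com being turned into a DNS SRV query for _ldap._tcp.example.com. The following is an added example written by the editor, not code from sudo or OpenLDAP, showing that mapping: the URI is split, the percent-encoded DN in the path is decoded, the trailing run of dc= components is joined into a DNS domain, and the SRV owner name is built from it. A URI that carries an explicit host is left alone, since no SRV discovery happens in that case. Whether the dc= handling matches libldap's own ldap_dn2domain() in every corner (for instance a non-dc component in the middle of the DN, which this code treats as a reset) is an assumption; the function names and the sample URIs are the editor's. No DNS query is performed, so it runs offline.

```python
"""Map a host-less LDAP URI (ldap:///dc=example,dc=com) to the DNS SRV
name that OpenLDAP-style SRV discovery would look up.

Editor's illustration for the bug report; not sudo's or OpenLDAP's code.
Assumption: the DNS domain is the trailing run of dc= components of the
DN, and any non-dc component resets it (my reading of ldap_dn2domain()).
"""

from typing import List, Optional, Tuple
from urllib.parse import unquote, urlsplit


def dn_to_domain(dn: str) -> Optional[str]:
    """Return the DNS domain implied by the dc= components of a DN.

    'ou=people,dc=example,dc=com' -> 'example.com'
    'dc=example,ou=x,dc=com'      -> 'com'   (non-dc component resets)
    'ou=people'                   -> None    (no dc= component at all)

    Escaped commas inside RDN values (backslash-comma) are not handled;
    that is enough for the domain-style DNs this discovery is meant for.
    """
    labels: List[str] = []
    for rdn in dn.split(","):
        attr, sep, value = rdn.strip().partition("=")
        if not sep or not value.strip():
            return None  # malformed RDN, refuse to guess
        if attr.strip().lower() == "dc":
            labels.append(value.strip())
        else:
            labels = []  # assumption: non-dc component resets the domain
    return ".".join(labels) if labels else None


def ldap_uri_to_srv(uri: str) -> Optional[Tuple[str, str]]:
    """Return (domain, srv_name) for a host-less LDAP URI, else None.

    Only ldap:///<dn> and ldaps:///<dn> qualify.  A URI with an explicit
    host (ldap://ldap.example.com/...) is not subject to SRV discovery,
    so None is returned and the caller should use the host as given.
    """
    parts = urlsplit(uri)
    if parts.scheme.lower() not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URI: %r" % uri)
    if parts.netloc:
        return None  # explicit host: no SRV lookup
    # The DN may arrive URI-escaped (dc%3Dexample%2Cdc%3Dcom); decode it.
    dn = unquote(parts.path.lstrip("/"))
    domain = dn_to_domain(dn)
    if domain is None:
        return None
    return domain, "_ldap._tcp.%s" % domain


if __name__ == "__main__":
    # Constructed sample URIs, including the escaped form mentioned in the report.
    for sample in (
        "ldap:///dc=example,dc=com",
        "ldap:///dc%3Dexample%2Cdc%3Dcom",
        "ldap:///ou=people,dc=example,dc=com",
        "ldap://ldap.example.com/dc=example,dc=com",
    ):
        print(sample, "->", ldap_uri_to_srv(sample))
```

One practical caveat for anyone enabling this form in a sudoers backend: the SRV answer is ordinary, unauthenticated DNS, so whoever controls the resolver's answers chooses which server sudo consults for its policy. Pair SRV discovery with TLS and server certificate verification in ldap.conf rather than relying on the discovered hostname alone.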
Comment 1 Todd C. Miller 2011-11-24 08:51:35 MST
Actually, if you look closely you'll see that sudo_ldap_parse_uri() is only used for LDAP libraries that lack ldap_initialize(), which is specific to OpenLDAP.  If you set

sudoers_debug 2

in ldap.conf you should see a debugging line with the argument passed to ldap_initialize()