Package: libpam-ldap
Version: 186-1+caejessie4
Severity: wishlist

Dear Maintainer,

As described in [1] and elsewhere, the nslcd variant of libpam-ldap, libpam-ldapd, doesn't currently provide the ability to specify per service pam stack ldap configs in order to override on a per service basis various authentication/authorization ldap filters, search bases, etc. libpam-ldap does provide such functionality via the config= parameter to its pam_ldap.so module within each pam service stack config.

However, aside from a library naming conflict, the two packages could be compatible. That is, one can mix libpam-ldapd's pam_ldap.so and libpam-ldap's pam_ldap.so in the same stack, so long as they're named/referenced differently so that they're each loaded separately.

Attached is a patch which adjusts the libpam-ldap package to also produce a copy of itself under a different library install location and package name, libpam-ldap-standalone, in order to facilitate just that ability. Note, it also includes the patches for reading from the usual config file that I submitted in bug #844666.

There are comments within the patch to hopefully help flesh out the details of the expected use cases and configs.

In my example I've disabled most debconf control of the pam_ldap_standalone.so module into the various /etc/pam.d/common-* stacks, as it's not intended to be a replacement for those, but rather a tack-on for specific services. Instead, libpam-ldapd is supposed to handle the brunt of the /etc/pam.d/common-* work.

Let me know if you have any questions/comments.

Thanks,
Brian

[1] <https://lists.arthurdejong.org/nss-pam-ldapd-users/2016/msg00114.html>
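To make the control flow of such a per-service stack concrete, here is an added example (not from the bug report or the libpam-ldap package): a small Python simulator of Linux-PAM's control-value semantics run over a copy of the auth rules from the patch's example /etc/pam.d/sudo. The module result codes fed in are assumptions standing in for what pam_unix.so and pam_ldap_standalone.so would return.

```python
import re

# Constructed copy of the auth rules from the patch's example /etc/pam.d/sudo
# (the account and session rules are not modelled here).
SUDO_AUTH = """\
auth [success=1 default=ignore] pam_unix.so
auth required pam_ldap_standalone.so use_first_pass config=/etc/pam_ldap.sudo.conf
auth required pam_permit.so
"""

# Simple control keywords expanded to the bracket form pam.conf(5) defines them as.
SIMPLE_CONTROLS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}

RULE_RE = re.compile(r"^(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)\s*(.*)$")


def parse_control(ctl):
    """'required' -> expanded dict; '[success=1 default=ignore]' -> {'success': '1', ...}."""
    if ctl in SIMPLE_CONTROLS:
        return dict(SIMPLE_CONTROLS[ctl])
    return dict(kv.split("=", 1) for kv in ctl.strip("[]").split())


def parse_stack(text, group="auth"):
    """Return [(control, module, args)] for one management group of a pam.d file."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("@include"):
            continue
        m = RULE_RE.match(line)
        if m and m.group(1) == group:
            rules.append((parse_control(m.group(2)), m.group(3), m.group(4)))
    return rules


def run_stack(rules, results):
    """Walk the rules; `results` maps module file -> the return code it would give.

    Returns (final_code, modules_consulted).  Implements ok/bad/die/done/ignore
    and the numeric jump action, which is all the example stack uses; a stack
    where no module contributes yields perm_denied, as Linux-PAM does.
    """
    final, failed, consulted, i = None, False, [], 0
    while i < len(rules):
        control, module, _args = rules[i]
        code = results[module]
        consulted.append(module)
        action = control.get(code, control.get("default", "ignore"))
        i += 1
        if action == "ignore":
            continue
        if action in ("bad", "die"):          # the first failure fixes the outcome
            if not failed:
                failed, final = True, code
            if action == "die":
                break
            continue
        if not failed:                        # ok / done / jump count as success
            final = code
        if action == "done" and not failed:
            break
        if action.isdigit():                  # jump over the next N rules
            i += int(action)
    return (final if final is not None else "perm_denied"), consulted


def sudo_auth_outcome(unix_code, ldap_code):
    """Outcome of the example sudo auth stack for given pam_unix / LDAP results."""
    results = {"pam_unix.so": unix_code,
               "pam_ldap_standalone.so": ldap_code,
               "pam_permit.so": "success"}
    return run_stack(parse_stack(SUDO_AUTH, "auth"), results)


if __name__ == "__main__":
    cases = [("local password accepted by pam_unix", "success", "auth_err"),
             ("LDAP-only user, sudo password accepted", "auth_err", "success"),
             ("LDAP-only user, sudo password rejected", "auth_err", "auth_err")]
    for label, unix_code, ldap_code in cases:
        print("%-42s -> %s via %s" % ((label,) + sudo_auth_outcome(unix_code, ldap_code)))
```

The first case shows the design point the patch's README states: anyone pam_unix.so accepts never reaches the LDAP sudo password, and only when pam_unix declines does the standalone module with its own config= decide.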


-- System Information:
Debian Release: 8.6
 APT prefers stable
 APT policy: (500, 'stable'), (120, 'testing'), (110, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages libpam-ldap-standalone depends on:
ii  libc6           2.19-18+deb8u6
ii  libldap-2.4-2   2.4.40+dfsg-1+deb8u2
ii  libpam-runtime  1.1.8-3.1+deb8u1
ii  libpam0g        1.1.8-3.1+deb8u1+b1

libpam-ldap-standalone recommends no packages.

Versions of packages libpam-ldap-standalone suggests:
ii  libnss-ldapd  0.9.4-3+deb8u1
ii  libpam-ldapd  0.9.4-3+deb8u1

-- no debconf information
diff -u -ruN libpam-ldap-186/debian/changelog libpam-ldap-186.cae.standalone/debian/changelog
--- libpam-ldap-186/debian/changelog	2016-04-09 16:14:51.000000000 -0500
+++ libpam-ldap-186.cae.standalone/debian/changelog	2016-11-25 13:17:12.663261899 -0600
@@ -1,3 +1,16 @@
+libpam-ldap (186-1+caejessie4) cae-jessie-backports; urgency=medium
+
+  * Non-maintainer upload.
+  * Backporting for jessie (RT #430785).
+  * Also update debian/rules to use the old /etc/pam_ldap.conf file by default
+    instead of /etc/ldap.conf
+  * Fixup build rules for pure dh instead of cdbs.
+  * Don't let it copy the /etc/ldap.conf file in - let debconf handle that as
+    before.
+  * Add a libpam-ldap-standalone package.
+
+ -- Brian Kroth <bpkr...@gmail.com>  Fri, 28 Oct 2016 17:13:57 -0500
+
 libpam-ldap (186-1) unstable; urgency=medium
 
   * New upstream release
diff -u -ruN libpam-ldap-186/debian/control libpam-ldap-186.cae.standalone/debian/control
--- libpam-ldap-186/debian/control	2016-04-04 07:26:09.000000000 -0500
+++ libpam-ldap-186.cae.standalone/debian/control	2016-11-25 13:45:23.258026883 -0600
@@ -6,6 +6,7 @@
 Standards-Version: 3.9.7
 Build-Depends: debhelper (>= 9),
                dh-autoreconf,
+               dh-exec (>= 0.3),
                libldap2-dev,
                libpam0g-dev,
                libsasl2-dev,
@@ -22,3 +23,27 @@
  user authentication system. Using it along with libnss-ldapd or libnss-ldap
  allows LDAP to entirely replace other lookup methods (such as NIS or
  flat-file) for system account tables.
+
+Package: libpam-ldap-standalone
+Architecture: any
+Multi-Arch: same
+Depends: ${shlibs:Depends}, ${misc:Depends}, libpam-runtime (>= 1.0.1-6), libpam0g (>= 1.1.3-2)
+Suggests: libnss-ldapd, libpam-ldapd
+# libpam-ldap-standalone is only intended to be used in combination with
+# libpam-ldapd.  It doesn't make sense to combine it with itself.
+# NOTE: We have to include a version in the match, else libpam-ldapd (which
+# Provides libpam-ldap) will also be matched by the Conflicts rule.
+Conflicts: libpam-ldap (>= 0)
+Description: Pluggable Authentication Module for LDAP
+ This package provides an interface between an LDAP server and the PAM
+ user authentication system. Using it along with libnss-ldapd or libnss-ldap
+ allows LDAP to entirely replace other lookup methods (such as NIS or
+ flat-file) for system account tables.
+ .
+ NOTE: This is essentially a copy of the libpam-ldap package that's intended to
+ coeexist with the libpam-ldapd package (which conflicts with the usual
+ libpam-ldap package since they both install to /lib/.../security/pam_ldap.so)
+ so that select pam service stacks can make use of libpam-ldap's nice config=
+ option that libpam-ldapd currently lacks.
+ .
+ See Also: https://lists.arthurdejong.org/nss-pam-ldapd-users/2016/msg00114.html
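Review bot: the Description block has a typo ("coeexist" should be "coexist") and reuses libpam-ldap's synopsis line verbatim; since the two packages conflict, give the standalone one a synopsis that distinguishes it, e.g. "Pluggable Authentication Module for LDAP (renamed copy for use beside libpam-ldapd)". Also, the comment says the package only makes sense together with libpam-ldapd, so "Recommends: libpam-ldapd" expresses that better than the weaker "Suggests:" used here. The versioned "Conflicts: libpam-ldap (>= 0)" trick to avoid matching libpam-ldapd's virtual Provides is fine and the comment explains it well.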
diff -u -ruN libpam-ldap-186/debian/libpam-ldap.install libpam-ldap-186.cae.standalone/debian/libpam-ldap.install
--- libpam-ldap-186/debian/libpam-ldap.install	2015-10-15 21:52:24.000000000 -0500
+++ libpam-ldap-186.cae.standalone/debian/libpam-ldap.install	2016-11-22 15:29:33.161207583 -0600
@@ -1,3 +1,4 @@
+#! /usr/bin/dh-exec
 ldap.conf usr/share/libpam-ldap
 pam.d usr/share/doc/libpam-ldap/examples
 chfn usr/share/doc/libpam-ldap/examples
@@ -6,3 +7,4 @@
 pam_ldap.5 usr/share/man/man5
 ldapns.schema usr/share/doc/libpam-ldap
 debian/LDAP-Permissions.txt usr/share/doc/libpam-ldap
+pam_ldap.so /lib/${DEB_HOST_MULTIARCH}/security
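Review bot: dh-exec only honours the "#! /usr/bin/dh-exec" line when the .install file carries the executable bit, and a plain "diff -u" records no mode change, so please call out the chmod +x in the cover text or submit a git-format patch; without the bit the shebang has no effect and debhelper 9 will not expand ${DEB_HOST_MULTIARCH} itself. The new "pam_ldap.so /lib/${DEB_HOST_MULTIARCH}/security" entry is needed now that there are two binary packages and dh_auto_install lands in debian/tmp, which is worth a one-line comment in the file.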
diff -u -ruN libpam-ldap-186/debian/libpam-ldap-standalone.install libpam-ldap-186.cae.standalone/debian/libpam-ldap-standalone.install
--- libpam-ldap-186/debian/libpam-ldap-standalone.install	1969-12-31 18:00:00.000000000 -0600
+++ libpam-ldap-186.cae.standalone/debian/libpam-ldap-standalone.install	2016-11-23 15:25:17.637445734 -0600
@@ -0,0 +1,9 @@
+#! /usr/bin/dh-exec
+ldap.conf usr/share/libpam-ldap-standalone
+debian/standalone/doc/README usr/share/doc/libpam-ldap-standalone
+debian/standalone/examples/pam_ldap.sudo.conf usr/share/doc/libpam-ldap-standalone/examples
+debian/standalone/examples/pam.d/sudo usr/share/doc/libpam-ldap-standalone/examples/pam.d
+pam_ldap.5 usr/share/man/man5
+ldapns.schema usr/share/doc/libpam-ldap-standalone
+debian/LDAP-Permissions.txt usr/share/doc/libpam-ldap-standalone
+pam_ldap.so /lib/${DEB_HOST_MULTIARCH}/security
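Review bot: since dh-exec is already in play here, the rename that is the whole point of the package can be done in this file with dh-exec's install-rename syntax, "pam_ldap.so => /lib/${DEB_HOST_MULTIARCH}/security/pam_ldap_standalone.so", instead of installing the module under the clashing name and moving it afterwards in override_dh_install; that keeps the rename next to the file list where a reader looks for it. The same executable-bit caveat as for the other dh-exec'd install file applies.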
diff -u -ruN libpam-ldap-186/debian/libpam-ldap-standalone.pam-auth-update libpam-ldap-186.cae.standalone/debian/libpam-ldap-standalone.pam-auth-update
--- libpam-ldap-186/debian/libpam-ldap-standalone.pam-auth-update	1969-12-31 18:00:00.000000000 -0600
+++ libpam-ldap-186.cae.standalone/debian/libpam-ldap-standalone.pam-auth-update	2016-11-23 14:58:19.295390235 -0600
@@ -0,0 +1,22 @@
+# Disabled for libpam-ldap-standalone - it's only intended to be used in select
+# service stacks and should therefore be handled manually.  libpam-ldapd is
+# expected to be used for the rest.
+#Name: LDAP Authentication
+#Default: yes
+#Priority: 128
+#Auth-Type: Primary
+#Auth-Initial:
+#	[success=end default=ignore]	pam_ldap_standalone.so
+#Auth:
+#	[success=end default=ignore]	pam_ldap_standalone.so use_first_pass
+#Account-Type: Primary
+#Account:
+#	[success=end default=ignore]	pam_ldap_standalone.so
+#Password-Type: Primary
+#Password-Initial:
+#	[success=end user_unknown=ignore default=die]	pam_ldap_standalone.so
+#Password:
+#	[success=end user_unknown=ignore default=die]	pam_ldap_standalone.so use_authtok try_first_pass
+#Session-Type: Additional
+#Session:
+#	optional			pam_ldap_standalone.so
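Review bot: this profile is entirely commented out and, as far as the diff shows, nothing installs it (there is no pam-configs entry in the standalone .install file), so it is dead weight; drop the file and keep the "handle it manually, libpam-ldapd covers common-*" explanation in the README instead. If it is removed, the "pam-auth-update --package --remove ldap_standalone" call in the prerm should go with it, since no profile by that name is ever registered.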
diff -u -ruN libpam-ldap-186/debian/libpam-ldap-standalone.postinst libpam-ldap-186.cae.standalone/debian/libpam-ldap-standalone.postinst
--- libpam-ldap-186/debian/libpam-ldap-standalone.postinst	1969-12-31 18:00:00.000000000 -0600
+++ libpam-ldap-186.cae.standalone/debian/libpam-ldap-standalone.postinst	2016-11-23 14:59:45.752352891 -0600
@@ -0,0 +1,165 @@
+#!/bin/sh
+
+#DEBHELPER#
+
+set -e
+
+# Disabled for libpam-ldap-standalone - it's only intended to be used in select
+# service stacks and should therefore be handled manually.  libpam-ldapd is
+# expected to be used for the rest.
+#pam-auth-update --package
+
+# However, we can reuse previous settings from libpam-ldap if possible.
+
+PACKAGE=libpam-ldap-standalone
+CONFFILE="/etc/pam_ldap.conf"
+PASSWDFILE="/etc/pam_ldap.secret"
+OLDPASSWDFILE="/etc/ldap.secret"
+
+add_missing()
+{
+	# FIXME: it would be nice to get the prototype from a template.
+
+	parameter=$1
+	value=$2
+	echo "$parameter $value" >> $CONFFILE
+}
+
+change_value()
+{
+	parameter=$1
+	value=$2
+	commented=0 ; notthere=0
+	egrep -i -q "^$parameter " $CONFFILE || notthere=1
+	if [ "$notthere" = "1" ]; then
+		if ( egrep -i -q "^# *$parameter" $CONFFILE ); then
+			notthere=0
+			commented=1
+		fi
+	fi
+
+	if [ "$notthere" = "1" ]; then
+		add_missing $parameter $value
+	else
+		# i really need a better way to do this...
+		# currently we replace only the first match, we need a better
+		# way of dealing with multiple hits.
+		if [ "$commented" = "1" ]; then
+			value="$value" parameter="$parameter" perl -i -p -e 's/^# *\Q$ENV{"parameter"}\E .*/$ENV{"parameter"} $ENV{"value"}/i
+				and $match=1 unless ($match)' $CONFFILE
+		else
+			value="$value" parameter="$parameter" perl -i -p -e 's/^\Q$ENV{"parameter"}\E .*/$ENV{"parameter"} $ENV{"value"}/i
+				and $match=1 unless ($match)' $CONFFILE
+		fi
+	fi
+}
+
+disable_param()
+{
+	parameter=$1
+	enabled=0
+	egrep -q "^$parameter " $CONFFILE && enabled=1
+	if [ "$enabled" = "1" ]; then
+		perl -i -p -e "s/^($parameter .*)/#\$1/i" $CONFFILE
+	fi
+}
+	
+
+
+# ok, lets get to business..
+. /usr/share/debconf/confmodule
+
+# lets create the configuration from example if it's not there.
+examplefile=/usr/share/$PACKAGE/ldap.conf
+if [ ! -e $CONFFILE -a -e $examplefile ]; then
+	cat > $CONFFILE << EOM
+###DEBCONF###
+# the configuration of this file will be done by debconf as long as the
+# first line of the file says '###DEBCONF###'
+#
+# you should use dpkg-reconfigure to configure this file
+#
+EOM
+	cat $examplefile >> $CONFFILE
+	chmod 0644 $CONFFILE
+	db_set libpam-ldap/override true
+fi
+
+db_get libpam-ldap/override
+if [ "$RET" = "true" ]; then
+	if ( head -1 $CONFFILE | grep -q -v '^###DEBCONF###$' ); then
+		mv $CONFFILE $CONFFILE.tmp
+		cat > $CONFFILE << EOM
+###DEBCONF###
+EOM
+		cat $CONFFILE.tmp >> $CONFFILE
+		rm -f $CONFFILE.tmp
+		chmod 0644 $CONFFILE
+	fi
+
+	db_get shared/ldapns/ldap-server
+	if echo $RET | egrep -q '^ldap[is]?://'; then
+		disable_param host
+		change_value uri "$RET"
+	else
+		disable_param uri
+		change_value host "$RET"
+	fi
+
+	db_get shared/ldapns/base-dn
+	change_value base "$RET"
+
+	db_get shared/ldapns/ldap_version
+	change_value ldap_version "$RET"
+
+	db_get libpam-ldap/pam_password
+	change_value pam_password "$RET"
+
+	db_get libpam-ldap/dbrootlogin
+	if [ "$RET" = "true" ]; then
+		# separate root login to the database
+		db_get libpam-ldap/rootbinddn
+		change_value rootbinddn "$RET"
+
+		db_get libpam-ldap/rootbindpw
+		if [ "$RET" != "" ]; then
+			rm -f $PASSWDFILE $OLDPASSWDFILE
+			echo $RET > $PASSWDFILE
+			chmod 0600 $PASSWDFILE
+			db_set libpam-ldap/rootbindpw ''
+		else
+			# copy the old password file to its new location
+			if [ ! -e $PASSWDFILE -a -e $OLDPASSWDFILE ]; then
+				cp -a $OLDPASSWDFILE $PASSWDFILE
+			fi
+		fi
+	else
+		# ok, so the user refused to use this feature, better make
+		# sure it's really off.
+		disable_param rootbinddn
+		rm -f $PASSWDFILE /etc/ldap.conf
+	fi
+
+	db_get libpam-ldap/dblogin
+	if [ "$RET" = "true" ]; then
+		# user wants to log in to the database, so be it.
+		db_get libpam-ldap/binddn
+		change_value binddn "$RET"
+
+		db_get libpam-ldap/bindpw
+		if [ "$RET" != "" ]; then
+			change_value bindpw "$RET"
+			db_set libpam-ldap/bindpw ''
+		fi
+	else
+		# once again, user didn't.. lets make sure we dont.
+		disable_param binddn
+		disable_param bindpw
+	fi
+else
+	# copy the password file to its new location
+	if [ ! -e $PASSWDFILE -a -e $OLDPASSWDFILE ]; then
+		cp -a $OLDPASSWDFILE $PASSWDFILE
+	fi
+fi
+db_stop
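Review bot: the root bind password is written with "echo $RET > $PASSWDFILE" and only then chmod'ed to 0600, so for a moment the file exists with whatever the ambient umask allows; create it restrictively from the start, e.g. "(umask 077; printf '%s\n' "$RET" > "$PASSWDFILE")", and quote $RET so a password containing spaces or glob characters survives. Two further points in the same script: "rm -f $PASSWDFILE /etc/ldap.conf" in the dbrootlogin=false branch deletes /etc/ldap.conf, a file this package does not own and which other LDAP client packages on the same box may read, so it should remove only $PASSWDFILE; and the script db_get's libpam-ldap/* and shared/ldapns/* questions while the diff adds no libpam-ldap-standalone.templates or .config (the report footer itself says "no debconf information"), so with set -e the first db_get of an unregistered question would abort the postinst. Either ship templates for this package or drop the debconf block.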
diff -u -ruN libpam-ldap-186/debian/libpam-ldap-standalone.postrm libpam-ldap-186.cae.standalone/debian/libpam-ldap-standalone.postrm
--- libpam-ldap-186/debian/libpam-ldap-standalone.postrm	1969-12-31 18:00:00.000000000 -0600
+++ libpam-ldap-186.cae.standalone/debian/libpam-ldap-standalone.postrm	2016-11-23 14:59:53.456438674 -0600
@@ -0,0 +1,15 @@
+#!/bin/sh
+
+set -e
+
+CONFFILE="/etc/pam_ldap.conf"
+PASSWDFILE="/etc/pam_ldap.secret"
+
+action=$1
+
+if [ "$action" = "purge" ] && \
+[ "$(dpkg-query --show libpam-ldap-standalone 2> /dev/null | wc -l)" = 1 ]; then
+	rm -f $CONFFILE $PASSWDFILE
+fi
+
+#DEBHELPER#
diff -u -ruN libpam-ldap-186/debian/libpam-ldap-standalone.prerm libpam-ldap-186.cae.standalone/debian/libpam-ldap-standalone.prerm
--- libpam-ldap-186/debian/libpam-ldap-standalone.prerm	1969-12-31 18:00:00.000000000 -0600
+++ libpam-ldap-186.cae.standalone/debian/libpam-ldap-standalone.prerm	2016-11-23 15:00:07.472594734 -0600
@@ -0,0 +1,12 @@
+#!/bin/sh
+
+set -e
+
+if [ "$1" = remove ] && \
+[ "$(dpkg-query --show libpam-ldap-standalone 2> /dev/null | wc -l)" = 1 ]; then
+	pam-auth-update --package --remove ldap_standalone
+fi
+
+#DEBHELPER#
+
+exit 0
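Review bot: "pam-auth-update --package --remove ldap_standalone" refers to a profile this package never installs (its pam-auth-update file is fully commented out and is not listed in the .install file), so the call is a no-op at best; drop it, or ship a real profile if one is intended.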
diff -u -ruN libpam-ldap-186/debian/rules libpam-ldap-186.cae.standalone/debian/rules
--- libpam-ldap-186/debian/rules	2016-04-04 00:47:35.000000000 -0500
+++ libpam-ldap-186.cae.standalone/debian/rules	2016-11-25 13:45:15.753943648 -0600
@@ -1,5 +1,7 @@
 #!/usr/bin/make -f
 
+#export DH_VERBOSE = 1
+
 export DEB_BUILD_MAINT_OPTIONS= hardening=+bindnow
 
 %:
@@ -7,4 +9,52 @@
 
 override_dh_auto_configure:
 	dh_auto_configure -- --libdir=/lib/$(DEB_HOST_MULTIARCH) \
-	--with-ldap-lib=openldap
+	--with-ldap-lib=openldap \
+	--with-ldap-conf-file=/etc/pam_ldap.conf \
+	--with-ldap-secret-file=/etc/pam_ldap.secret
+
+override_dh_install:
+	dh_install
+	
+	# remove the provided ldap.conf file from /etc
+	# (the old debian package didn't provide one directly either)
+	rm -f debian/libpam-ldap/etc/ldap.conf
+	rm -f debian/libpam-ldap/etc/pam_ldap.conf
+	# same goes for the ldap.secret file
+	rm -f debian/libpam-ldap/etc/ldap.secret
+	rm -f debian/libpam-ldap/etc/pam_ldap.secret
+	# rename man page
+	mv debian/libpam-ldap/usr/share/man/man5/pam_ldap.5 \
+		debian/libpam-ldap/usr/share/man/man5/pam_ldap.conf.5
+	# change all references from /etc/ldap.{conf,secret} to /etc/pam_ldap.{conf,secret}
+	for file in debian/libpam-ldap/usr/share/man/man5/pam_ldap.conf.5 \
+	            debian/libpam-ldap/usr/share/libpam-ldap/ldap.conf \
+	            debian/libpam-ldap/usr/share/doc/libpam-ldap/examples/chfn \
+	            debian/libpam-ldap/usr/share/doc/libpam-ldap/examples/chsh ; do \
+		sed	-e 's,ldap.conf,pam_ldap.conf,' \
+			-e 's,ldap.secret,pam_ldap.secret,' \
+			< $$file > $$file-sed; \
+		mv $$file-sed $$file; \
+	done
+	
+	# rename man page
+	mv debian/libpam-ldap-standalone/usr/share/man/man5/pam_ldap.5 \
+		debian/libpam-ldap-standalone/usr/share/man/man5/pam_ldap_standalone.conf.5
+	# change all references from /etc/ldap.{conf,secret} to /etc/pam_ldap.{conf,secret}
+	# and all references of pam_ldap to pam_ldap_standalone
+	for file in debian/libpam-ldap-standalone/usr/share/man/man5/pam_ldap_standalone.conf.5 \
+	            debian/libpam-ldap-standalone/usr/share/libpam-ldap-standalone/ldap.conf ; do \
+		sed	-e 's,ldap.conf,pam_ldap.conf,' \
+			-e 's,ldap.secret,pam_ldap.secret,' \
+			-e 's,pam_ldap.so,pam_ldap_standalone.so,g' \
+			-e 's,pam_ldap\b,pam_ldap_standalone,g' \
+			-e 's,pam_ldap_standalone.conf,pam_ldap.conf,g' \
+			-e 's,pam_ldap_standalone.secret,pam_ldap.secret,g' \
+			< $$file > $$file-sed; \
+		mv $$file-sed $$file; \
+	done
+	# here's the whole point of this extra package copy:
+	# move the pam_ldap.so file to a new name so it can coeexist with the
+	# pam_ldap.so file from libpam-ldapd
+	mv debian/libpam-ldap-standalone/lib/$(DEB_HOST_MULTIARCH)/security/pam_ldap.so \
+		debian/libpam-ldap-standalone/lib/$(DEB_HOST_MULTIARCH)/security/pam_ldap_standalone.so
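Review bot: the "s,ldap.conf,pam_ldap.conf," and "s,ldap.secret,pam_ldap.secret," expressions in both loops are unanchored, have an unescaped dot and no g flag, so they rewrite only the first match per line and turn an existing "pam_ldap.conf" into "pam_pam_ldap.conf"; anchor them to the path, "s,/etc/ldap\.conf,/etc/pam_ldap.conf,g" and "s,/etc/ldap\.secret,/etc/pam_ldap.secret,g". In the standalone loop the "\b" replacement followed by two undo expressions would then be unnecessary as well. Also, the renamed man page pam_ldap_standalone.conf.5 documents a file that does not exist (the module still reads /etc/pam_ldap.conf); keep the name pam_ldap.conf.5 or say in the page that the path is shared. The comment on the final mv has the "coeexist" typo, and that mv can be replaced by a dh-exec rename in the .install file.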
diff -u -ruN libpam-ldap-186/debian/standalone/doc/README libpam-ldap-186.cae.standalone/debian/standalone/doc/README
--- libpam-ldap-186/debian/standalone/doc/README	1969-12-31 18:00:00.000000000 -0600
+++ libpam-ldap-186.cae.standalone/debian/standalone/doc/README	2016-11-23 15:23:39.124344622 -0600
@@ -0,0 +1,35 @@
+The purpose of the libpam-ldap-standlone package is to workaround a lack of
+functionality from the libpam-ldapd package, which conflicts with standard
+libpam-ldap since they both provide the pam_ldap.so module.
+
+In particular, libpam-ldapd's pam_ldap.so is missing ability to handle per pam
+service stack alternative LDAP search/bind configurations via the config=
+parameters in the pam_ldap.so module.
+
+However, excepting for the name, the modules can in fact coexist.  Thus, the
+libpam-ldap-standalone package is mostly just a copy of the libpam-ldap
+package, with a few renames.
+
+
+The intended use for it is to provide per service pam stack overrides to allow
+the use of the config= parameter for those affected stacks.  It is *not* meant
+for both libpam-ldapd and libpam-ldap-standalone to be used for the default pam
+service stacks (eg: /etc/pam.d/common-*).
+
+As a specific example, we include in the examples directory, two configuration
+files for asking the sudo pam service to redirect authentication over to a
+separate pam_ldap.sudo.conf file which is configured to lookup and bind users
+in a separate base LDAP ou than usual (eg: ou=SudoPeople instead of ou=People).
+The assumption is that user account objects in ou=SudoPeople mostly mirror
+their counterpart objects in ou=People (though possibly only a subset of them)
+expect in the userPassword attribute, which should be different, thus allowing
+the sudo service to require two separate password credentials for use (ie: one
+for authenticating to the machine as the user for general shell access via, say
+ssh, and another for gaining elevated privileges).  Such ou=SudoPeople
+vs ou=People object mirror configurations can easily be supported via
+most DB <-> LDAP synchronization programs (exercise left to the reader).
+
+Such a configuration allows the benefits of nslcd/libnss-ldapd/libpam-ldapd,
+namely consolidated connections/caching and limited library exposure to other
+libraries, while still providing the flexible configuration power of the
+standalone libpam-ldap.
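Review bot: a few wording slips in the README: "standlone" should be "standalone", "workaround a lack" should be "work around a lack", "missing ability" should be "missing the ability", "excepting for the name" should be "except for the name", and "expect in the userPassword attribute" should be "except in the userPassword attribute"; since that last sentence carries the security point (two distinct passwords), the typo changes its meaning. It would also help to state here that anyone pam_unix.so accepts never reaches the LDAP sudo password, as the example stack checks the local shadow entry first.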
diff -u -ruN libpam-ldap-186/debian/standalone/examples/pam.d/sudo libpam-ldap-186.cae.standalone/debian/standalone/examples/pam.d/sudo
--- libpam-ldap-186/debian/standalone/examples/pam.d/sudo	1969-12-31 18:00:00.000000000 -0600
+++ libpam-ldap-186.cae.standalone/debian/standalone/examples/pam.d/sudo	2016-11-25 13:10:01.406475988 -0600
@@ -0,0 +1,37 @@
+#%PAM-1.0
+
+# Use an alternate pam_ldap.conf file so we can auth against a different
+# password attribute, so rather than straight including these, we'll
+# copy/paste/edit (see below).
+#@include common-auth
+# However, we really only need to disable the usual common-auth stuff so that
+# we can use our separate sudo password via the shadow ldap objects.
+# However, we still want to perform both sets of ldap filters (host default and
+# sudo) via the usual means (common-account, eg: via libpam-ldapd) for regular
+# account status validation.
+@include common-account
+
+# Enforce lockout restrictions.
+#auth required pam_tally.so onerr=fail deny=6 unlock_time=300
+
+# Copied and edited from /etc/pam.d/common-auth
+# Check local authentication first (so root and other local users can still
+# login while LDAP is down) and skip 1 rules and move on to pam_permit upon
+# success.
+auth [success=1 default=ignore] pam_unix.so
+# Use an alternative pam_ldap.conf file for sudo that includes a different
+# pam_filter and/or nss_base_passwd LDAP search base ou with shadow accounts
+# for regular accounts that have alternative password attributes.
+auth required pam_ldap_standalone.so use_first_pass config=/etc/pam_ldap.sudo.conf
+auth required pam_permit.so
+
+# Copied and edited from /etc/pam.d/common-account
+# Try local shadow db first (so don't include ldap in nsswitch.conf's shadow
+# db) and skip 1 rules and move on to pam_permit upon success.
+account [success=1 default=ignore] pam_unix.so
+account required pam_ldap_standalone.so config=/etc/pam_ldap.sudo.conf
+account required pam_permit.so
+
+# Regular sudo stuff.
+session required pam_limits.so
+session required pam_permit.so
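Review bot: the auth block is correct only because the pam_ldap_standalone.so line is "required": pam_unix's success=1 jumps straight to pam_permit.so, and an LDAP failure is what makes the stack fail. Unlike the stock common-auth it is copied from there is no "auth requisite pam_deny.so" before pam_permit, so a later edit that loosens the LDAP line (to "sufficient", say) would silently grant sudo to everyone; mirror the Debian pattern instead: "auth [success=2 default=ignore] pam_unix.so", "auth [success=1 default=ignore] pam_ldap_standalone.so use_first_pass config=/etc/pam_ldap.sudo.conf", "auth requisite pam_deny.so", "auth required pam_permit.so". The account block likewise copies common-account while also @include-ing it above, so pam_unix runs twice in that phase; the comments explain the double-filter intent, but the duplicated pam_unix line can go.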
diff -u -ruN libpam-ldap-186/debian/standalone/examples/pam_ldap.sudo.conf libpam-ldap-186.cae.standalone/debian/standalone/examples/pam_ldap.sudo.conf
--- libpam-ldap-186/debian/standalone/examples/pam_ldap.sudo.conf	1969-12-31 18:00:00.000000000 -0600
+++ libpam-ldap-186.cae.standalone/debian/standalone/examples/pam_ldap.sudo.conf	2016-11-25 13:10:35.002847505 -0600
@@ -0,0 +1,287 @@
+# @(#)$Id: pam_ldap.sudo.conf,v 1.38 2006/05/15 08:13:31 lukeh Exp $
+#
+# This is the configuration file for the LDAP nameservice
+# switch library and the LDAP PAM module.
+#
+# PADL Software
+# http://www.padl.com
+#
+
+# Your LDAP server. Must be resolvable without using LDAP.
+# Multiple hosts may be specified, each separated by a 
+# space. How long nss_ldap takes to failover depends on
+# whether your LDAP client library supports configurable
+# network or connect timeouts (see bind_timelimit).
+host 127.0.0.1
+
+# The distinguished name of the search base.
+base dc=padl,dc=com
+
+# Another way to specify your LDAP server is to provide an
+# uri with the server name. This allows to use
+# Unix Domain Sockets to connect to a local LDAP Server.
+#uri ldap://127.0.0.1/
+#uri ldaps://127.0.0.1/   
+#uri ldapi://%2fvar%2frun%2fldapi_sock/
+# Note: %2f encodes the '/' used as directory separator
+
+# The LDAP version to use (defaults to 3
+# if supported by client library)
+#ldap_version 3
+
+# The distinguished name to bind to the server with.
+# Optional: default is to bind anonymously.
+#binddn cn=proxyuser,dc=padl,dc=com
+
+# The credentials to bind with. 
+# Optional: default is no credential.
+#bindpw secret
+
+# The distinguished name to bind to the server with
+# if the effective user ID is root. Password is
+# stored in /etc/ldap.secret (mode 600)
+#rootbinddn cn=manager,dc=padl,dc=com
+
+# The port.
+# Optional: default is 389.
+#port 389
+
+# The search scope.
+#scope sub
+#scope one
+#scope base
+
+# Search timelimit
+#timelimit 30
+
+# Bind/connect timelimit
+#bind_timelimit 30
+
+# Reconnect policy: hard (default) will retry connecting to
+# the software with exponential backoff, soft will fail
+# immediately.
+#bind_policy hard
+
+# Idle timelimit; client will close connections
+# (nss_ldap only) if the server has not been contacted
+# for the number of seconds specified below.
+#idle_timelimit 3600
+
+# Filter to AND with uid=%s
+#pam_filter allowedServicesACL=sudo
+
+# The user ID attribute (defaults to uid)
+#pam_login_attribute uid
+
+# Search the root DSE for the password policy (works
+# with Netscape Directory Server)
+#pam_lookup_policy yes
+
+# Check the 'host' attribute for access control
+# Default is no; if set to yes, and user has no
+# value for the host attribute, and pam_ldap_standalone is
+# configured for account management (authorization)
+# then the user will not be allowed to login.
+#pam_check_host_attr yes
+
+# Check the 'authorizedService' attribute for access
+# control
+# Default is no; if set to yes, and the user has no
+# value for the authorizedService attribute, and
+# pam_ldap_standalone is configured for account management
+# (authorization) then the user will not be allowed
+# to login.
+#pam_check_service_attr yes
+
+# Group to enforce membership of
+#pam_groupdn cn=PAM,ou=Groups,dc=padl,dc=com
+
+# Group member attribute
+#pam_member_attribute uniquemember
+
+# Specify a minium or maximum UID number allowed
+#pam_min_uid 0
+#pam_max_uid 0
+
+# Template login attribute, default template user
+# (can be overriden by value of former attribute
+# in user's entry)
+#pam_login_attribute userPrincipalName
+#pam_template_login_attribute uid
+#pam_template_login nobody
+
+# HEADS UP: the pam_crypt, pam_nds_passwd,
+# and pam_ad_passwd options are no
+# longer supported.
+#
+# Do not hash the password at all; presume
+# the directory server will do it, if
+# necessary. This is the default.
+#pam_password clear
+
+# Hash password locally; required for University of
+# Michigan LDAP server, and works with Netscape
+# Directory Server if you're using the UNIX-Crypt
+# hash mechanism and not using the NT Synchronization
+# service. 
+#pam_password crypt
+
+# Remove old password first, then update in
+# cleartext. Necessary for use with Novell
+# Directory Services (NDS)
+#pam_password clear_remove_old
+#pam_password nds
+
+# RACF is an alias for the above. For use with
+# IBM RACF
+#pam_password racf
+
+# Update Active Directory password, by
+# creating Unicode password and updating
+# unicodePwd attribute.
+#pam_password ad
+
+# Use the OpenLDAP password change
+# extended operation to update the password.
+#pam_password exop
+
+# Redirect users to a URL or somesuch on password
+# changes.
+#pam_password_prohibit_message Please visit http://internal to change your password.
+
+# RFC2307bis naming contexts
+# Syntax:
+# nss_base_XXX		base?scope?filter
+# where scope is {base,one,sub}
+# and filter is a filter to be &'d with the
+# default filter.
+# You can omit the suffix eg:
+# nss_base_passwd	ou=People,
+# to append the default base DN but this
+# may incur a small performance impact.
+#nss_base_passwd	ou=SudoPeople,dc=padl,dc=com?one
+#nss_base_shadow	ou=SudoPeople,dc=padl,dc=com?one
+#nss_base_group		ou=Group,dc=padl,dc=com?one
+#nss_base_hosts		ou=Hosts,dc=padl,dc=com?one
+#nss_base_services	ou=Services,dc=padl,dc=com?one
+#nss_base_networks	ou=Networks,dc=padl,dc=com?one
+#nss_base_protocols	ou=Protocols,dc=padl,dc=com?one
+#nss_base_rpc		ou=Rpc,dc=padl,dc=com?one
+#nss_base_ethers	ou=Ethers,dc=padl,dc=com?one
+#nss_base_netmasks	ou=Networks,dc=padl,dc=com?ne
+#nss_base_bootparams	ou=Ethers,dc=padl,dc=com?one
+#nss_base_aliases	ou=Aliases,dc=padl,dc=com?one
+#nss_base_netgroup	ou=Netgroup,dc=padl,dc=com?one
+
+# attribute/objectclass mapping
+# Syntax:
+#nss_map_attribute	rfc2307attribute	mapped_attribute
+#nss_map_objectclass	rfc2307objectclass	mapped_objectclass
+
+# configure --enable-nds is no longer supported.
+# NDS mappings
+#nss_map_attribute uniqueMember member
+
+# Services for UNIX 3.5 mappings
+#nss_map_objectclass posixAccount User
+#nss_map_objectclass shadowAccount User
+#nss_map_attribute uid msSFU30Name
+#nss_map_attribute uniqueMember msSFU30PosixMember
+#nss_map_attribute userPassword msSFU30Password
+#nss_map_attribute homeDirectory msSFU30HomeDirectory
+#nss_map_attribute homeDirectory msSFUHomeDirectory
+#nss_map_objectclass posixGroup Group
+#pam_login_attribute msSFU30Name
+#pam_filter objectclass=User
+#pam_password ad
+
+# configure --enable-mssfu-schema is no longer supported.
+# Services for UNIX 2.0 mappings
+#nss_map_objectclass posixAccount User
+#nss_map_objectclass shadowAccount user
+#nss_map_attribute uid msSFUName
+#nss_map_attribute uniqueMember posixMember
+#nss_map_attribute userPassword msSFUPassword
+#nss_map_attribute homeDirectory msSFUHomeDirectory
+#nss_map_attribute shadowLastChange pwdLastSet
+#nss_map_objectclass posixGroup Group
+#nss_map_attribute cn msSFUName
+#pam_login_attribute msSFUName
+#pam_filter objectclass=User
+#pam_password ad
+
+# RFC 2307 (AD) mappings
+#nss_map_objectclass posixAccount user
+#nss_map_objectclass shadowAccount user
+#nss_map_attribute uid sAMAccountName
+#nss_map_attribute homeDirectory unixHomeDirectory
+#nss_map_attribute shadowLastChange pwdLastSet
+#nss_map_objectclass posixGroup group
+#nss_map_attribute uniqueMember member
+#pam_login_attribute sAMAccountName
+#pam_filter objectclass=User
+#pam_password ad
+
+# configure --enable-authpassword is no longer supported
+# AuthPassword mappings
+#nss_map_attribute userPassword authPassword
+
+# AIX SecureWay mappings
+#nss_map_objectclass posixAccount aixAccount
+#nss_base_passwd ou=aixaccount,?one
+#nss_map_attribute uid userName
+#nss_map_attribute gidNumber gid
+#nss_map_attribute uidNumber uid
+#nss_map_attribute userPassword passwordChar
+#nss_map_objectclass posixGroup aixAccessGroup
+#nss_base_group ou=aixgroup,?one
+#nss_map_attribute cn groupName
+#nss_map_attribute uniqueMember member
+#pam_login_attribute userName
+#pam_filter objectclass=aixAccount
+#pam_password clear
+
+# Netscape SDK LDAPS
+#ssl on
+
+# Netscape SDK SSL options
+#sslpath /etc/ssl/certs
+
+# OpenLDAP SSL mechanism
+# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
+#ssl start_tls
+#ssl on
+
+# OpenLDAP SSL options
+# Require and verify server certificate (yes/no)
+# Default is to use libldap's default behavior, which can be configured in
+# /etc/openldap/ldap.conf using the TLS_REQCERT setting.  The default for
+# OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
+#tls_checkpeer yes
+
+# CA certificates for server certificate verification
+# At least one of these are required if tls_checkpeer is "yes"
+#tls_cacertfile /etc/ssl/ca.cert
+#tls_cacertdir /etc/ssl/certs
+
+# Seed the PRNG if /dev/urandom is not provided
+#tls_randfile /var/run/egd-pool
+
+# SSL cipher suite
+# See man ciphers for syntax
+#tls_ciphers TLSv1
+
+# Client certificate and key
+# Use these, if your server requires client authentication.
+#tls_cert
+#tls_key
+
+# Disable SASL security layers. This is needed for AD.
+#sasl_secprops maxssf=0
+
+# Override the default Kerberos ticket cache location.
+#krb5_ccname FILE:/etc/.ldapcache
+
+# SASL mechanism for PAM authentication - use is experimental
+# at present and does not support password policy control
+#pam_sasl_mech DIGEST-MD5
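Review bot: as shipped, every sudo-specific setting in this example is commented out ("#nss_base_passwd ou=SudoPeople,...", "#nss_base_shadow ...", "#pam_filter allowedServicesACL=sudo"), so the file behaves like a stock pam_ldap.conf pointed at 127.0.0.1 and dc=padl,dc=com, contrary to the README's description of it as configured for a separate ou; enable at least the two nss_base_* lines so the example actually exercises the different password. Smaller points: the rootbinddn comment still names /etc/ldap.secret although this build reads /etc/pam_ldap.secret (the sed in debian/rules does not run over this file); "ou=Networks,dc=padl,dc=com?ne" on the nss_base_netmasks line should end in "?one"; and with ssl/start_tls and tls_checkpeer left commented the bind travels in the clear, which is fine for the 127.0.0.1 example but deserves a comment for anyone who changes "host".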