[sudo-users] sudo 1.7.1 with pam, ldap and SSL on solaris 10: need help
Todd C. Miller
Todd.Miller at courtesan.com
Thu May 28 09:50:55 EDT 2009
In message <b5ff222b0905280542h646247c2wdc517f2806700ce2 at mail.gmail.com>
so spake "M. Fija" (fija00):
> It looks like the message "sudo: unable to initialize SSL cert and key db:
> security library: bad" indicates that "tls_cert" and "tls_key" are mandatory
> to use SSL with sudo.
They should not be. The LDAP API is supposed to deal with them not
being specified. Please try the diff below to see if it helps.
> It seems that "tls_cacertfile" parameter is ignored.
There is no way to specify a separate CA cert with the Sun LDAP API.
- todd
Index: ldap.c
===================================================================
RCS file: /home/cvs/courtesan/sudo/ldap.c,v
retrieving revision 1.107
diff -u -p -u -r1.107 ldap.c
--- ldap.c 25 May 2009 12:02:41 -0000 1.107
+++ ldap.c 28 May 2009 13:45:51 -0000
@@ -381,15 +381,26 @@ sudo_ldap_init(ldp, host, port)
#ifdef HAVE_LDAPSSL_INIT
if (ldap_conf.ssl_mode == SUDO_LDAP_SSL) {
- DPRINTF(("ldapssl_clientauth_init(%s, %s)",
- ldap_conf.tls_certfile ? ldap_conf.tls_certfile : "NULL",
- ldap_conf.tls_keyfile ? ldap_conf.tls_keyfile : "NULL"), 2);
- rc = ldapssl_clientauth_init(ldap_conf.tls_certfile, NULL,
- ldap_conf.tls_keyfile != NULL, ldap_conf.tls_keyfile, NULL);
- if (rc != LDAP_SUCCESS) {
- warningx("unable to initialize SSL cert and key db: %s",
- ldapssl_err2string(rc));
- goto done;
+ if (ldap_conf.tls_keyfile) {
+ DPRINTF(("ldapssl_clientauth_init(%s, %s)",
+ ldap_conf.tls_certfile ? ldap_conf.tls_certfile : "NULL",
+ ldap_conf.tls_keyfile), 2);
+ rc = ldapssl_clientauth_init(ldap_conf.tls_certfile, NULL,
+ 1, ldap_conf.tls_keyfile, NULL);
+ if (rc != LDAP_SUCCESS) {
+ warningx("unable to initialize SSL cert and key db: %s",
+ ldapssl_err2string(rc));
+ goto done;
+ }
+ } else {
+ DPRINTF(("ldapssl_client_init(%s)",
+ ldap_conf.tls_certfile ? ldap_conf.tls_certfile : "NULL"), 2);
+ rc = ldapssl_client_init(ldap_conf.tls_certfile, NULL);
+ if (rc != LDAP_SUCCESS) {
+ warningx("unable to initialize SSL client: %s",
+ ldapssl_err2string(rc));
+ goto done;
+ }
}
DPRINTF(("ldapssl_init(%s, %d, 1)", host, port), 2);
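Review bot: the two new branches repeat the same `if (rc != LDAP_SUCCESS) { warningx(...); goto done; }` block verbatim; consider assigning rc in each branch and checking it once after the if/else, with the message text chosen alongside the call (for example `msg = "SSL cert and key db"` vs `msg = "SSL client"`), so there is a single error path to keep in sync. The else branch also changes the security posture silently: without tls_keyfile, ldapssl_client_init() sets up server-authenticated TLS only and no client certificate is presented, so the DPRINTF in that branch should say so (e.g. "no tls_key, client cert auth disabled") to make an unintended fall back visible when debugging.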