[sudo-users] sudo 1.7.1 with pam, ldap and SSL on solaris 10: need help
M. Fija
fija00 at gmail.com
Thu May 28 11:26:22 EDT 2009
Thank you for the patch, but unfortunately the result is the same:
$ sudo -l
LDAP Config Summary
===================
uri ldaps://myldapserver
ldap_version 3
sudoers_base ou=sudoers,dc=example,dc=fr
binddn cn=host1,ou=systems,dc=example,dc=fr
bindpw host1pwd
ssl on
tls_checkpeer (yes)
tls_certfile /var/ldap/cert8.db
===================
sudo: ldapssl_client_init(/var/ldap/cert8.db)
sudo: unable to initialize SSL client: security library: bad database.
sudo: unable to initialize LDAP: Unknown error
Password:
Fija
2009/5/28 Todd C. Miller <Todd.Miller at courtesan.com>
> In message <b5ff222b0905280542h646247c2wdc517f2806700ce2 at mail.gmail.com>
> so spake "M. Fija" (fija00):
>
> > It looks like the message "sudo: unable to initialize SSL cert and key
> > db: security library: bad" indicates that "tls_cert" and "tls_key" are
> > mandatory to use SSL with sudo.
>
> They should not be. The LDAP API is supposed to deal with them not
> being specified. Please try the diff below to see if it helps.
>
> > It seems that "tls_cacertfile" parameter is ignored.
>
> There is no way to specify a separate CA cert with the Sun LDAP API.
>
> - todd
>
> Index: ldap.c
> ===================================================================
> RCS file: /home/cvs/courtesan/sudo/ldap.c,v
> retrieving revision 1.107
> diff -u -p -u -r1.107 ldap.c
> --- ldap.c 25 May 2009 12:02:41 -0000 1.107
> +++ ldap.c 28 May 2009 13:45:51 -0000
> @@ -381,15 +381,26 @@ sudo_ldap_init(ldp, host, port)
>
> #ifdef HAVE_LDAPSSL_INIT
> if (ldap_conf.ssl_mode == SUDO_LDAP_SSL) {
> - DPRINTF(("ldapssl_clientauth_init(%s, %s)",
> - ldap_conf.tls_certfile ? ldap_conf.tls_certfile : "NULL",
> - ldap_conf.tls_keyfile ? ldap_conf.tls_keyfile : "NULL"), 2);
> - rc = ldapssl_clientauth_init(ldap_conf.tls_certfile, NULL,
> - ldap_conf.tls_keyfile != NULL, ldap_conf.tls_keyfile, NULL);
> - if (rc != LDAP_SUCCESS) {
> - warningx("unable to initialize SSL cert and key db: %s",
> - ldapssl_err2string(rc));
> - goto done;
> + if (ldap_conf.tls_keyfile) {
> + DPRINTF(("ldapssl_clientauth_init(%s, %s)",
> + ldap_conf.tls_certfile ? ldap_conf.tls_certfile : "NULL",
> + ldap_conf.tls_keyfile), 2);
> + rc = ldapssl_clientauth_init(ldap_conf.tls_certfile, NULL,
> + 1, ldap_conf.tls_keyfile, NULL);
> + if (rc != LDAP_SUCCESS) {
> + warningx("unable to initialize SSL cert and key db: %s",
> + ldapssl_err2string(rc));
> + goto done;
> + }
> + } else {
> + DPRINTF(("ldapssl_client_init(%s)",
> + ldap_conf.tls_certfile ? ldap_conf.tls_certfile : "NULL"),
> 2);
> + rc = ldapssl_client_init(ldap_conf.tls_certfile, NULL);
> + if (rc != LDAP_SUCCESS) {
> + warningx("unable to initialize SSL client: %s",
> + ldapssl_err2string(rc));
> + goto done;
> + }
> }
>
> DPRINTF(("ldapssl_init(%s, %d, 1)", host, port), 2);
>
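Review bot: in the new else branch the failure message drops the database path that was passed in, so a user sees only "unable to initialize SSL client: security library: bad database" (exactly what the reply above reports) with no indication of which file the library rejected; the DPRINTF that does name the path only shows at debug level 2. Suggest carrying the path into the warning, e.g. `warningx("unable to initialize SSL client (%s): %s", ldap_conf.tls_certfile ? ldap_conf.tls_certfile : "default", ldapssl_err2string(rc));`, and the same for the clientauth branch, whose message also omits both the cert and key file names. Worth noting for that diagnosis: the config summary above shows tls_certfile set to the cert8.db file itself, and that value is handed unchanged to ldapssl_client_init as the database path, so naming it in the error would let the reporter confirm what the library is actually opening.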