[sudo-users] sudo 1.7.1 with pam, ldap and SSL on solaris 10: need help [SOLVED]
M. Fija
fija00 at gmail.com
Fri May 29 03:57:14 EDT 2009
There is something buggy with the Solaris 10
ldapssl_clientauth_init()/ldapssl_client_init() functions.
I've trussed sudo and found this:
26236: stat("/var/ldap/cert8.db/cert8.db", 0xFFBFF0E8) Err#20 ENOTDIR
26236: open("/var/ldap/cert8.db/cert8.db", O_RDONLY) Err#20 ENOTDIR
26236: stat("/var/ldap/cert8.db/cert7.db", 0xFFBFF0E8) Err#20 ENOTDIR
26236: open("/var/ldap/cert8.db/cert7.db", O_RDONLY) Err#20 ENOTDIR
26236: open("/usr/lib/locale/en_US.ISO8859-15/LC_MESSAGES/SUNW_OST_OSLIB.mo", O_RDONLY) Err#2 ENOENT
Note the appended cert{8,7}.db name to the certificate db file name.
I've then changed the tls_cert parameter to /var/ldap:
...
#tls_cert /var/ldap/cert8.db
tls_cert /var/ldap/
...
... and that made sudo happy:
$ sudo -l
LDAP Config Summary
===================
uri ldaps://myldapserver
ldap_version 3
sudoers_base ou=sudoers,dc=example,dc=fr
binddn cn=clxb1ad,ou=systems,dc=example,dc=fr
bindpw edfgt54r
ssl on
tls_checkpeer (yes)
tls_certfile /var/ldap/
===================
sudo: ldapssl_clientauth_init(/var/ldap/, NULL)
sudo: ldapssl_init(myldapserver:636, 389, 1)
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_simple_bind_s() ok
sudo: found:cn=defaults,ou=sudoers,dc=example,dc=fr
Fija
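A check for the misconfiguration worked out above, added here as an example that is not part of the thread or of sudo itself: it reads tls_cert from an ldap.conf-style file and reports whether the value is the cert db directory the Sun LDAP SDK expects, the cert8.db file itself (the failing case), or nothing usable. The cert8.db/cert7.db directory layout and the sample config files are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread or the sudo project. The Sun LDAP SDK on
# Solaris 10 appends cert8.db / cert7.db to the tls_cert path itself (see the
# truss output), so the value must be the cert db DIRECTORY, not the db file.

# Print the effective tls_cert value (last uncommented one, comment stripped).
get_tls_cert() {
    sed -n 's/^[[:space:]]*tls_cert[[:space:]]\{1,\}\([^#]*\).*/\1/p' "$1" \
        | tail -1 | sed 's/[[:space:]]*$//'
}

# Classify a tls_cert value; always returns 0 and prints one word:
#   ok      directory holding cert8.db or cert7.db (what the Sun SDK wants)
#   file    points at the database file itself (the "bad database" case)
#   missing path absent, or a directory with no NSS cert db in it
check_tls_cert() {
    p=$1
    if [ -f "$p" ]; then
        case "$p" in
            *cert8.db|*cert7.db) echo file ;;
            *) echo missing ;;
        esac
    elif [ -d "$p" ] && { [ -f "$p/cert8.db" ] || [ -f "$p/cert7.db" ]; }; then
        echo ok
    else
        echo missing
    fi
}

# Audit one config file: prints "<status> <path>", or "unset" if absent.
audit_tls_cert() {
    p=$(get_tls_cert "$1")
    [ -n "$p" ] || { echo unset; return 0; }
    echo "$(check_tls_cert "$p") $p"
}

# Constructed demo: a fake NSS cert db directory and the two configs from the
# thread (misconfigured file path, then the working directory path).
demo() {
    tmp=$(mktemp -d) || return 1
    : > "$tmp/cert8.db"
    printf '#tls_cert %s/cert8.db\ntls_cert %s/cert8.db\n' "$tmp" "$tmp" > "$tmp/bad.conf"
    printf 'tls_cert %s/   # cert db directory\n' "$tmp" > "$tmp/good.conf"
    audit_tls_cert "$tmp/bad.conf"    # file <tmp>/cert8.db
    audit_tls_cert "$tmp/good.conf"   # ok <tmp>/
    rm -rf "$tmp"
}

demo
```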
2009/5/28 M. Fija <fija00 at gmail.com>
> Thank you for the patch, but unfortunately the result is the same:
>
> $ sudo -l
> LDAP Config Summary
> ===================
> uri ldaps://myldapserver
> ldap_version 3
> sudoers_base ou=sudoers,dc=example,dc=fr
> binddn cn=host1,ou=systems,dc=example,dc=fr
> bindpw host1pwd
> ssl on
> tls_checkpeer (yes)
> tls_certfile /var/ldap/cert8.db
> ===================
> sudo: ldapssl_client_init(/var/ldap/cert8.db)
> sudo: unable to initialize SSL client: security library: bad database.
> sudo: unable to initialize LDAP: Unknown error
> Password:
>
> Fija
>
>
> 2009/5/28 Todd C. Miller <Todd.Miller at courtesan.com>
>
>> In message <b5ff222b0905280542h646247c2wdc517f2806700ce2 at mail.gmail.com>
>> so spake "M. Fija" (fija00):
>>
>> > It looks like the message "sudo: unable to initialize SSL cert and key db:
>> > security library: bad" indicates that "tls_cert" and "tls_key" are
>> > mandatory to use SSL with sudo.
>>
>> They should not be. The LDAP API is supposed to deal with them not
>> being specified. Please try the diff below to see if it helps.
>>
>> > It seems that "tls_cacertfile" parameter is ignored.
>>
>> There is no way to specify a separate CA cert with the Sun LDAP API.
>>
>> - todd
>>
>> Index: ldap.c
>> ===================================================================
>> RCS file: /home/cvs/courtesan/sudo/ldap.c,v
>> retrieving revision 1.107
>> diff -u -p -u -r1.107 ldap.c
>> --- ldap.c 25 May 2009 12:02:41 -0000 1.107
>> +++ ldap.c 28 May 2009 13:45:51 -0000
>> @@ -381,15 +381,26 @@ sudo_ldap_init(ldp, host, port)
>>
>> #ifdef HAVE_LDAPSSL_INIT
>> if (ldap_conf.ssl_mode == SUDO_LDAP_SSL) {
>> - DPRINTF(("ldapssl_clientauth_init(%s, %s)",
>> - ldap_conf.tls_certfile ? ldap_conf.tls_certfile : "NULL",
>> - ldap_conf.tls_keyfile ? ldap_conf.tls_keyfile : "NULL"), 2);
>> - rc = ldapssl_clientauth_init(ldap_conf.tls_certfile, NULL,
>> - ldap_conf.tls_keyfile != NULL, ldap_conf.tls_keyfile, NULL);
>> - if (rc != LDAP_SUCCESS) {
>> - warningx("unable to initialize SSL cert and key db: %s",
>> - ldapssl_err2string(rc));
>> - goto done;
>> + if (ldap_conf.tls_keyfile) {
>> + DPRINTF(("ldapssl_clientauth_init(%s, %s)",
>> + ldap_conf.tls_certfile ? ldap_conf.tls_certfile : "NULL",
>> + ldap_conf.tls_keyfile), 2);
>> + rc = ldapssl_clientauth_init(ldap_conf.tls_certfile, NULL,
>> + 1, ldap_conf.tls_keyfile, NULL);
>> + if (rc != LDAP_SUCCESS) {
>> + warningx("unable to initialize SSL cert and key db: %s",
>> + ldapssl_err2string(rc));
>> + goto done;
>> + }
>> + } else {
>> + DPRINTF(("ldapssl_client_init(%s)",
>> + ldap_conf.tls_certfile ? ldap_conf.tls_certfile : "NULL"),
>> 2);
>> + rc = ldapssl_client_init(ldap_conf.tls_certfile, NULL);
>> + if (rc != LDAP_SUCCESS) {
>> + warningx("unable to initialize SSL client: %s",
>> + ldapssl_err2string(rc));
>> + goto done;
>> + }
>> }
>>
>> DPRINTF(("ldapssl_init(%s, %d, 1)", host, port), 2);
>>
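Review bot: the new `else` branch still hands `ldap_conf.tls_certfile` unchanged to `ldapssl_client_init()`, and the truss output earlier in the thread shows the Sun library treating that value as the cert db directory and appending `cert8.db`/`cert7.db` itself, so a `tls_cert /var/ldap/cert8.db` setting keeps failing with "security library: bad database" even with this patch. Consider stat()ing the path and, when it is a regular file, passing its directory instead, or at least include the path in the `unable to initialize SSL client: %s` warning and note in the sudoers.ldap documentation that tls_cert names a directory when built with the Sun LDAP SDK. Minor: the two branches repeat the same `rc != LDAP_SUCCESS` / `warningx()` / `goto done` sequence and could share it after the if/else.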