[sudo-users] Help needed with sudo ssl and HPUX
Eric Freeman
eric.freeman at tbwachiat.com
Thu May 27 12:12:26 EDT 2010
I am running sudo 1.7.2 on HP-UX 11.11. Sudo works when not using SSL but
when using SSL it fails. The odd thing is it works on another HP-UX machine
and the same version of sudo. I have also copied the /etc/ldap.conf file
from the working machine to the non-working machine.
When I am root and type sudo -v it appears to talk SSL but a regular user
fails. The regular user also fails SSL when issuing a sudo command with an
actual command.
Thank you.
Below is the error and one that worked with root:
$ sudo lastb
LDAP Config Summary
===================
uri ldap://10.20.2.165
ldap_version 3
sudoers_base ou=xxxxxxx
binddn cn=xxxxxx
bindpw xxxxx
bind_timelimit 30000
timelimit 30
ssl start_tls
tls_checkpeer (no)
===================
sudo: ldap_initialize(ld, ldap://10.20.2.165)
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_set_option: tls_checkpeer -> 0
sudo: ldap_set_option: timelimit -> 30
sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 30)
sudo: ldap_start_tls_s(): Connect error
Working with root:
dbtest:/ # sudo -v
LDAP Config Summary
===================
uri ldap://10.20.2.165
ldap_version 3
sudoers_base ou=xxxxx
binddn cn=xxxxx
bindpw xxxx
bind_timelimit 30000
timelimit 30
ssl off
tls_checkpeer (no)
===================
sudo: ldap_initialize(ld, ldap://10.20.2.165)
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_set_option: tls_checkpeer -> 0
sudo: ldap_set_option: timelimit -> 30
sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 30)
sudo: ldap_sasl_bind_s() ok
sudo: found:cn=defaults,ou=SUDOersDBTEST,ou=SUDOers,ou=Services,o=NAM
sudo: ldap sudoOption: 'logfile=/var/adm/syslog/sudo.ldap.log'
sudo: ldap sudoOption: 'log_year'
sudo: user_matches=0
sudo: host_matches=0
sudo: sudo_ldap_lookup(53)=0x82
$ more /etc/ldap.conf
uri ldap://10.20.2.165
ssl start_tls
TLS_CHECKPEER off
sudoers_base ou=xxxxx
BINDDN cn=xxxx
BINDPW xxxx
timelimit 30
bind_timelimit 30
TLS_REQCERT never
sudoers_debug 2
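As an added example (not from the post and not part of sudo), the script below parses the "LDAP Config Summary" block that sudo prints when sudoers_debug is set and diffs two dumps, which for the two runs quoted above isolates the one setting that differs (ssl start_tls for the regular user, ssl off for root); it also flags settings under which the LDAP server certificate is not verified. The sample dump is constructed from the redacted values above, with the root dump assumed to differ only in its ssl line.

```python
import re

# Constructed excerpt modelled on the debug output in the post (redacted
# placeholders kept); the root dump is assumed to differ only in its ssl line.
USER_DUMP = """\
LDAP Config Summary
===================
uri ldap://10.20.2.165
ldap_version 3
sudoers_base ou=xxxxx
ssl start_tls
tls_checkpeer (no)
===================
"""
ROOT_DUMP = USER_DUMP.replace("ssl start_tls", "ssl off")

SUMMARY_RE = re.compile(r"LDAP Config Summary\n=+\n(.*?)\n=+", re.S)

def parse_summary(debug_output):
    """Return {key: value} for the lines inside sudo's LDAP Config Summary."""
    m = SUMMARY_RE.search(debug_output)
    if not m:
        raise ValueError("no LDAP Config Summary block found")
    settings = {}
    for line in m.group(1).splitlines():
        key, _, value = line.strip().partition(" ")
        if key:
            settings[key] = value.strip()
    return settings

def diff_summaries(a, b):
    """Return {key: (value_in_a, value_in_b)} for settings that differ."""
    return {k: (a.get(k), b.get(k)) for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}

def tls_warnings(settings):
    """Describe how the effective settings weaken transport security."""
    notes = []
    if settings.get("ssl", "off") == "off":
        notes.append("ssl off: bind credentials and sudoers data travel in clear text")
    if settings.get("tls_checkpeer", "").strip("()") in ("no", "off", "0"):
        notes.append("tls_checkpeer off: the server certificate is not verified")
    return notes

if __name__ == "__main__":
    user, root = parse_summary(USER_DUMP), parse_summary(ROOT_DUMP)
    print("differs:", diff_summaries(user, root))  # {'ssl': ('start_tls', 'off')}
    print("root:", tls_warnings(root))
```

Capture the real dumps from `sudo -v` as each user into two files and feed them to parse_summary instead of the constructed strings.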