[sudo-users] Help needed with sudo ssl and HPUX
Todd C. Miller
Todd.Miller at courtesan.com
Fri May 28 17:46:12 EDT 2010
Hmm, in your working example, ssl=off whereas in the non-working,
ssl=start_tls. Does your ldap server support ldaps (SSL over port
636)? If so, does that work?
- todd
In message <AANLkTilwhv3thy_ATBgSVdyK0RFg9mX0cw0Ch5YLSpPX at mail.gmail.com>
so spake Eric Freeman (eric.freeman):
> I am running sudo 1.7.2 on HP-UX 11.11. Sudo works when not using SSL but
> when using SSL it fails. The odd thing is it works on another HP-UX machine
> and the same version of sudo. I have also copied the /etc/ldap.conf file
> from the working machine to the non-working machine.
>
> When I am root and type sudo -v it appears to talk SSL but a regular user
> fails. The regular user also fails SSL when issuing a sudo command with an
> actual command.
>
>
> Thank you.
> Below is the error and one that worked with root:
>
> $ sudo lastb
> LDAP Config Summary
> ===================
> uri ldap://10.20.2.165
> ldap_version 3
> sudoers_base ou=xxxxxxx
> binddn cn=xxxxxx
> bindpw xxxxx
> bind_timelimit 30000
> timelimit 30
> ssl start_tls
> tls_checkpeer (no)
> ===================
> sudo: ldap_initialize(ld, ldap://10.20.2.165)
> sudo: ldap_set_option: debug -> 0
> sudo: ldap_set_option: ldap_version -> 3
> sudo: ldap_set_option: tls_checkpeer -> 0
> sudo: ldap_set_option: timelimit -> 30
> sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 30)
>
> sudo: ldap_start_tls_s(): Connect error
>
>
>
> Working with root:
>
> dbtest:/ # sudo -v
> LDAP Config Summary
> ===================
> uri ldap://10.20.2.165
> ldap_version 3
> sudoers_base ou=xxxxx
> binddn cn=xxxxx
> bindpw xxxx
> bind_timelimit 30000
> timelimit 30
> ssl off
> tls_checkpeer (no)
> ===================
> sudo: ldap_initialize(ld, ldap://10.20.2.165)
> sudo: ldap_set_option: debug -> 0
> sudo: ldap_set_option: ldap_version -> 3
> sudo: ldap_set_option: tls_checkpeer -> 0
> sudo: ldap_set_option: timelimit -> 30
> sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 30)
>
> sudo: ldap_sasl_bind_s() ok
> sudo: found:cn=defaults,ou=SUDOersDBTEST,ou=SUDOers,ou=Services,o=NAM
> sudo: ldap sudoOption: 'logfile=/var/adm/syslog/sudo.ldap.log'
> sudo: ldap sudoOption: 'log_year'
> sudo: user_matches=0
> sudo: host_matches=0
> sudo: sudo_ldap_lookup(53)=0x82
>
>
> $ more /etc/ldap.conf
> uri ldap://10.20.2.165
> ssl start_tls
> TLS_CHECKPEER off
> sudoers_base ou=xxxxx
> BINDDN cn=xxxx
> BINDPW xxxx
> timelimit 30
> bind_timelimit 30
> TLS_REQCERT never
> sudoers_debug 2
>
>
>
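The quoted /etc/ldap.conf is worth reading from a defender's angle as well as a troubleshooting one: `TLS_CHECKPEER off` and `TLS_REQCERT never` make the start_tls session succeed against any certificate, so the TLS layer protects the bind password from passive sniffing but not from a host that answers in place of the LDAP server and hands sudo its own sudoers rules. The following audit script is an added example, not code from the thread or from the sudo project; it parses the quoted file (sudo option names are case-insensitive, hence the BINDDN/binddn mix) and reports the weak settings next to a constructed hardened counterpart. The CA bundle path in the hardened sample is an assumed placeholder, and the defaults assumed for absent options (`tls_checkpeer yes`, `TLS_REQCERT demand`) are noted in the comments.

```python
"""Audit a sudo /etc/ldap.conf for TLS weaknesses (added example)."""
from typing import Dict, List, Tuple

# Constructed sample input: the quoted /etc/ldap.conf from the non-working
# host in the thread, with the redacted values left as placeholders.
SAMPLE_LDAP_CONF = """\
uri ldap://10.20.2.165
ssl start_tls
TLS_CHECKPEER off
sudoers_base ou=xxxxx
BINDDN cn=xxxx
BINDPW xxxx
timelimit 30
bind_timelimit 30
TLS_REQCERT never
sudoers_debug 2
"""

# Constructed hardened counterpart: ldaps on port 636 (the option Todd
# suggests trying), peer verification left on, and a CA file so that the
# verification has a trust anchor. The CA path is an assumed placeholder.
HARDENED_LDAP_CONF = """\
uri ldaps://10.20.2.165
ssl on
tls_checkpeer yes
TLS_REQCERT demand
tls_cacertfile /etc/opt/ldap/ldap-ca.pem
sudoers_base ou=xxxxx
binddn cn=xxxx
bindpw xxxx
timelimit 30
bind_timelimit 30
"""

# Spellings that switch a boolean option off. tls_checkpeer is a sudo
# option; TLS_REQCERT is the OpenLDAP client-library option whose values
# are never/allow/try/demand.
_OFF = {"no", "off", "false", "0"}


def parse_ldap_conf(text: str) -> Dict[str, str]:
    """Parse 'key value' lines into a dict keyed by the lower-cased option name."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        settings[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return settings


def audit(settings: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (finding_id, explanation) pairs; an empty list means nothing weak was found."""
    findings: List[Tuple[str, str]] = []
    uri = settings.get("uri", "").lower()
    ssl = settings.get("ssl", "off").lower()
    tls_in_use = ssl not in _OFF or uri.startswith("ldaps://")

    if not tls_in_use:
        findings.append(("cleartext",
                         "ssl off with a plain ldap:// URI: the bind DN, bind password "
                         "and sudoers rules cross the network unencrypted"))
        return findings

    # Assumed default when absent: verification on.
    if settings.get("tls_checkpeer", "yes").lower() in _OFF:
        findings.append(("no_peer_check",
                         "tls_checkpeer off: the server certificate is never verified, "
                         "so a host answering in place of the LDAP server can supply "
                         "its own sudoers rules"))
    # Assumed default when absent: demand (the OpenLDAP default).
    reqcert = settings.get("tls_reqcert", "demand").lower()
    if reqcert in ("never", "allow"):
        findings.append(("weak_reqcert",
                         f"TLS_REQCERT {reqcert}: the library proceeds even with a "
                         "missing or bad certificate"))
    if not any(k in settings for k in ("tls_cacertfile", "tls_cacertdir", "tls_cacert")):
        findings.append(("no_ca",
                         "no tls_cacertfile/tls_cacertdir: even with verification on "
                         "there is no trust anchor to validate the server against"))
    return findings


def audit_text(text: str) -> List[Tuple[str, str]]:
    """Convenience wrapper: parse then audit."""
    return audit(parse_ldap_conf(text))


if __name__ == "__main__":
    for label, conf in (("quoted", SAMPLE_LDAP_CONF), ("hardened", HARDENED_LDAP_CONF)):
        print(f"== {label} ==")
        for fid, msg in audit_text(conf) or [("ok", "no weaknesses found")]:
            print(f"  [{fid}] {msg}")
```

Run against the quoted file the script reports three findings (peer check off, `TLS_REQCERT never`, no CA configured); the hardened sample reports none. The root-only `ssl off` configuration from the working run is flagged separately as cleartext, since with a plain ldap:// URI the bind password is sent unencrypted regardless of the TLS options.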