[sudo-users] Sudo LDAP+TLS in 1.7.2
Tony G.
tonysk8 at gmail.com
Mon Sep 20 18:42:27 EDT 2010
Hi Sudo users,
I've been using sudo with LDAP+TLS without issues until today, when some
servers got the update to the package sudo-1.7.2p1-8.el5_5; those were using
sudo-1.6.9p17-5.el5.
In /var/log/messages I got:
sudo: pam_ldap: ldap_starttls_s: Connect error
I went into the changelog http://www.sudo.ws/sudo/stable.html#1.7.2p1 and
found that the section "Major changes between version 1.6.9p19 and 1.7.0:"
showed something that I thought might be the reason for my issue:
Sudo now ignores user .ldaprc files as well as system LDAP defaults. All
LDAP configuration is now in /etc/ldap.conf (or whichever file was specified
by configure's --with-ldap-conf-file option). If you are using TLS, you may
now need to specify:
tls_checkpeer no
in sudo's ldap.conf unless ldap.conf references a valid certificate
authority file(s).
My LDAP config uses the default value of tls_checkpeer, which is *yes*, and
that setting fails with version 1.7.2; if I set tls_checkpeer no, it
works.
Any help is appreciated.
*tls_checkpeer yes*
[test at test ~]$ sudo su -
LDAP Config Summary
===================
uri ldap://ldaptls.example.com
ldap_version 3
sudoers_base ou=SUDOers,dc=example,dc=com
binddn cn=bind,dc=example,dc=com
bindpw mypassword
bind_timelimit 5000
timelimit 15
ssl start_tls
tls_cacertdir /etc/openldap/cacerts
===================
sudo: ldap_initialize(ld, ldap://ldaptls.example.com)
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_set_option: tls_cacertdir -> /etc/openldap/cacerts
sudo: ldap_set_option: timelimit -> 15
sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 5)
sudo: ldap_start_tls_s(): Connect error
[sudo] password for test:
*tls_checkpeer no*
[test at test ~]$ sudo su -
LDAP Config Summary
===================
uri ldap://ldaptls.example.com
ldap_version 3
sudoers_base ou=SUDOers,dc=example,dc=com
binddn cn=binduser,dc=example,dc=com
bindpw mypassword
bind_timelimit 5000
timelimit 15
ssl start_tls
tls_checkpeer (no)
tls_cacertdir /etc/openldap/cacerts
===================
sudo: ldap_initialize(ld, ldap://ldaptls.example.com)
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_set_option: tls_checkpeer -> 0
sudo: ldap_set_option: tls_cacertdir -> /etc/openldap/cacerts
sudo: ldap_set_option: timelimit -> 15
sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 5)
sudo: ldap_start_tls_s() ok
sudo: ldap_sasl_bind_s() ok
sudo: found:cn=defaults,ou=SUDOers,dc=example,dc=com
sudo: ldap sudoOption: '!requiretty'
sudo: ldap sudoOption: '!listpw'
sudo: ldap search '(|(sudoUser=test)(sudoUser=%test)(sudoUser=ALL))'
sudo: found:cn=full_root,ou=SUDOers,dc=example,dc=com
sudo: ldap sudoHost 'ALL' ... MATCH!
sudo: ldap sudoRunAsUser 'ALL' ... MATCH!
sudo: ldap sudoCommand 'ALL' ... MATCH!
sudo: Command allowed
sudo: ldap sudoOption: '!authenticate'
sudo: user_matches=1
sudo: host_matches=1
sudo: sudo_ldap_lookup(0)=0x02
*/etc/ldap.conf*
base dc=example,dc=com
bind_policy soft
bind_timelimit 5
binddn cn=bind,dc=example,dc=com
bindpw mypassword
idle_timelimit 600
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,
pam_password md5
ssl start_tls
timelimit 15
uri ldap://ldaptls.example.com
tls_cacertdir /etc/openldap/cacerts
sudoers_base ou=SUDOers,dc=example,dc=com
*/root/.ldaprc*
tls_cert /etc/openldap/cacerts/cert.pem
tls_key /etc/openldap/cacerts/key.pem
*/etc/openldap/ldap.conf*
uri ldap://127.0.0.1/ ldap://ldaptls.example.com
base dc=example,dc=com
tls_cacert /etc/openldap/cacerts/ca.pem
tls_reqcert demand
timelimit 5
Thanks
--
Tony
http://blog.tonyskapunk.net
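Added example (not from the post above and not sudo's own code): a small Python linter that reads an ldap.conf the way sudo 1.7 does, that is, only the one file, and reports what the posted configuration looks like from sudo's side. It flags the tls_checkpeer no workaround (it turns off server certificate verification, so anyone who can sit between the host and ldaptls.example.com can answer the sudoers lookup with a forged sudoRole), a TLS setup with no CA setting at all, and a tls_cacertdir that holds a plain ca.pem but none of the <hash>.N links OpenSSL looks for; it also lists the tls_* keys that were set in /root/.ldaprc and /etc/openldap/ldap.conf but are missing from /etc/ldap.conf, which is exactly what the quoted changelog says sudo now ignores. The three file contents are copied from the post; the directory listings, the hash file name 7a5e3b2c.0 and the corrected FIXED_CONF (key name tls_cacertfile as in sudoers.ldap(5)) are assumptions made for the example.

```python
"""Lint the LDAP TLS settings that sudo 1.7 will actually use.

Added example, not from the post and not sudo's code. Assumptions:
  * sudo >= 1.7 reads only its own ldap.conf (/etc/ldap.conf by default)
    and ignores ~/.ldaprc and /etc/openldap/ldap.conf (quoted changelog);
  * tls_cacertdir follows OpenSSL's hashed layout, files named <8 hex>.<n>
    as created by c_rehash, which an OpenSSL-linked libldap needs;
  * directory listings and the fixed config below are constructed.
"""
import re

HASHED_NAME = re.compile(r"^[0-9a-f]{8}\.\d+$")
CA_KEYS = ("tls_cacertfile", "tls_cacert", "tls_cacertdir")
FALSE_VALUES = ("no", "off", "false", "0")


def parse_ldap_conf(text):
    """Parse ldap.conf-style 'key value' lines: case-insensitive keys,
    '#' comments, last occurrence of a key wins."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def lint_tls(conf, cacertdir_files=None):
    """Return a list of findings for the effective TLS configuration.
    cacertdir_files is the listing of tls_cacertdir, passed in so the check
    runs offline; None skips that check."""
    uses_tls = (conf.get("ssl", "no").lower() in ("start_tls", "yes", "on", "true")
                or any(u.startswith("ldaps://") for u in conf.get("uri", "").split()))
    if not uses_tls:
        return ["CRITICAL: no TLS configured; bind password and sudoers rules cross the wire in clear"]
    findings = []
    if conf.get("tls_checkpeer", "yes").lower() in FALSE_VALUES:
        findings.append("CRITICAL: tls_checkpeer no disables server certificate verification; "
                        "a MITM on the LDAP path can hand sudo a forged sudoRole")
    if not any(k in conf for k in CA_KEYS):
        findings.append("ERROR: no tls_cacertfile/tls_cacert/tls_cacertdir in this file; "
                        "a CA setting in ~/.ldaprc or /etc/openldap/ldap.conf is ignored by sudo 1.7")
    if "tls_cacertdir" in conf and cacertdir_files is not None:
        if not any(HASHED_NAME.match(name) for name in cacertdir_files):
            findings.append("ERROR: tls_cacertdir %s holds no <hash>.N links, so OpenSSL finds no CA there; "
                            "run c_rehash on it or point tls_cacertfile at the CA file"
                            % conf["tls_cacertdir"])
    return findings


def lost_settings(sudo_conf, *ignored_confs):
    """tls_* keys set in files sudo 1.7 no longer reads but absent from its
    own ldap.conf: the settings that silently disappeared with the upgrade."""
    lost = {}
    for conf in ignored_confs:
        for key, value in conf.items():
            if key.startswith("tls_") and key not in sudo_conf:
                lost[key] = value
    return lost


def lint_text(text, cacertdir_files=None):
    return lint_tls(parse_ldap_conf(text), cacertdir_files)


# /etc/ldap.conf exactly as posted (bindpw is the placeholder from the post).
POSTED_CONF = """\
base dc=example,dc=com
bind_policy soft
bind_timelimit 5
binddn cn=bind,dc=example,dc=com
bindpw mypassword
idle_timelimit 600
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,
pam_password md5
ssl start_tls
timelimit 15
uri ldap://ldaptls.example.com
tls_cacertdir /etc/openldap/cacerts
sudoers_base ou=SUDOers,dc=example,dc=com
"""
# The two files sudo 1.7 ignores, as posted.
LDAPRC = "tls_cert /etc/openldap/cacerts/cert.pem\ntls_key /etc/openldap/cacerts/key.pem\n"
OPENLDAP_CONF = ("uri ldap://127.0.0.1/ ldap://ldaptls.example.com\nbase dc=example,dc=com\n"
                 "tls_cacert /etc/openldap/cacerts/ca.pem\ntls_reqcert demand\ntimelimit 5\n")
# Constructed listing of /etc/openldap/cacerts, inferred from the paths the
# post references: the files are there, but nothing c_rehash would create.
UNHASHED_CACERTS = ["ca.pem", "cert.pem", "key.pem"]
HASHED_CACERTS = UNHASHED_CACERTS + ["7a5e3b2c.0"]   # constructed hash name
WORKAROUND_CONF = POSTED_CONF + "tls_checkpeer no\n"
# Constructed fix: name the CA file in the file sudo reads, and carry the
# client cert/key over from /root/.ldaprc for servers that demand one.
FIXED_CONF = POSTED_CONF.replace(
    "tls_cacertdir /etc/openldap/cacerts\n",
    "tls_cacertfile /etc/openldap/cacerts/ca.pem\n"
    "tls_cert /etc/openldap/cacerts/cert.pem\n"
    "tls_key /etc/openldap/cacerts/key.pem\n")

if __name__ == "__main__":
    print("settings sudo 1.7 no longer sees:",
          lost_settings(parse_ldap_conf(POSTED_CONF), parse_ldap_conf(LDAPRC),
                        parse_ldap_conf(OPENLDAP_CONF)))
    for label, text, files in (("posted", POSTED_CONF, UNHASHED_CACERTS),
                               ("tls_checkpeer no", WORKAROUND_CONF, UNHASHED_CACERTS),
                               ("after c_rehash", POSTED_CONF, HASHED_CACERTS),
                               ("fixed", FIXED_CONF, None)):
        print("[%s]" % label)
        for finding in lint_text(text, files) or ["OK"]:
            print("  " + finding)
```

Run as a script it prints the four cases; on a real host feed it open('/etc/ldap.conf').read() and os.listdir() of the tls_cacertdir instead of the constructed strings. The point of the lost_settings check is that the upgrade did not change sudo's TLS behaviour, it changed which files contribute to it: the CA file name, tls_reqcert demand and the client cert all lived in files sudo no longer reads, so the only CA hint left, tls_cacertdir, has to be in c_rehash form or be replaced by tls_cacertfile. Either of those keeps tls_checkpeer at its default of yes, which is the setting that makes the sudoers lookup trustworthy.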