[sudo-users] LDAP and TLS certificates
David Magda
dmagda at ee.ryerson.ca
Tue Sep 25 09:15:06 MDT 2018
[Please CC as I am not subscribed. Not sure if this is for -users or
-workers.]
Hello,
On my Debian 8 ("jessie") system, I had the following in
/etc/sudo-ldap.conf (which is a link to /etc/ldap/ldap.conf):
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
TLS_REQCERT never
URI ldap://some.IP/
I then changed the "ldap://" to "ldaps://" and got the following output
(debug level 2):
sudo: ldap_sasl_bind_s(): Can't contact LDAP server
I tried going back to "ldap://" and using
SSL start_tls
and got:
sudo: ldap_start_tls_s(): Connect error
After some fiddling, I added:
TLS_CHECKPEER no
and things worked.
So sudoers.ldap(8) [1] mentions TLS_CHECKPEER, but ldap.conf(5) [2]
mentions TLS_REQCERT; the OpenLDAP folks make no mention of the CHECKPEER
[3]. It is a bit confusing given that CHECKPEER seems to be a sudo-ism,
but since "SUDO" is not in the name, it gives the impression that it is a
"universal" option. Ditto for the "SSL", also a sudo-ism. Can a note be
added to each option in the manual page noting it as such?
In general, can sudo(8) check for the presence of "TLS_REQCERT", and if
its value is "never" or "allow", act as if "TLS_CHECKPEER" is "no"? (The
other options are "try" and "demand | hard"; see [2].)
Regards,
David
[1] https://manpages.debian.org/jessie/sudo-ldap/sudoers.ldap.5.en.html
[2] https://manpages.debian.org/jessie/libldap-2.4-2/ldap.conf.5.en.html
[3] https://www.openldap.org/software/man.cgi?query=ldap.conf
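As an added example (not from the original post or the sudo project), a small Python check that parses a sudo-ldap.conf / ldap.conf and flags the settings discussed in the thread: TLS_REQCERT "never"/"allow" (read by libldap), TLS_CHECKPEER "no" (read by sudo), and a plain ldap:// URI without "SSL start_tls". The sample configuration and the 192.0.2.10 address are constructed.

```python
"""Lint sudo LDAP / libldap TLS settings (added example, not sudo code)."""
from urllib.parse import urlsplit

# Constructed sample mirroring the post's working-but-weakened config.
SAMPLE_CONF = """\
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
TLS_REQCERT never
TLS_CHECKPEER no
SSL start_tls
URI ldap://192.0.2.10/
"""

def parse_ldap_conf(text):
    """Return {KEY: value} for 'KEY value' lines; keys are case-insensitive
    in ldap.conf(5) and sudoers.ldap(5), so they are normalised to upper case."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        parts = line.split(None, 1)
        conf[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ''
    return conf

def lint(conf):
    """Return a list of (severity, message) findings for weak TLS settings."""
    findings = []
    uris = conf.get('URI', '').split()
    ssl = conf.get('SSL', '').lower()
    reqcert = conf.get('TLS_REQCERT', 'demand').lower()   # ldap.conf(5) default
    checkpeer = conf.get('TLS_CHECKPEER', '').lower()      # unset: not flagged
    tls_on = ssl in ('on', 'yes', 'true', 'start_tls') or any(
        urlsplit(u).scheme.lower() == 'ldaps' for u in uris)
    for u in uris:
        if urlsplit(u).scheme.lower() == 'ldap' and not tls_on:
            findings.append(('HIGH', f'{u}: no TLS (use ldaps:// or SSL start_tls)'))
    if reqcert in ('never', 'allow'):
        findings.append(('HIGH', f'TLS_REQCERT {reqcert}: libldap accepts unverified server certs'))
    elif reqcert == 'try':
        findings.append(('MEDIUM', 'TLS_REQCERT try: a server presenting no cert is accepted'))
    if checkpeer in ('no', 'off', 'false'):
        findings.append(('HIGH', 'TLS_CHECKPEER no: sudo skips server cert verification'))
    if tls_on and 'TLS_CACERT' not in conf and 'TLS_CACERTDIR' not in conf:
        findings.append(('MEDIUM', 'no TLS_CACERT/TLS_CACERTDIR: cert cannot chain to a trusted CA'))
    return findings

if __name__ == '__main__':
    for sev, msg in lint(parse_ldap_conf(SAMPLE_CONF)):
        print(sev, msg)
```

The sample reports two HIGH findings; the fix the post's author was looking for is TLS_REQCERT demand (or TLS_CHECKPEER yes) with a TLS_CACERT that actually contains the server's issuing CA.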