[sudo-users] Solaris 8 native LDAP libraries and SSL.
Fred Clausen
ftc at evilgeniuses.org.uk
Mon Apr 25 04:30:42 EDT 2005
Hello everyone,
We have been testing Solaris 8 native libraries versus using the
OpenLDAP libraries for compiling an LDAP-aware sudo. Using the native
libraries we can get sudo to work with LDAP but are unable to use SSL.
Also the specification of the host works differently, with native we
have to use the 'HOST' and 'PORT' syntax but with OpenLDAP we use the
'URI' syntax. For the native libs we use the following ./configure:
./configure --with-pam --with-ldap \
--with-ldap-conf-file=/usr/local/etc/ldap.conf \
--with-sysconfdir=/usr/local/etc
When SSL is disabled, sudo works, e.g.:
ldap_bind() ok
found:cn=defaults,ou=SUDOers,dc=example,dc=nl
ldap search
'(|(sudoUser=ftc)(sudoUser=%ftc)(sudoUser=%ftc)(sudoUser=%wheel)(sudoUser=ALL))'
found:cn=%wheel,ou=SUDOers,dc=example,dc=nl
Perfect Matched!
user_matches=-1
host_matches=-1
sudo_ldap_check(0)=0x02
Using the following config file:
host 10.31.12.64
sudoers_base ou=SUDOers,dc=example,dc=nl
sudoers_debug 1
then I enable SSL like so:
# Using uri ldaps://10.31.12.64 makes it query localhost because
# it appears not to understand the 'uri' syntax.
host 10.31.12.64
port 636
ssl yes
sudoers_base ou=SUDOers,dc=example,dc=nl
sudoers_debug 1
TLS_REQCERT allow
tls_checkpeer no
and get the following output:
ldap_simple_bind_s()=81 : Can't contact LDAP server
ftc is not in the sudoers file. This incident will be reported.
When using OpenLDAP, I compile sudo in the following manner:
export LD_LIBRARY_PATH="/usr/local/ssl/lib:/usr/local/openldap-libs-2.2.24/lib" \
&& LDFLAGS="-L /usr/local/openldap-libs-2.2.24/lib -L /usr/local/ssl/lib" \
CPPFLAGS="-I /usr/local/openldap-2.2.24/include" ./configure \
--prefix=/usr/local --with-pam --with-ldap \
--with-ldap-conf-file=/usr/local/etc/ldap.conf \
--sysconfdir=/usr/local/etc
I use the following config file:
uri ldaps://10.31.12.64
sudoers_base ou=SUDOers,dc=example,dc=nl
sudoers_debug 1
TLS_REQCERT allow
tls_checkpeer no
ldd confirms that the correct libraries are being used. When I use sudo I get the following
debug output:
ldap_bind() ok
found:cn=defaults,ou=SUDOers,dc=example,dc=nl
ldap search
'(|(sudoUser=ftc)(sudoUser=%ftc)(sudoUser=%ftc)(sudoUser=%wheel)(sudoUser=ALL))'
found:cn=%wheel,ou=SUDOers,dc=example,dc=nl
Perfect Matched!
user_matches=-1
host_matches=-1
sudo_ldap_check(0)=0x02
and it works as expected using SSL.
The following table summarises (hopefully it remains
intact in everybody's mail client):
------------------------------------------------------------
| Library  | SSL | Server Specification | SSL Port Syntax  |
------------------------------------------------------------
| Native   | NO  | HOST hostname        | PORT 636         |
| OpenLDAP | YES | ldap://hostname      | ldaps://hostname |
------------------------------------------------------------
We have successfully configured the system for authentication and
authorisation using the native libraries speaking SSL enabled LDAP to an
OpenLDAP server. Users can log in just fine. This was done using the
following site as a guide:
http://web.singnet.com.sg/~garyttt/Installing%20and%20configuring%20OpenLDAP%20for%20Solaris9.htm
If anyone has any hints as to how to get Sudo and native LDAP libs to
work together with SSL, it would be much appreciated.
Regards,
Fred.
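As an added example (not from Fred's message or from the sudo project), the following Python audits a sudo ldap.conf written in either of the two syntaxes compared above (HOST/PORT with `ssl yes`, or `uri ldaps://`) and reports whether the directory connection is encrypted and whether the server certificate is actually verified. The two sample configurations are taken from the post; the hardened variant and its CA file path are constructed.

```python
import re

def parse_ldap_conf(text):
    """Return {lowercase key: value}; '#' lines are comments, a repeated key keeps its last value."""
    conf = {}
    for line in (l.strip() for l in text.splitlines()):
        if line and not line.startswith("#"):
            parts = re.split(r"\s+", line, maxsplit=1)
            conf[parts[0].lower()] = parts[1] if len(parts) > 1 else ""
    return conf

def assess_tls(conf):
    """Classify the transport and list settings that weaken server certificate checking."""
    findings, ssl = [], conf.get("ssl", "").lower()
    if conf.get("uri", "").lower().startswith("ldaps://"):
        transport = "ldaps"          # URI syntax: the scheme selects LDAP-over-SSL
    elif ssl in ("yes", "true", "on"):
        transport = "ldaps"          # host/port syntax: 'ssl yes' plus the SSL port
        if conf.get("port") != "636":
            findings.append("ssl yes without 'port 636': confirm the listener port")
    elif ssl == "start_tls":
        transport = "starttls"
    else:
        transport = "plain"
        findings.append("no TLS: binds and sudoers lookups cross the network in cleartext")
    weak_cert = False
    if conf.get("tls_checkpeer", "").lower() in ("no", "false", "off"):
        weak_cert = True
        findings.append("tls_checkpeer no: the server certificate is never verified")
    if conf.get("tls_reqcert", "").lower() in ("never", "allow", "try"):
        weak_cert = True
        findings.append("TLS_REQCERT %s: a valid server certificate is not required" % conf["tls_reqcert"])
    return {"transport": transport, "verify_peer": transport != "plain" and not weak_cert, "findings": findings}

# Sample inputs: the two configurations from the post, plus a constructed hardened variant.
NATIVE_CONF = "host 10.31.12.64\nport 636\nssl yes\nsudoers_base ou=SUDOers,dc=example,dc=nl\nTLS_REQCERT allow\ntls_checkpeer no\n"
OPENLDAP_CONF = "uri ldaps://10.31.12.64\nsudoers_base ou=SUDOers,dc=example,dc=nl\nTLS_REQCERT allow\ntls_checkpeer no\n"
HARDENED_CONF = ("# constructed: same server, certificate checking left on (CA path is a placeholder)\n"
                 "uri ldaps://10.31.12.64\nsudoers_base ou=SUDOers,dc=example,dc=nl\n"
                 "tls_checkpeer yes\nTLS_REQCERT demand\ntls_cacertfile /usr/local/etc/ldap-ca.pem\n")

if __name__ == "__main__":
    for name, text in (("native", NATIVE_CONF), ("openldap", OPENLDAP_CONF), ("hardened", HARDENED_CONF)):
        print(name, assess_tls(parse_ldap_conf(text)))
```

Both configurations from the post come out as encrypted but unverified, since `tls_checkpeer no` and `TLS_REQCERT allow` together accept any certificate the server presents.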