[sudo-users] Solaris 8 native LDAP libraries and SSL.

Fred Clausen ftc at evilgeniuses.org.uk
Mon May 2 09:12:09 EDT 2005


Hello again all,

Aaron Spangler wrote:
> Fred,  Let us know if the patch turns on SSL.  Sun had promised me a
> long time ago that their SSL patch would be equivalent to Solaris 9's
> LDAP + SSL implementation.  I have not had a chance to verify it
> though.


Sorry to take so long to respond, but I have had a chance to test this now. I can't
actually see any difference in behaviour after patch 108993-45 is installed;
it works with non-SSL on port 389 using the "host" syntax but otherwise not.

As I see it, compiling sudo with the native LDAP libs will make sudo use the
/var/ldap/ldap_client_file configuration for authenticating users, which
appears to be working with SSL as authenticating a user is simply passed
onto PAM.

However, using ldap.conf for looking up group membership, sudoUsers and
the various options does not work when I specify the SSL port and use
"ssl on" in ldap.conf. Interestingly, the information sent to port 636
appears to be encrypted.

I am not sure how Sudo uses the native libs, maybe it is sending information
to the LDAP functions in the native libs that only OpenLDAP understands? That
might explain why the "URI" syntax does not work and it defaults to localhost.

The proper SSL support may now be present in the native libs but I am not sure
how to take advantage of it.

Thanks again,

Fred.
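The two ldap.conf forms discussed in the post, written out as an added example that is not from the original message or from the sudo project: the "host"/port form that the post reports working only on 389 without SSL, alongside the "uri" form. The hostname, sudoers base DN and CA certificate path are placeholders. Whether "uri" and the tls_* keys are honoured depends on the sudo version and on which LDAP library sudo was linked against (native Solaris libs versus OpenLDAP), which is the uncertainty the post describes.

```conf
# /etc/ldap.conf fragment for sudo's LDAP sudoers lookup (added example).
# Hostname, base DN and certificate path below are placeholders.

# Form 1: "host" syntax. The post reports this working on 389 without SSL,
# and encrypted traffic to 636 but no successful lookup with "ssl on".
host          ldap.example.org
port          636
ssl           on
sudoers_base  ou=SUDOers,dc=example,dc=org

# Form 2: "uri" syntax, which names the scheme (ldaps://) explicitly instead
# of combining a port number with "ssl on". The post notes that with the
# native libs this form fell back to localhost, so only one form should be
# active at a time; this one is commented out.
# uri           ldaps://ldap.example.org:636/
# sudoers_base  ou=SUDOers,dc=example,dc=org

# Whichever form works: seeing encrypted bytes on port 636 only shows
# confidentiality. Verify the directory server's certificate so that sudoers
# rules are not fetched from an impersonating server. Path is a placeholder.
tls_checkpeer   yes
tls_cacertfile  /etc/ssl/certs/example-ca.pem
```

A quick check after editing the file is to run "sudo -l" as a user whose rules exist only in the directory: if the sudoUser entries under sudoers_base are listed, the lookup path (not just PAM authentication) is going over the configured connection, and a packet capture on the port in use confirms whether that path is the encrypted one.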