[sudo-users] sudo SSL Solaris

Macleod, Paul paul.macleod at eds.com
Wed Jun 14 09:35:07 EDT 2006

Hi B,

Short answer as I worked on this exact problem circa this time last year
in a proof of concept I was engaged in.

It's not possible.

The APIs within sudo to request an SSL connection are not available to
native Solaris.  I got around this by using the Mozilla SDK and some
code amendments to the ldap.c module.

These I submitted last year, but I believe nothing was followed through
on.

-----Original Message-----
From: sudo-users-bounces at courtesan.com
[mailto:sudo-users-bounces at courtesan.com] On Behalf Of
Beate.Kleymann at HVBIS.com
Sent: 14 June 2006 13:31
To: sudo-users at sudo.ws
Subject: [sudo-users] sudo SSL Solaris

Hello !

I try to get sudo with pam and ldap support plus ssl working.
We have Solaris 8 and 9 native clients.
Users authenticate using Sun One Directory Server 5.2

Next we would like to migrate our sudoers information into the Directory

I was able to compile sudo-1.6.8p8 with ldap and pam support:
# ./configure --with-ldap=/usr --with-pam

Everything works fine as long as I don't use SSL.
If I turn on SSL in the /etc/ldap.conf sudo will not work any more.

I tried different entries in the ldap.conf
bash-2.05$ more /etc/ldap.conf 
host ldaptest.intranet.hypovereinsbank.de
port 636
sudoers_base ou=sudoers,dc=tsy2,dc=hvb,dc=de
binddn uid=XXXXXX,ou=People,dc=hvb,dc=de
bindpw XXXXXX
tls_checkpeer yes
tls_cacertdir /var/ldap
#tls_cert /var/ldap/cert7.db
#tls_key /var/ldap/key3.db
sudoers_debug 2

Using SSL, sudo will hang. It is not reading the SSL parameters
from the ldap.conf file.

bash-2.05$ ./sudo /usr/sbin/ifconfig -a
LDAP Config Summary
host         ldaptest.intranet.hypovereinsbank.de
port         636
ldap_version 3
sudoers_base ou=sudoers,dc=tsy2,dc=hvb,dc=de
binddn       uid=XXXXXX,ou=People,dc=hvb,dc=de
bindpw       XXXXXX

libs used:
bash-2.05$ ldd ./sudo
        libpam.so.1 =>   /usr/lib/libpam.so.1
        libdl.so.1 =>    /usr/lib/libdl.so.1
        libldap.so.5 =>  /usr/lib/libldap.so.5
        libsocket.so.1 =>        /usr/lib/libsocket.so.1
        libnsl.so.1 =>   /usr/lib/libnsl.so.1
        libc.so.1 =>     /usr/lib/libc.so.1
        libcmd.so.1 =>   /usr/lib/libcmd.so.1
        librt.so.1 =>    /usr/lib/librt.so.1
        libmd5.so.1 =>   /usr/lib/libmd5.so.1
        libmp.so.2 =>    /usr/lib/libmp.so.2
        libaio.so.1 =>   /usr/lib/libaio.so.1

I tried to find a solution in the mailing list archive, but I'm still
not sure if it is possible to use SSL with native solaris ldap clients
or not.
Security is very strict and I'm afraid we are not allowed to transfer
sudo entries over the network without using SSL.
I'm quite familiar with the Directory Server but I don't have enough
knowledge of how sudo works.

Your help would be much appreciated.

Best Regards,
