[sudo-users] sudo SSL Solaris

Macleod, Paul paul.macleod at eds.com
Wed Jun 14 09:35:07 EDT 2006 

Hi B,

Short answer as I worked on this exact problem circa this time last year
in a proof of concept I was engaged in.

It's not possible.

The API's within sudo to request an SSL connection are not available to
native solaris.  I got around this by using the mozilla sdk and some
code amendments to the ldap.c module.

These I submitted last year, but believe nothing was followed through
with it.

Regards,

-P.


-----Original Message-----
From: sudo-users-bounces at courtesan.com
[mailto:sudo-users-bounces at courtesan.com] On Behalf Of
Beate.Kleymann at HVBIS.com
Sent: 14 June 2006 13:31
To: sudo-users at sudo.ws
Subject: [sudo-users] sudo SSL Solaris


Hello !

I try to get sudo with pam and ldap support plus ssl working.
We have Solaris 8 and 9 native clients.
Users authenticate using Sun One Directory Server 5.2

Next we would like to migrate our sudoers information into the Directory
Server.

I was able to compile sudo-1.6.8p8 with ldap and pam support:
# ./configure --with-ldap=/usr --with-pam

Everything works fine as long as I don't use SSL.
If I turn on SSL in the /etc/ldap.conf sudo will not work any more.

I tried different Entries in the ldap.conf
bash-2.05$ more /etc/ldap.conf 
host ldaptest.intranet.hypovereinsbank.de
port 636
sudoers_base ou=sudoers,dc=tsy2,dc=hvb,dc=de
binddn uid=XXXXXX,ou=People,dc=hvb,dc=de
bindpw XXXXXX
TLS_REQCERT allow
tls_checkpeer yes
tls_cacertdir /var/ldap
#tls_cert /var/ldap/cert7.db
#tls_key /var/ldap/key3.db
sudoers_debug 2

Using SSL the sudo will hang. It is not reading out the SSL Parameters
from the ldap.conf file.

bash-2.05$ ./sudo /usr/sbin/ifconfig -a
LDAP Config Summary
===================
host         ldaptest.intranet.hypovereinsbank.de
port         636
ldap_version 3
sudoers_base ou=sudoers,dc=tsy2,dc=hvb,dc=de
binddn       uid=XXXXXX,ou=People,dc=hvb,dc=de
bindpw       XXXXXX
===================
ldap_init(ldaptest.intranet.hypovereinsbank.de,636)
ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,0x03)

libs used:
bash-2.05$ ldd ./sudo
        libpam.so.1 =>   /usr/lib/libpam.so.1
        libdl.so.1 =>    /usr/lib/libdl.so.1
        libldap.so.5 =>  /usr/lib/libldap.so.5
        libsocket.so.1 =>        /usr/lib/libsocket.so.1
        libnsl.so.1 =>   /usr/lib/libnsl.so.1
        libc.so.1 =>     /usr/lib/libc.so.1
        libcmd.so.1 =>   /usr/lib/libcmd.so.1
        librt.so.1 =>    /usr/lib/librt.so.1
        libmd5.so.1 =>   /usr/lib/libmd5.so.1
        libmp.so.2 =>    /usr/lib/libmp.so.2
        libaio.so.1 =>   /usr/lib/libaio.so.1
        /usr/platform/SUNW,Ultra-5_10/lib/libc_psr.so.1
        /usr/platform/SUNW,Ultra-5_10/lib/libmd5_psr.so.1


I tried to find a solution in the mailing list archive, but I'm still
not sure if it is possible to use SSL with native solaris ldap clients
or not.
Security is very strikt and I'm afraid we are not allowed to transfer
sudo entries over the network without using SSL.
I'm quite familiar with the Directory Server but I don't have enough
knowledge how sudo works.

Your help would be much appreciated.

Best Regards,
Beate


____________________________________________________________ 
sudo-users mailing list <sudo-users at sudo.ws>
For list information, options, or to unsubscribe, visit:
http://www.sudo.ws/mailman/listinfo/sudo-users

More information about the sudo-users mailing list