[sudo-users] Problem with Sudo-LDAP

Huibert.Kivits at mail.ing.nl Huibert.Kivits at mail.ing.nl
Thu Mar 23 11:03:54 EST 2006


Hi Jayson,

In the LDAP Config Summary, it says:
ssl	(no)
Whereas later, you mention that LDAPS is used.
That sounds a bit like a contradiction.

Is SSL/LDAPS used succesfully if a user logs into these systems? If that's the case, encryption should work.

You might consider turning off SSL for SUDO traffic. It's nice, but AFAIK, only the LDAP client connection sends passwords, not the SUDO client connection.

At my company, SSL is used for encrypting the LDAP client connection (for user authentication), not for the sudo connection.

BTW: do not exclude the possibility that it's just a bug in your software. On Solaris 8 for example, it took numerous updates and fixes before the LDAP client finally supported SSL correctly. You may want to check with your supplier, if you're sure there's no mistake in your configuration.

Met vriendelijke groeten / With kind regards / Mit freundlichen Grüßen / Med vänliga hälsningar / nuosirdziausi linkejimai,


Huibert Kivits
ING

"...all too often, when organizations develop information security programs, they treat security issues as a simple 'check-box' on the list of required corporate functions."
Richard Forno & Kenneth R van Wyk, "Incident Response", O'Reilly, 2001, ISBN: 0-596-00130-4



-----Oorspronkelijk bericht-----
Van: sudo-users-bounces at courtesan.com [mailto:sudo-users-bounces at courtesan.com] Namens Jayson Henkel
Verzonden: dinsdag 21 maart 2006 17:15
Aan: sudo-users at sudo.ws
Onderwerp: [sudo-users] Problem with Sudo-LDAP



        I'm currently
        trying to implement the sudo-ldap modification to sudo. This
        will be a
        big benefit to myself. However, I am having some difficulties
        implementing it.
        
        I have turned debugging on and get the following information
        when I run
        sudo from root:
        
        LDAP Config Summary
        ===================
        uri          ldaps://ldap.sterlingcrane.ca
        ldaps://ldap2.sterlingcrane.ca
        ldap_version 3
        sudoers_base ou=sudoers,ou=roles,dc=sterlingcrane,dc=ca
        binddn       (anonymous)
        bindpw       (anonymous)
        ssl          (no)
        ===================
        ldap_initialize(ld,ldaps://ldap.sterlingcrane.ca
        ldaps://ldap2.sterlingcrane.ca)
        ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,0x03)
        ldap_simple_bind_s()=81 : Can't contact LDAP server
        usage: sudo -K | -L | -V | -h | -k | -l | -v
        usage: sudo [-HPSb] [-p prompt] [-u username|#uid]
                    { -e file [...] | -i | -s | <command> }
        
        
        
        When I run it from a normal user I receive the following.
        jhenkel at ruto:/usr/share/doc/sudo-ldap$ sudo passwd foo
        sudo: uid 1039 does not exist in the passwd file!
        jhenkel at ruto:/usr/share/doc/sudo-ldap$ sendmail: fatal: no login
        name
        found for user ID 1039
        
        
        
        However, please review the following:
        
        jhenkel at ruto:/usr/share/doc/sudo-ldap$ getent passwd 1039
        jhenkel:x:1039:1000:Jayson Henkel:/home/jhenkel:/bin/bash
        
        Keep in mind, all my user information is in ldap and no files
        are local,
        therefor ldap is working. See below for examples of both TLS and
        LDAPS
        
        jhenkel at ruto:/usr/share/doc/sudo-ldap$ ldapsearch -x -ZZ  -h
        ldap.sterlingcrane.ca uid=jhenkel dn
        # extended LDIF
        #
        # LDAPv3
        # base <> with scope sub
        # filter: uid=jhenkel
        # requesting: dn
        #
        
        # jhenkel, staff, people, sterlingcrane.ca
        dn: uid=jhenkel,ou=staff,ou=people,dc=sterlingcrane,dc=ca
        
        # search result
        search: 3
        result: 0 Success
        
        # numResponses: 2
        # numEntries: 1
        jhenkel at ruto:/usr/share/doc/sudo-ldap$ ldapsearch -x -H
        ldaps://ldap.sterlingcrane.ca uid=jhenkel dn
        # extended LDIF
        #
        # LDAPv3
        # base <> with scope sub
        # filter: uid=jhenkel
        # requesting: dn
        #
        
        # jhenkel, staff, people, sterlingcrane.ca
        dn: uid=jhenkel,ou=staff,ou=people,dc=sterlingcrane,dc=ca
        
        # search result
        search: 2
        result: 0 Success
        
        # numResponses: 2
        # numEntries: 1
        jhenkel at ruto:/usr/share/doc/sudo-ldap$
        
        
        When I sniff traffic on the ldap interface, I can clearly see
        that when
        I type sudo that ldap traffic is generated on the ldaps (636)
        port.
        
        
        Here's my ldap.conf too in case it helps.
        
        
        
        BASE    dc=sterlingcrane,dc=ca
        URI     ldaps://ldap.sterlingcrane.ca
        ldaps://ldap2.sterlingcrane.ca
        #URI    ldap://localhost
        TLS_CACERT /etc/ssl/certs/CA.crt
        #TLS_REQCERT allow
        
        #SIZELIMIT      12
        #TIMELIMIT      15
        #DEREF          never
        
        #SUDO Control
        sudoers_base   ou=sudoers,ou=roles,dc=sterlingcrane,dc=ca
        sudoers_debug 2
        
        
        
        
        Can you offer any advice on how to resolve this?
        Thanks in advance..
-- 
Regards,

Jayson D. Henkel
Systems Manager

(Tel:  +1 (780) 440-4434)
(Fax:  +1 (780) 440-1951)
(Cell: +1 (780) 886-8941)
(E-Mail: jhenkel at sterlingcrane.com)

Sterling Crane
P.O. Box 8610. Station South
Edmonton, Alberta
Canada. T6E 6R2

------------------------------------------------------------------------
The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. If you are not the intended recipient of this message you are hereby notified that any use, review, retransmission , dissemination,distribution, reproduction or any action taken in reliance upon this message is prohibited. If you received this in error, please contact the sender and delete the material from any computer. Any views expressed in this message are those of the individual sender and may not necessarily reflect the views of the company.



____________________________________________________________ 
sudo-users mailing list <sudo-users at sudo.ws>
For list information, options, or to unsubscribe, visit: http://www.sudo.ws/mailman/listinfo/sudo-users
-----------------------------------------------------------------
ATTENTION:
The information in this electronic mail message is private and
confidential, and only intended for the addressee. Should you
receive this message by mistake, you are hereby notified that
any disclosure, reproduction, distribution or use of this
message is strictly prohibited. Please inform the sender by
reply transmission and delete the message without copying or
opening it.

Messages and attachments are scanned for all viruses known.
If this message contains password-protected attachments, the
files have NOT been scanned for viruses by the ING mail domain.
Always scan attachments before opening them.
-----------------------------------------------------------------





More information about the sudo-users mailing list