[sudo-users] sudo 1.7.1 with pam, ldap and SSL on solaris 10: need help
M. Fija
fija00 at gmail.com
Wed May 27 13:14:36 EDT 2009
Hello,
I've compiled sudo-1.7.1 on Solaris 10 with PAM and (Solaris native) LDAP
support.
And sudo was built without errors and works as expected when using ldap but
fails with ldaps:
> sudo -l
LDAP Config Summary
===================
uri ldap://myldapserver
ldap_version 3
sudoers_base ou=sudoers,dc=example,dc=fr
binddn cn=host1,ou=systems,dc=example,dc=fr
bindpw host1pwd
ssl on
tls_checkpeer (yes)
tls_certfile /var/ldap/cert8.db
===================
sudo: ldapssl_clientauth_init(/var/ldap/cert8.db, NULL)
sudo: unable to initialize SSL cert and key db: security library: bad
database.
sudo: unable to initialize LDAP: Unknown error
Password:
Sudo was built with the following command:
CC="gcc -static-libgcc" ./configure \
--prefix=/usr \
--exec-prefix=/usr \
--sysconfdir=/etc \
--localstatedir=/var \
--datarootdir=/usr/share \
--with-logging=syslog --with-logfac=authpriv \
--with-editor=/usr/bin/vi --with-env-editor \
--with-ignore-dot --with-tty-tickets \
--with-pam --with-nsswitch \
--with-ldap \
--with-ldap-conf-file=/etc/ldap.conf \
--with-ldap-secret-file=/etc/ldap.secret
Here is my /etc/ldap.conf:
uri ldap://myldapserver
base dc=example,dc=fr
sudoers_base ou=sudoers,dc=example,dc=fr
binddn cn=host1,ou=systems,dc=example,dc=fr
bindpw host1pwd
tls_checkpeer yes
ssl on
#tls_cacertfile /var/ldap/cert8.db
tls_cert /var/ldap/cert8.db
#tls_key /var/ldap/key3.db
sudoers_debug 2
The file /var/ldap/cert8.db was created for the Solaris LDAP client with the
/usr/sfw/bin/certutil command.
On the LDAP server side (openldap 2.3/Redhat ES3), TLS parameters are:
TLSCACertificateFile /etc/ssl/certs/CAcerts.pem
TLSCertificateFile /etc/ssl/private/myldapserver.crt
TLSCertificateKeyFile /etc/ssl/private/myldapserver.key
TLSVerifyClient never
TLSCipherSuite SSLv3
It seems there is no problem with PAM, as I can see connection and search
operations honored successfully by the LDAP server.
Thanks for any help.
Fija
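An added example, not part of the post or of the sudo project: a small POSIX shell checker that reads a sudo-style ldap.conf like the one quoted above and reports the TLS and credential settings that matter for an ldaps sudoers lookup. It runs here against a constructed copy of the posted configuration; the tls_* path check only tests local readability, and the bindpw and sudoers_debug warnings follow from the LDAP Config Summary shown in the post, which echoes the bind password at debug level.

```shell
# Constructed sample ldap.conf modelled on the one quoted in the post (not the poster's file).
SAMPLE_CONF="${TMPDIR:-/tmp}/sudo-ldap-check-sample.conf"
cat > "$SAMPLE_CONF" <<'EOF'
uri ldap://myldapserver
base dc=example,dc=fr
sudoers_base ou=sudoers,dc=example,dc=fr
binddn cn=host1,ou=systems,dc=example,dc=fr
bindpw host1pwd
tls_checkpeer yes
ssl on
#tls_cacertfile /var/ldap/cert8.db
tls_cert /var/ldap/cert8.db
#tls_key /var/ldap/key3.db
sudoers_debug 2
EOF
# conf_get FILE KEY: value of the first active (non-comment) KEY line, key matched
# case-insensitively; prints nothing when the key is absent or commented out.
conf_get() {
  key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  awk -v key="$key" '$0 !~ /^[ \t]*#/ && tolower($1) == key { print $2; exit }' "$1"
}

# check_sudo_ldap_conf FILE: one OK/WARN/INFO line per TLS or credential setting
# that matters for an ldaps sudoers lookup.
check_sudo_ldap_conf() {
  f=$1; uri=$(conf_get "$f" uri); ssl=$(conf_get "$f" ssl)
  case "$ssl" in
    on|true|yes) echo "OK: ssl $ssl, TLS from the first byte (uri is $uri)" ;;
    start_tls)   echo "OK: ssl start_tls, TLS negotiated after connect (uri is $uri)" ;;
    *)           echo "WARN: ssl not enabled; bind credentials and sudoers lookups cross the wire in clear text" ;;
  esac
  case "$(conf_get "$f" tls_checkpeer)" in
    yes|true|on) echo "OK: tls_checkpeer on, the server certificate is verified" ;;
    *)           echo "WARN: tls_checkpeer off, the server's identity is not verified" ;;
  esac
  for k in tls_cacertfile tls_cert tls_key; do
    p=$(conf_get "$f" "$k")
    if [ -z "$p" ]; then echo "INFO: $k not set"
    elif [ -r "$p" ]; then echo "OK: $k $p is readable"
    else echo "WARN: $k $p is not readable from here (check the path and its permissions)"
    fi
  done
  [ -n "$(conf_get "$f" bindpw)" ] && echo "WARN: bindpw is in $f; with --with-ldap-secret-file it can live in the root-only secret file instead"
  dbg=$(conf_get "$f" sudoers_debug)
  [ "${dbg:-0}" -gt 0 ] && echo "WARN: sudoers_debug $dbg prints the config summary, bindpw included, to the terminal"
  return 0
}

check_sudo_ldap_conf "$SAMPLE_CONF"
```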