[sudo-users] sudo 1.7.1 with pam, ldap and SSL on solaris 10: need help

M. Fija fija00 at gmail.com
Wed May 27 13:14:36 EDT 2009


Hello,

I've compiled sudo-1.7.1 on Solaris 10 with PAM and (solaris native) LDAP
support.
And sudo was built without errors and works as expected when using ldap but
fails with ldaps:

> sudo -l
LDAP Config Summary
===================
uri              ldap://myldapserver
ldap_version     3
sudoers_base     ou=sudoers,dc=example,dc=fr
binddn           cn=host1,ou=systems,dc=example,dc=fr
bindpw           host1pwd
ssl              on
tls_checkpeer    (yes)
tls_certfile     /var/ldap/cert8.db
===================
sudo: ldapssl_clientauth_init(/var/ldap/cert8.db, NULL)
sudo: unable to initialize SSL cert and key db: security library: bad database.
sudo: unable to initialize LDAP: Unknown error
Password:


Sudo was built with the following command:
CC="gcc -static-libgcc" ./configure \
        --prefix=/usr \
        --exec-prefix=/usr \
        --sysconfdir=/etc \
        --localstatedir=/var \
        --datarootdir=/usr/share \
        --with-logging=syslog --with-logfac=authpriv \
        --with-editor=/usr/bin/vi --with-env-editor \
        --with-ignore-dot --with-tty-tickets \
        --with-pam --with-nsswitch \
        --with-ldap \
        --with-ldap-conf-file=/etc/ldap.conf \
        --with-ldap-secret-file=/etc/ldap.secret

Here is my /etc/ldap.conf:

uri             ldap://myldapserver
base            dc=example,dc=fr
sudoers_base    ou=sudoers,dc=example,dc=fr
binddn          cn=host1,ou=systems,dc=example,dc=fr
bindpw          host1pwd
tls_checkpeer   yes
ssl             on
#tls_cacertfile  /var/ldap/cert8.db
tls_cert        /var/ldap/cert8.db
#tls_key                /var/ldap/key3.db
sudoers_debug 2

The file /var/ldap/cert8.db was created for the solaris ldap client with
/usr/sfw/bin/certutil command.
On the LDAP server side (openldap 2.3/Redhat ES3), TLS parameters are:

TLSCACertificateFile    /etc/ssl/certs/CAcerts.pem
TLSCertificateFile      /etc/ssl/private/myldapserver.crt
TLSCertificateKeyFile   /etc/ssl/private/myldapserver.key
TLSVerifyClient         never
TLSCipherSuite          SSLv3

It seems there is no problem with PAM, as I can see connection and search
operations honored successfully by the LDAP server.

Thanks for any help.

Fija
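An added check, not part of Fija's post and not code from sudo or OpenLDAP: a small offline linter over the two configuration fragments quoted above. It does not diagnose the cert8.db "bad database" error itself; it flags the surrounding settings a reviewer would raise before this box goes to production: the bind password living in the normally world-readable ldap.conf rather than the ldap.secret file sudo was configured with, sudoers_debug echoing that password to the terminal (visible in the pasted Config Summary), and the server's TLSCipherSuite of SSLv3, which as an OpenSSL cipher string admits RC4 and single-DES suites. The sample texts are reconstructed from the post, the finding codes and messages are my own, and the trust-store check assumes sudo's documented behaviour that OpenLDAP builds take a CA bundle via tls_cacert* while Netscape-derived builds use the certificate database named by tls_cert.

```python
"""Offline lint of the sudo ldap.conf and slapd TLS directives quoted above.
Added example, not code from sudo or OpenLDAP: the two sample texts are
reconstructed from the post; the finding codes and messages are my own."""
import os
import re
import stat
from typing import Dict, List, Tuple

Finding = Tuple[str, str]  # (code, message)

# Constructed sample: the client /etc/ldap.conf as posted.
LDAP_CONF_SAMPLE = """\
uri             ldap://myldapserver
base            dc=example,dc=fr
sudoers_base    ou=sudoers,dc=example,dc=fr
binddn          cn=host1,ou=systems,dc=example,dc=fr
bindpw          host1pwd
tls_checkpeer   yes
ssl             on
#tls_cacertfile  /var/ldap/cert8.db
tls_cert        /var/ldap/cert8.db
#tls_key                /var/ldap/key3.db
sudoers_debug 2
"""

# Constructed sample: the server-side TLS directives as posted.
SLAPD_TLS_SAMPLE = """\
TLSCACertificateFile    /etc/ssl/certs/CAcerts.pem
TLSCertificateFile      /etc/ssl/private/myldapserver.crt
TLSCertificateKeyFile   /etc/ssl/private/myldapserver.key
TLSVerifyClient         never
TLSCipherSuite          SSLv3
"""

# OpenSSL cipher-string tokens that pull in export, single-DES, RC4 or NULL suites.
WEAK_CIPHER_TOKENS = {"sslv2", "sslv3", "all", "complementofall", "low",
                      "export", "exp", "rc4", "des", "null", "anull", "enull"}

def parse_conf(text: str) -> Dict[str, str]:
    """'key value' lines, '#' comments, case-insensitive keys, last one wins."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            parts = line.split(None, 1)
            conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf

def lint_client(conf: Dict[str, str]) -> List[Finding]:
    """Settings in the sudo LDAP client config a reviewer would raise."""
    findings: List[Finding] = []
    if "bindpw" in conf:
        findings.append(("bindpw-in-conf", "bindpw is in the normally world-readable "
                         "ldap.conf; with --with-ldap-secret-file it belongs only in "
                         "that file (root-owned, mode 0600)"))
    if conf.get("sudoers_debug", "0").strip() not in {"", "0"}:
        findings.append(("debug-prints-bindpw", "sudoers_debug is on: the LDAP Config "
                         "Summary echoes bindpw to the terminal; unset it afterwards"))
    trust_keys = ("tls_cacertfile", "tls_cacert", "tls_cacertdir", "tls_cert")
    if (conf.get("tls_checkpeer", "no").lower() in {"on", "yes", "true"}
            and not any(k in conf for k in trust_keys)):
        findings.append(("checkpeer-no-trust-store", "tls_checkpeer is on but no CA "
                         "bundle/dir (OpenLDAP) or cert database (Netscape-derived SDK, "
                         "via tls_cert) is configured, so peer checking has no anchor"))
    return findings

def lint_server(conf: Dict[str, str]) -> List[Finding]:
    """Settings in slapd's TLS* directives a reviewer would raise."""
    tokens = [t for t in re.split(r"[:,\s]+", conf.get("tlsciphersuite", "")) if t]
    weak = [t for t in tokens if not t.startswith(("!", "-"))
            and t.lower() in WEAK_CIPHER_TOKENS]  # negated tokens remove suites
    if not weak:
        return []
    return [("weak-ciphersuite", f"TLSCipherSuite tokens {weak} admit weak suites; "
             "use an explicit list such as HIGH:!aNULL:!MD5:!RC4")]

def lint_secret_stat(mode: int, uid: int, path: str = "/etc/ldap.secret") -> List[Finding]:
    """The file holding bindpw must be root-owned and readable by root only."""
    findings: List[Finding] = []
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(("secret-file-perms",
                         f"{path} is mode {stat.S_IMODE(mode):04o}; use 0600"))
    if uid != 0:
        findings.append(("secret-file-owner", f"{path} is not owned by root"))
    return findings

def check_secret_file(path: str = "/etc/ldap.secret") -> List[Finding]:
    """Run the secret-file checks against a real file on this host."""
    try:
        st = os.stat(path)
    except OSError as exc:
        return [("secret-file-unreadable", f"{path}: {exc.strerror}")]
    return lint_secret_stat(st.st_mode, st.st_uid, path)

if __name__ == "__main__":
    reports = [("client", lint_client(parse_conf(LDAP_CONF_SAMPLE))),
               ("server", lint_server(parse_conf(SLAPD_TLS_SAMPLE))),
               ("secret", check_secret_file())]
    for side, found in reports:
        for code, message in found:
            print(f"[{side}] {code}: {message}")
```

Run as-is it lints the two reconstructed samples and whatever /etc/ldap.secret exists on the host; paste the real files into the sample strings, or read them with open(), to lint a live system. The cipher check is deliberately token-based rather than a full OpenSSL cipher-string evaluator, so a token like ALL is flagged even when later negations remove the weak suites; treat it as a prompt to write the explicit list.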
