[sudo-users] sudo 1.7.1 with pam, ldap and SSL on solaris 10: need help

M. Fija fija00 at gmail.com
Thu May 28 08:42:56 EDT 2009


Hello,

tls_checkpeer is enabled in /etc/ldap.conf, but the result is the same if it
is disabled.
The /var/ldap/cert8.db file is used by the Solaris LDAP client and I can use it
with the ldapsearch command:

$ ldapsearch -v -Z -P /var/ldap/cert8.db -h myldapserver -p 636 -s base -b "" 'objectclass=*'
ldapsearch: started Thu May 28 14:23:39 2009

ldap_init( myldapserver, 636 )
filter pattern: objectclass=*
returning: ALL
filter is: (objectclass=*)
version: 1
dn:
objectClass: top
objectClass: OpenLDAProotDSE
1 matches

The LDAP server log indicates the TLS connection is established:
May 28 14:23:40 myldapserver slapd[21902]: conn=1360 fd=40 ACCEPT from
IP=xx.xx.xx.xx:36259 (IP=yy.yy.yy.yy:636)
May 28 14:23:40 myldapserver slapd[21902]: conn=1360 fd=40 TLS established
tls_ssf=128 ssf=128
May 28 14:23:40 myldapserver slapd[21902]: conn=1360 op=0 SRCH base=""
scope=0 deref=0 filter="(objectClass=*)"
May 28 14:23:40 myldapserver slapd[21902]: conn=1360 op=0 SEARCH RESULT
tag=101 err=0 nentries=1 text=
May 28 14:23:40 myldapserver slapd[21902]: conn=1360 op=1 UNBIND
May 28 14:23:40 myldapserver slapd[21902]: conn=1360 fd=40 closed ()

It looks like the message "sudo: unable to initialize SSL cert and key db:
security library: bad" indicates that "tls_cert" and "tls_key" are mandatory
to use SSL with sudo.
It seems that the "tls_cacertfile" parameter is ignored.

Fija



2009/5/27 Todd C. Miller <Todd.Miller at courtesan.com>

> In message <b5ff222b0905271014t216924aco502816dbf9d3c62a at mail.gmail.com>
>        so spake "M. Fija" (fija00):
>
> > > sudo -l
> > LDAP Config Summary
> > ===================
> > uri              ldap://myldapserver
> > ldap_version     3
> > sudoers_base     ou=sudoers,dc=example,dc=fr
> > binddn           cn=host1,ou=systems,dc=example,dc=fr
> > bindpw           host1pwd
> > ssl              on
> > tls_checkpeer    (yes)
> > tls_certfile     /var/ldap/cert8.db
> > ===================
> > sudo: ldapssl_clientauth_init(/var/ldap/cert8.db, NULL)
> > sudo: unable to initialize SSL cert and key db: security library: bad
> > database.
> > sudo: unable to initialize LDAP: Unknown error
> > Password:
>
> It looks like you have tls_checkpeer enabled but no (or invalid?)
> /var/ldap/cert8.db file.
>
>  - todd
>
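The thread above turns on which TLS keys in /etc/ldap.conf sudo actually honours and whether the file they point at (here /var/ldap/cert8.db) is present. The script below is an added example, not code from the thread or from the sudo project: a small lint for a sudo-style ldap.conf that reads the keys named in the thread (ssl, tls_checkpeer, tls_cacertfile, tls_cert, tls_key, bindpw), warns when peer verification is off or has nothing to verify against, checks that every referenced file exists and is readable, and flags a cleartext bindpw in a file other users can read. The accepted values for ssl and tls_checkpeer are this lint's own assumption, not sudo's parser; the two configs it creates are constructed for the demo, and the "bad" one mirrors the thread's situation by pointing tls_cert at a cert8.db path that does not exist.

```shell
#!/bin/sh
# Added example (not from the thread or sudo): lint the TLS keys of a
# sudo-style /etc/ldap.conf. Sample configs below are constructed.

# get_key FILE KEY: print the value of KEY (case-insensitive, first match,
# comment lines skipped), or nothing if it is not set.
get_key() {
    awk -v k="$2" '$1 !~ /^#/ && tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# file_ok PATH: true if PATH is an existing, readable file or directory.
file_ok() {
    [ -r "$1" ] && { [ -f "$1" ] || [ -d "$1" ]; }
}

# check_ldap_conf FILE: print findings; return 0 when the TLS setup is
# consistent, 1 when TLS would fail to start or would skip verification.
check_ldap_conf() {
    conf=$1
    rc=0
    ssl=$(get_key "$conf" ssl)
    peer=$(get_key "$conf" tls_checkpeer)
    cacert=$(get_key "$conf" tls_cacertfile)
    cert=$(get_key "$conf" tls_cert)
    key=$(get_key "$conf" tls_key)

    # Values this lint treats as "TLS on" (assumption, not sudo's parser).
    case "$ssl" in
        on|yes|true|start_tls) ;;
        *) echo "WARN $conf: ssl='$ssl' -- LDAP traffic, including bindpw, is sent in the clear"
           rc=1 ;;
    esac

    case "$peer" in
        yes|on|true)
            # Peer verification needs a CA bundle or cert db to verify against.
            if [ -z "$cacert" ] && [ -z "$cert" ]; then
                echo "WARN $conf: tls_checkpeer is on but neither tls_cacertfile nor tls_cert is set"
                rc=1
            fi ;;
        *) echo "WARN $conf: tls_checkpeer='$peer' -- server certificate is not verified"
           rc=1 ;;
    esac

    # Every file a TLS key points at must exist and be readable by sudo.
    for pair in "tls_cacertfile=$cacert" "tls_cert=$cert" "tls_key=$key"; do
        name=${pair%%=*}; path=${pair#*=}
        if [ -n "$path" ] && ! file_ok "$path"; then
            echo "WARN $conf: $name=$path is missing or unreadable"
            rc=1
        fi
    done

    # A cleartext bindpw in a world-readable file leaks the bind credential.
    if [ -n "$(get_key "$conf" bindpw)" ]; then
        perms=$(ls -ld "$conf" | cut -c8-10)   # "other" permission bits
        case "$perms" in
            ---) ;;
            *) echo "WARN $conf: contains bindpw but is readable by others (perms $perms)"
               rc=1 ;;
        esac
    fi

    return $rc
}

# --- demo with two constructed configs (placeholder host and password) ---
ca=${TMPDIR:-/tmp}/demo-ca.pem.$$
good=${TMPDIR:-/tmp}/ldap.conf.good.$$
bad=${TMPDIR:-/tmp}/ldap.conf.bad.$$
: > "$ca"                                   # empty stand-in for a CA bundle
cat > "$good" <<EOF
uri ldaps://myldapserver
binddn cn=host1,ou=systems,dc=example,dc=fr
bindpw PLACEHOLDER_PASSWORD
ssl on
tls_checkpeer yes
tls_cacertfile $ca
EOF
chmod 600 "$good"
cat > "$bad" <<EOF
uri ldap://myldapserver
ssl on
tls_checkpeer yes
tls_cert ${TMPDIR:-/tmp}/missing-cert8.db.$$
EOF
for f in "$good" "$bad"; do
    if check_ldap_conf "$f"; then echo "OK   $f"; fi
done
rm -f "$ca" "$good" "$bad"
```

Run it as the user sudo would read the file as (root), since the readability checks are relative to the caller. The lint deliberately does not test the LDAP server itself; pair it with the ldapsearch invocation shown earlier in the thread to confirm that the cert db the config names actually validates the server.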
