[sudo-users] sudo 1.7.1 with pam, ldap and SSL on solaris 10: need help

Todd C. Miller Todd.Miller at courtesan.com
Thu May 28 09:50:55 EDT 2009


In message <b5ff222b0905280542h646247c2wdc517f2806700ce2 at mail.gmail.com>
	so spake "M. Fija" (fija00):

> It looks like the message "sudo: unable to initialize SSL cert and key db:
> security library: bad" indicates that "tls_cert" and "tls_key" are mandatory
> to use SSL with sudo.

They should not be.  The LDAP API is supposed to deal with them not
being specified.  Please try the diff below to see if it helps.

> It seems that "tls_cacertfile" parameter is ignored.

There is no way to specify a separate CA cert with the Sun LDAP API.

 - todd

Index: ldap.c
===================================================================
RCS file: /home/cvs/courtesan/sudo/ldap.c,v
retrieving revision 1.107
diff -u -p -u -r1.107 ldap.c
--- ldap.c	25 May 2009 12:02:41 -0000	1.107
+++ ldap.c	28 May 2009 13:45:51 -0000
@@ -381,15 +381,26 @@ sudo_ldap_init(ldp, host, port)
 
 #ifdef HAVE_LDAPSSL_INIT
     if (ldap_conf.ssl_mode == SUDO_LDAP_SSL) {
-	DPRINTF(("ldapssl_clientauth_init(%s, %s)",
-	    ldap_conf.tls_certfile ? ldap_conf.tls_certfile : "NULL",
-	    ldap_conf.tls_keyfile ? ldap_conf.tls_keyfile : "NULL"), 2);
-	rc = ldapssl_clientauth_init(ldap_conf.tls_certfile, NULL,
-	    ldap_conf.tls_keyfile != NULL, ldap_conf.tls_keyfile, NULL);
-	if (rc != LDAP_SUCCESS) {
-	    warningx("unable to initialize SSL cert and key db: %s",
-		ldapssl_err2string(rc));
-	    goto done;
+	if (ldap_conf.tls_keyfile) {
+	    DPRINTF(("ldapssl_clientauth_init(%s, %s)",
+		ldap_conf.tls_certfile ? ldap_conf.tls_certfile : "NULL",
+		ldap_conf.tls_keyfile), 2);
+	    rc = ldapssl_clientauth_init(ldap_conf.tls_certfile, NULL,
+		1, ldap_conf.tls_keyfile, NULL);
+	    if (rc != LDAP_SUCCESS) {
+		warningx("unable to initialize SSL cert and key db: %s",
+		    ldapssl_err2string(rc));
+		goto done;
+	    }
+	} else {
+	    DPRINTF(("ldapssl_client_init(%s)",
+		ldap_conf.tls_certfile ? ldap_conf.tls_certfile : "NULL"), 2);
+	    rc = ldapssl_client_init(ldap_conf.tls_certfile, NULL);
+	    if (rc != LDAP_SUCCESS) {
+		warningx("unable to initialize SSL client: %s",
+		    ldapssl_err2string(rc));
+		goto done;
+	    }
 	}
 
 	DPRINTF(("ldapssl_init(%s, %d, 1)", host, port), 2);
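Review bot: neither branch consults ldap_conf.tls_cacertfile, which is exactly the setting the reporter expected to be honored; since the reply states the Sun LDAP API cannot take a separate CA cert, add a warningx() at the top of this #ifdef HAVE_LDAPSSL_INIT block when tls_cacertfile is non-NULL so the user learns it is ignored rather than assuming server verification uses it, and document that in sudoers.ldap. Minor: the if and else branches now carry two copies of the `if (rc != LDAP_SUCCESS) { warningx(...); goto done; }` tail differing only in the message; setting rc and a message pointer in each branch and sharing one check would halve the duplicated error handling.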


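For readers hitting the same error, here is what the two code paths in the patch expect from /etc/ldap.conf on a Solaris (Sun LDAP SDK) host. This is an added example written by the editor, not configuration from the original post or from the sudo project; the file paths are placeholders (assumptions), and the option names are the ones discussed above (ssl, tls_cert, tls_key, tls_cacertfile). With the patch applied, the second form no longer fails with "unable to initialize SSL cert and key db".

```conf
# Added example, not from the mailing-list post or the sudo project.
# Form 1: client certificate authentication (tls_key set).
# This takes the ldapssl_clientauth_init() path in the patch.
ssl on
tls_cert /var/ldap/cert8.db      # placeholder path: Sun SDK cert database, not a PEM file
tls_key  /var/ldap/key3.db       # placeholder path: Sun SDK key database

# Form 2: server verification only (tls_key unset).
# This takes the ldapssl_client_init() path added by the patch;
# before the patch this combination produced the reporter's error.
# ssl on
# tls_cert /var/ldap/cert8.db    # placeholder path; omit entirely to use the SDK default db

# Ignored with the Sun LDAP API, per the reply above: there is no way to
# pass a separate CA certificate file, so the CA must live in the cert db.
# tls_cacertfile /etc/openldap/cacert.pem
```

Note that with this API tls_cert names a certificate database, not a certificate; the CA used to verify the server is whatever is trusted in that database.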