[sudo-users] sudo 1.7.1 with pam, ldap and SSL on solaris 10: need help

M. Fija fija00 at gmail.com
Thu May 28 11:26:22 EDT 2009


Thank you for the patch, but unfortunately the result is the same:

$ sudo -l
LDAP Config Summary
===================
uri              ldaps://myldapserver
ldap_version     3
sudoers_base     ou=sudoers,dc=example,dc=fr
binddn           cn=host1,ou=systems,dc=example,dc=fr
bindpw           host1pwd
ssl              on
tls_checkpeer    (yes)
tls_certfile     /var/ldap/cert8.db
===================
sudo: ldapssl_client_init(/var/ldap/cert8.db)
sudo: unable to initialize SSL client: security library: bad database.
sudo: unable to initialize LDAP: Unknown error
Password:

Fija


2009/5/28 Todd C. Miller <Todd.Miller at courtesan.com>

> In message <b5ff222b0905280542h646247c2wdc517f2806700ce2 at mail.gmail.com>
>         so spake "M. Fija" (fija00):
>
> > It looks like the message "sudo: unable to initialize SSL cert and key
> > db: security library: bad" indicates that "tls_cert" and "tls_key" are
> > mandatory to use SSL with sudo.
>
> They should not be.  The LDAP API is supposed to deal with them not
> being specified.  Please try the diff below to see if it helps.
>
> > It seems that "tls_cacertfile" parameter is ignored.
>
> There is no way to specify a separate CA cert with the Sun LDAP API.
>
>  - todd
>
> Index: ldap.c
> ===================================================================
> RCS file: /home/cvs/courtesan/sudo/ldap.c,v
> retrieving revision 1.107
> diff -u -p -u -r1.107 ldap.c
> --- ldap.c      25 May 2009 12:02:41 -0000      1.107
> +++ ldap.c      28 May 2009 13:45:51 -0000
> @@ -381,15 +381,26 @@ sudo_ldap_init(ldp, host, port)
>
>  #ifdef HAVE_LDAPSSL_INIT
>     if (ldap_conf.ssl_mode == SUDO_LDAP_SSL) {
> -       DPRINTF(("ldapssl_clientauth_init(%s, %s)",
> -           ldap_conf.tls_certfile ? ldap_conf.tls_certfile : "NULL",
> -           ldap_conf.tls_keyfile ? ldap_conf.tls_keyfile : "NULL"), 2);
> -       rc = ldapssl_clientauth_init(ldap_conf.tls_certfile, NULL,
> -           ldap_conf.tls_keyfile != NULL, ldap_conf.tls_keyfile, NULL);
> -       if (rc != LDAP_SUCCESS) {
> -           warningx("unable to initialize SSL cert and key db: %s",
> -               ldapssl_err2string(rc));
> -           goto done;
> +       if (ldap_conf.tls_keyfile) {
> +           DPRINTF(("ldapssl_clientauth_init(%s, %s)",
> +               ldap_conf.tls_certfile ? ldap_conf.tls_certfile : "NULL",
> +               ldap_conf.tls_keyfile), 2);
> +           rc = ldapssl_clientauth_init(ldap_conf.tls_certfile, NULL,
> +               1, ldap_conf.tls_keyfile, NULL);
> +           if (rc != LDAP_SUCCESS) {
> +               warningx("unable to initialize SSL cert and key db: %s",
> +                   ldapssl_err2string(rc));
> +               goto done;
> +           }
> +       } else {
> +           DPRINTF(("ldapssl_client_init(%s)",
> +               ldap_conf.tls_certfile ? ldap_conf.tls_certfile : "NULL"),
> 2);
> +           rc = ldapssl_client_init(ldap_conf.tls_certfile, NULL);
> +           if (rc != LDAP_SUCCESS) {
> +               warningx("unable to initialize SSL client: %s",
> +                   ldapssl_err2string(rc));
> +               goto done;
> +           }
>        }
>
>        DPRINTF(("ldapssl_init(%s, %d, 1)", host, port), 2);
>
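Review bot: the new else branch passes ldap_conf.tls_certfile to ldapssl_client_init() unchecked, and on failure the only diagnostic is the library's own string (here "security library: bad database"), which does not say whether the path is missing, unreadable, or not the kind of object the library expects; suggest checking that the path exists and is readable before the call and putting it in the warning, e.g. `warningx("unable to initialize SSL client (%s): %s", ldap_conf.tls_certfile ? ldap_conf.tls_certfile : "NULL", ldapssl_err2string(rc));`, and documenting in the sudoers.ldap manual what tls_certfile must point to for the ldapssl API (the certificate database itself or the directory containing it), since the config summary in this thread shows a cert8.db file path being passed. Two smaller points: both branches repeat the same rc/warningx/goto block, so selecting the DPRINTF and the init call first and sharing the error handling would be shorter; and as quoted in this mail the DPRINTF in the else branch has its closing `2);` wrapped onto its own line, so the patch will need to be re-joined before it applies.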


