[sudo-users] sudo 1.7.1 with pam, ldap and SSL on solaris 10: need help [SOLVED]

M. Fija fija00 at gmail.com
Fri May 29 03:57:14 EDT 2009


There is something buggy with the Solaris 10
ldapssl_clientauth_init()/ldapssl_client_init() functions.
I've trussed sudo and found this:

26236:  stat("/var/ldap/cert8.db/cert8.db", 0xFFBFF0E8) Err#20 ENOTDIR
26236:  open("/var/ldap/cert8.db/cert8.db", O_RDONLY)   Err#20 ENOTDIR
26236:  stat("/var/ldap/cert8.db/cert7.db", 0xFFBFF0E8) Err#20 ENOTDIR
26236:  open("/var/ldap/cert8.db/cert7.db", O_RDONLY)   Err#20 ENOTDIR
26236:  open("/usr/lib/locale/en_US.ISO8859-15/LC_MESSAGES/SUNW_OST_OSLIB.mo", O_RDONLY) Err#2 ENOENT

Note that cert{8,7}.db is appended to the certificate db file name.
I've then changed the tls_cert parameter to /var/ldap:
...
#tls_cert       /var/ldap/cert8.db
tls_cert        /var/ldap/
...


... and that made sudo happy:

$ sudo -l
LDAP Config Summary
===================
uri              ldaps://myldapserver
ldap_version     3
sudoers_base     ou=sudoers,dc=example,dc=fr
binddn           cn=clxb1ad,ou=systems,dc=example,dc=fr
bindpw           edfgt54r
ssl              on
tls_checkpeer    (yes)
tls_certfile     /var/ldap/
===================
sudo: ldapssl_clientauth_init(/var/ldap/, NULL)
sudo: ldapssl_init(myldapserver:636, 389, 1)
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_simple_bind_s() ok
sudo: found:cn=defaults,ou=sudoers,dc=example,dc=fr


Fija
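The working configuration above boils down to one thing: with the Sun LDAP SSL API, tls_cert names the directory holding the NSS certificate database (cert8.db or cert7.db), not the database file, which is why the truss output shows the library probing /var/ldap/cert8.db/cert8.db. The following is an added configuration check, not code from the thread or from sudo: it reads tls_cert out of an ldap.conf-style file, classifies the value the way the library would treat it, and proposes the directory form when a file path was given. The temporary directory, the empty cert8.db and the two ldap.conf fragments are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: sanity-check the "tls_cert" value in an ldap.conf against the
# behaviour seen in the thread (the Sun API appends cert8.db/cert7.db to it).
# Assumptions: the file uses "tls_cert <value>" lines; the NSS database is
# named cert8.db or cert7.db.

# Print the tls_cert value from an ldap.conf-style file (last uncommented
# occurrence wins; "#tls_cert" lines are ignored because $1 is "#tls_cert").
tls_cert_value() {
    awk '$1 == "tls_cert" { v = $2 } END { print v }' "$1"
}

# Classify a tls_cert value:
#   dir-ok    : directory containing cert8.db or cert7.db (what the API expects)
#   dir-empty : directory with no cert{8,7}.db in it
#   file      : the database file itself; the library would then open
#               <value>/cert8.db and fail with ENOTDIR, as in the truss output
#   missing   : path does not exist
check_tls_cert() {
    v=$1
    if [ -d "$v" ]; then
        if [ -f "$v/cert8.db" ] || [ -f "$v/cert7.db" ]; then
            echo dir-ok
        else
            echo dir-empty
        fi
    elif [ -f "$v" ]; then
        echo file
    else
        echo missing
    fi
}

# For a "file" result, suggest the directory containing the database;
# any other value is returned unchanged.
suggest_tls_cert() {
    case $(check_tls_cert "$1") in
        file) dirname "$1" ;;
        *) echo "$1" ;;
    esac
}

# Demonstration on constructed input (stand-in for /var/ldap and ldap.conf).
demo_dir=$(mktemp -d)
: > "$demo_dir/cert8.db"                               # constructed, empty NSS db
printf 'tls_cert %s/cert8.db\n' "$demo_dir" > "$demo_dir/ldap.conf.before"
printf '#tls_cert %s/cert8.db\ntls_cert %s/\n' "$demo_dir" "$demo_dir" \
    > "$demo_dir/ldap.conf.after"

for conf in "$demo_dir/ldap.conf.before" "$demo_dir/ldap.conf.after"; do
    val=$(tls_cert_value "$conf")
    printf '%s: tls_cert=%s -> %s (suggest: %s)\n' \
        "$(basename "$conf")" "$val" "$(check_tls_cert "$val")" "$(suggest_tls_cert "$val")"
done
rm -rf "$demo_dir"
```

Run it as-is to see the "before" value classified as `file` with the parent directory suggested, and the "after" value classified as `dir-ok`; point `tls_cert_value` at the real ldap.conf to check a live system.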


2009/5/28 M. Fija <fija00 at gmail.com>

> Thank you for the patch, but unfortunately the result is the same:
>
> $ sudo -l
> LDAP Config Summary
> ===================
> uri              ldaps://myldapserver
> ldap_version     3
> sudoers_base     ou=sudoers,dc=example,dc=fr
> binddn           cn=host1,ou=systems,dc=example,dc=fr
> bindpw           host1pwd
> ssl              on
> tls_checkpeer    (yes)
> tls_certfile     /var/ldap/cert8.db
> ===================
> sudo: ldapssl_client_init(/var/ldap/cert8.db)
> sudo: unable to initialize SSL client: security library: bad database.
> sudo: unable to initialize LDAP: Unknown error
> Password:
>
> Fija
>
>
> 2009/5/28 Todd C. Miller <Todd.Miller at courtesan.com>
>
> In message <b5ff222b0905280542h646247c2wdc517f2806700ce2 at mail.gmail.com>
>>         so spake "M. Fija" (fija00):
>>
>> > It looks like the message "sudo: unable to initialize SSL cert and key
>> db:
>> > security library: bad" indicates that "tls_cert" and "tls_key" are
>> mandatory
>> > to use SSL with sudo.
>>
>> They should not be.  The LDAP API is supposed to deal with them not
>> being specified.  Please try the diff below to see if it helps.
>>
>> > It seems that "tls_cacertfile" parameter is ignored.
>>
>> There is no way to specify a separate CA cert with the Sun LDAP API.
>>
>>  - todd
>>
>> Index: ldap.c
>> ===================================================================
>> RCS file: /home/cvs/courtesan/sudo/ldap.c,v
>> retrieving revision 1.107
>> diff -u -p -u -r1.107 ldap.c
>> --- ldap.c      25 May 2009 12:02:41 -0000      1.107
>> +++ ldap.c      28 May 2009 13:45:51 -0000
>> @@ -381,15 +381,26 @@ sudo_ldap_init(ldp, host, port)
>>
>>  #ifdef HAVE_LDAPSSL_INIT
>>     if (ldap_conf.ssl_mode == SUDO_LDAP_SSL) {
>> -       DPRINTF(("ldapssl_clientauth_init(%s, %s)",
>> -           ldap_conf.tls_certfile ? ldap_conf.tls_certfile : "NULL",
>> -           ldap_conf.tls_keyfile ? ldap_conf.tls_keyfile : "NULL"), 2);
>> -       rc = ldapssl_clientauth_init(ldap_conf.tls_certfile, NULL,
>> -           ldap_conf.tls_keyfile != NULL, ldap_conf.tls_keyfile, NULL);
>> -       if (rc != LDAP_SUCCESS) {
>> -           warningx("unable to initialize SSL cert and key db: %s",
>> -               ldapssl_err2string(rc));
>> -           goto done;
>> +       if (ldap_conf.tls_keyfile) {
>> +           DPRINTF(("ldapssl_clientauth_init(%s, %s)",
>> +               ldap_conf.tls_certfile ? ldap_conf.tls_certfile : "NULL",
>> +               ldap_conf.tls_keyfile), 2);
>> +           rc = ldapssl_clientauth_init(ldap_conf.tls_certfile, NULL,
>> +               1, ldap_conf.tls_keyfile, NULL);
>> +           if (rc != LDAP_SUCCESS) {
>> +               warningx("unable to initialize SSL cert and key db: %s",
>> +                   ldapssl_err2string(rc));
>> +               goto done;
>> +           }
>> +       } else {
>> +           DPRINTF(("ldapssl_client_init(%s)",
>> +               ldap_conf.tls_certfile ? ldap_conf.tls_certfile : "NULL"),
>> 2);
>> +           rc = ldapssl_client_init(ldap_conf.tls_certfile, NULL);
>> +           if (rc != LDAP_SUCCESS) {
>> +               warningx("unable to initialize SSL client: %s",
>> +                   ldapssl_err2string(rc));
>> +               goto done;
>> +           }
>>        }
>>
>>        DPRINTF(("ldapssl_init(%s, %d, 1)", host, port), 2);
>>
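Review bot: the new else branch passes ldap_conf.tls_certfile straight through to ldapssl_client_init(), but the truss output earlier in the thread shows the Sun library appending cert8.db/cert7.db to that value, i.e. it treats the argument as the certificate database directory rather than the database file the tls_cert name suggests; the same applies to the first argument of ldapssl_clientauth_init() in the if branch. Suggest stating in the DPRINTF text and in the tls_cert documentation that, with the Sun API, the value is the directory containing cert8.db/cert7.db, so that a file path such as /var/ldap/cert8.db is recognised as the misconfiguration it is ("security library: bad database") instead of being reported as an opaque SSL init failure. The two branches also duplicate the warningx/goto done handling; the rc check could be hoisted below the if/else so only the DPRINTF and the call differ.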
>
>


