[sudo-users] sudo 1.7.1 with pam, ldap and SSL on solaris 10: need help
Macleod, Paul
paul.macleod at eds.com
Fri May 29 04:21:31 EDT 2009
Hi,
I would just like to add - I have similar, if not the same issue.
To add information to the mix, I've had a build of sudo (sudo-1.6.9p10)
that had some LDAP support iterated through on 19th Dec '07, which was
built and worked perfectly in a Solaris 9 environment.
That environment was later upgraded to Solaris 10u4, and the LDAP SSL fails
to work now. This is with the newer sudo 1.7, but I also re-tested with the same
1.6.9p10 source, rebuilt etc. So I could confirm it wasn't a 1.7 thing,
as 1.6.9p10 worked on Solaris 9.
I've also tried making cert7.db and cert8.db, with utter futility;
always the same errors.
Cheers,
-Paul.
-----Original Message-----
From: sudo-users-bounces at courtesan.com
[mailto:sudo-users-bounces at courtesan.com] On Behalf Of M. Fija
Sent: 27 May 2009 18:15
To: sudo-users at sudo.ws
Subject: [sudo-users] sudo 1.7.1 with pam,ldap and SSL on solaris 10: need help
Hello,
I've compiled sudo-1.7.1 on Solaris 10 with PAM and (solaris native) LDAP support.
Sudo was built without errors and works as expected when using ldap, but
fails with ldaps:
> sudo -l
LDAP Config Summary
===================
uri ldap://myldapserver
ldap_version 3
sudoers_base ou=sudoers,dc=example,dc=fr
binddn cn=host1,ou=systems,dc=example,dc=fr
bindpw host1pwd
ssl on
tls_checkpeer (yes)
tls_certfile /var/ldap/cert8.db
===================
sudo: ldapssl_clientauth_init(/var/ldap/cert8.db, NULL)
sudo: unable to initialize SSL cert and key db: security library: bad database.
sudo: unable to initialize LDAP: Unknown error
Password:
Sudo was built with the following command:
CC="gcc -static-libgcc" ./configure \
--prefix=/usr \
--exec-prefix=/usr \
--sysconfdir=/etc \
--localstatedir=/var \
--datarootdir=/usr/share \
--with-logging=syslog --with-logfac=authpriv \
--with-editor=/usr/bin/vi --with-env-editor \
--with-ignore-dot --with-tty-tickets \
--with-pam --with-nsswitch \
--with-ldap \
--with-ldap-conf-file=/etc/ldap.conf \
--with-ldap-secret-file=/etc/ldap.secret
Here is my /etc/ldap.conf:
uri ldap://myldapserver
base dc=example,dc=fr
sudoers_base ou=sudoers,dc=example,dc=fr
binddn cn=host1,ou=systems,dc=example,dc=fr
bindpw host1pwd
tls_checkpeer yes
ssl on
#tls_cacertfile /var/ldap/cert8.db
tls_cert /var/ldap/cert8.db
#tls_key /var/ldap/key3.db
sudoers_debug 2
The file /var/ldap/cert8.db was created for the solaris ldap client with
/usr/sfw/bin/certutil command.
On the LDAP server side (openldap 2.3/Redhat ES3), TLS parameters are:
TLSCACertificateFile /etc/ssl/certs/CAcerts.pem
TLSCertificateFile /etc/ssl/private/myldapserver.crt
TLSCertificateKeyFile /etc/ssl/private/myldapserver.key
TLSVerifyClient never
TLSCipherSuite SSLv3
It seems there is no problem with PAM, as I can see connection and search
operations honored successfully by the ldap server.
Thanks for any help.
Fija
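As an added example (not from this thread or the sudo project), a small Python checker that parses the /etc/ldap.conf posted above and flags the points a reviewer would raise from it: the bind password kept in ldap.conf even though sudo was built with --with-ldap-secret-file, sudoers_debug left on (the config summary above echoes bindpw in clear text), "ssl on" paired with an ldap:// URI, and tls_checkpeer. The function names and the placeholder password are assumptions of mine; the ldaps check is a consistency flag to investigate, not a verdict on the "bad database" error.

```python
import re

# Constructed sample: the /etc/ldap.conf from the original message, with the
# real bind password replaced by a placeholder.
SAMPLE_LDAP_CONF = """\
uri ldap://myldapserver
base dc=example,dc=fr
sudoers_base ou=sudoers,dc=example,dc=fr
binddn cn=host1,ou=systems,dc=example,dc=fr
bindpw PLACEHOLDER_PASSWORD
tls_checkpeer yes
ssl on
#tls_cacertfile /var/ldap/cert8.db
tls_cert /var/ldap/cert8.db
#tls_key /var/ldap/key3.db
sudoers_debug 2
"""

def parse_ldap_conf(text):
    """Return {key: value} for active lines; comments and blanks are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        conf[parts[0].lower()] = parts[1] if len(parts) == 2 else ""
    return conf

def audit_ldap_conf(conf, secret_file_configured=True):
    """Return a list of findings; an empty list means nothing to flag."""
    findings = []
    uri = conf.get("uri", "")
    ssl = conf.get("ssl", "off").lower()
    if ssl in ("on", "yes", "true") and not uri.startswith("ldaps://"):
        findings.append("ssl on but uri is not ldaps://: check which transport is meant")
    if ssl == "off":
        findings.append("ssl off: sudoers lookups and the bind password travel in clear text")
    if "bindpw" in conf and secret_file_configured:
        findings.append("bindpw in ldap.conf: keep it in the ldap.secret file (root-only, mode 0600)")
    if conf.get("tls_checkpeer", "no").lower() not in ("yes", "on", "true"):
        findings.append("tls_checkpeer not enabled: the LDAP server certificate is not verified")
    if conf.get("sudoers_debug", "0") != "0":
        findings.append("sudoers_debug on: the config summary echoes bindpw on every sudo run")
    return findings
```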
____________________________________________________________
sudo-users mailing list <sudo-users at sudo.ws>
For list information, options, or to unsubscribe, visit:
http://www.sudo.ws/mailman/listinfo/sudo-users