[sudo-users] sudo 1.7.1 with pam, ldap and SSL on solaris 10: need help

Macleod, Paul paul.macleod at eds.com
Fri May 29 04:21:31 EDT 2009


I would just like to add - I have similar, if not the same issue.

To add information to the mix, I've had a build of Sudo (sudo-1.6.9p10 )
that had some LDAP support iterated through on 19th Dec '07, which was
built.. worked perfectly on Solaris 9 environment.

That environment later upgraded to Solaris 10u4,  and the LDAP SSL fails
to work now.   With newer Sudo 1.7, but also re-tested with the same
1.6.9p10 source; rebuilt etc.  So could confirm it wasn't a 1.7 thing;
as the 1.6.9p10 - worked on Solaris 9.

I've also tried, with making cert7.db and cert8.db; with utter futility;
always the same errors.



-----Original Message-----
From: sudo-users-bounces at courtesan.com
[mailto:sudo-users-bounces at courtesan.com] On Behalf Of M. Fija
Sent: 27 May 2009 18:15
To: sudo-users at sudo.ws
Subject: [sudo-users] sudo 1.7.1 with pam,ldap and SSL on solaris 10:
need help


I've compiled sudo-1.7.1 on Solaris 10 with PAM and (solaris native)
And sudo was built without errors and works as expected when using ldap
fails with ldaps:

> sudo -l
LDAP Config Summary
uri              ldap://myldapserver
ldap_version     3
sudoers_base     ou=sudoers,dc=example,dc=fr
binddn           cn=host1,ou=systems,dc=example,dc=fr
bindpw           host1pwd
ssl              on
tls_checkpeer    (yes)
tls_certfile     /var/ldap/cert8.db
sudo: ldapssl_clientauth_init(/var/ldap/cert8.db, NULL)
sudo: unable to initialize SSL cert and key db: security library: bad
sudo: unable to initialize LDAP: Unknown error

Sudo was build with the following command:
CC="gcc -static-libgcc" ./configure \
        --prefix=/usr \
        --exec-prefix=/usr \
        --sysconfdir=/etc \
        --localstatedir=/var \
        --datarootdir=/usr/share \
        --with-logging=syslog --with-logfac=authpriv \
        --with-editor=/usr/bin/vi --with-env-editor \
        --with-ignore-dot --with-tty-tickets \
        --with-pam --with-nsswitch \
        --with-ldap \
        --with-ldap-conf-file=/etc/ldap.conf \

Here is my /etc/ldap.conf:

uri             ldap://myldapserver
base            dc=example,dc=fr
sudoers_base    ou=sudoers,dc=example,dc=fr
binddn          cn=host1,ou=systems,dc=example,dc=fr
bindpw          host1pwd
tls_checkpeer   yes
ssl             on
#tls_cacertfile  /var/ldap/cert8.db
tls_cert        /var/ldap/cert8.db
#tls_key                /var/ldap/key3.db
sudoers_debug 2

The file /var/ldap/cert8.db was created for the solaris ldap client with
/usr/sfw/bin/certutil command.
On the LDAP server side (openldap 2.3/Redhat ES3), TLS parameters are:

TLSCACertificateFile    /etc/ssl/certs/CAcerts.pem
TLSCertificateFile      /etc/ssl/private/myldapserver.crt
TLSCertificateKeyFile   /etc/ssl/private/myldapserver.key
TLSVerifyClient         never
TLSCipherSuite          SSLv3

It seems there are no problem with PAM as i can see connexion and search
operations honored successfully by the ldap server.

Thanks for any help.

sudo-users mailing list <sudo-users at sudo.ws>
For list information, options, or to unsubscribe, visit:

More information about the sudo-users mailing list