[sudo-users] Help needed with sudo ssl and HPUX

Eric Freeman eric.freeman at tbwachiat.com
Thu Jun 3 13:29:17 EDT 2010


Sorry, let me try it again.

Below is my /etc/ldap.conf file.
I then did sudo -v as root and it appears to work. Immediately after that I
issued the command su - eric_freeman and tried the same sudo -v, and it
failed. It appears that when I am root, sudo over SSL works. Yes, our LDAP
server supports TLS.

dbtest:/ # more /etc/ldap.conf
uri ldap://10.20.2.165
ssl start_tls
TLS_CHECKPEER off
sudoers_base ou=xxx
BINDDN cn=xxx
BINDPW xxx
timelimit 30
bind_timelimit 30
TLS_REQCERT never
sudoers_debug 2


dbtest:/ # sudo -v
LDAP Config Summary
===================
uri              ldap://10.20.2.165
ldap_version     3
sudoers_base     ou=xxx
binddn           cn=xxx
bindpw           xxx
bind_timelimit   30000
timelimit        30
ssl              start_tls
tls_checkpeer    (no)
===================
sudo: ldap_initialize(ld, ldap://10.20.2.165)
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_set_option: tls_checkpeer -> 0
sudo: ldap_set_option: timelimit -> 30
sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 30)

sudo: ldap_start_tls_s() ok
sudo: ldap_sasl_bind_s() ok
sudo: found:cn=defaults,ou=xxx
sudo: ldap sudoOption: 'logfile=/var/adm/syslog/sudo.ldap.log'
sudo: ldap sudoOption: 'log_year'
sudo: user_matches=0
sudo: host_matches=0
sudo: sudo_ldap_lookup(53)=0x82


dbtest:/ # su - eric_freeman
$ sudo -v
LDAP Config Summary
===================
uri              ldap://10.20.2.165
ldap_version     3
sudoers_base     ou=xxx
binddn           cn=xxx
bindpw           xxx
bind_timelimit   30000
timelimit        30
ssl              start_tls
tls_checkpeer    (no)
===================
sudo: ldap_initialize(ld, ldap://10.20.2.165)
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_set_option: tls_checkpeer -> 0
sudo: ldap_set_option: timelimit -> 30
sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 30)

sudo: ldap_start_tls_s(): Connect error
$



On Fri, May 28, 2010 at 5:46 PM, Todd C. Miller
<Todd.Miller at courtesan.com> wrote:

> Hmm, in your working example, ssl=off whereas in the non-working,
> ssl=start_tls.  Does your ldap server support ldaps (SSL over port
> 636)?  If so, does that work?
>
>  - todd
>
> In message <AANLkTilwhv3thy_ATBgSVdyK0RFg9mX0cw0Ch5YLSpPX at mail.gmail.com>
>        so spake Eric Freeman (eric.freeman):
>
> > I am running sudo 1.7.2 on HP-UX 11.11. Sudo works when not using SSL but
> > when using SSL it fails. The odd thing is it works on another HP-UX
> > machine and the same version of sudo. I have also copied the
> > /etc/ldap.conf file from the working machine to the non-working machine.
> >
> > When I am root and type sudo -v it appears to talk SSL but a regular user
> > fails. The regular user also fails SSL when issuing a sudo command with
> > an actual command.
> >
> >
> > Thank you.
> > Below is the error and one that worked with root:
> >
> > $ sudo lastb
> > LDAP Config Summary
> > ===================
> > uri              ldap://10.20.2.165
> > ldap_version     3
> > sudoers_base     ou=xxxxxxx
> > binddn           cn=xxxxxx
> > bindpw           xxxxx
> > bind_timelimit   30000
> > timelimit        30
> > ssl              start_tls
> > tls_checkpeer    (no)
> > ===================
> > sudo: ldap_initialize(ld, ldap://10.20.2.165)
> > sudo: ldap_set_option: debug -> 0
> > sudo: ldap_set_option: ldap_version -> 3
> > sudo: ldap_set_option: tls_checkpeer -> 0
> > sudo: ldap_set_option: timelimit -> 30
> > sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 30)
> >
> > sudo: ldap_start_tls_s(): Connect error
> >
> >
> >
> > Working with root:
> >
> > dbtest:/ # sudo -v
> > LDAP Config Summary
> > ===================
> > uri              ldap://10.20.2.165
> > ldap_version     3
> > sudoers_base     ou=xxxxx
> > binddn           cn=xxxxx
> > bindpw           xxxx
> > bind_timelimit   30000
> > timelimit        30
> > ssl              off
> > tls_checkpeer    (no)
> > ===================
> > sudo: ldap_initialize(ld, ldap://10.20.2.165)
> > sudo: ldap_set_option: debug -> 0
> > sudo: ldap_set_option: ldap_version -> 3
> > sudo: ldap_set_option: tls_checkpeer -> 0
> > sudo: ldap_set_option: timelimit -> 30
> > sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 30)
> >
> > sudo: ldap_sasl_bind_s() ok
> > sudo: found:cn=defaults,ou=SUDOersDBTEST,ou=SUDOers,ou=Services,o=NAM
> > sudo: ldap sudoOption: 'logfile=/var/adm/syslog/sudo.ldap.log'
> > sudo: ldap sudoOption: 'log_year'
> > sudo: user_matches=0
> > sudo: host_matches=0
> > sudo: sudo_ldap_lookup(53)=0x82
> >
> >
> > $ more /etc/ldap.conf
> > uri ldap://10.20.2.165
> > ssl start_tls
> > TLS_CHECKPEER off
> > sudoers_base ou=xxxxx
> > BINDDN cn=xxxx
> > BINDPW xxxx
> > timelimit 30
> > bind_timelimit 30
> > TLS_REQCERT never
> > sudoers_debug 2
> >
> >
> >



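As an added example, not part of this thread or of sudo itself: a small Python linter that reads a sudo ldap.conf like the one posted above (the sample is a constructed copy, placeholders kept as xxx), flags the settings that disable server certificate verification (TLS_CHECKPEER off, TLS_REQCERT never, no TLS_CACERT) and the sudoers_debug level that echoes BINDPW in the config summary, then shows the same config with verification turned on. The CA file path used by hardened() is a placeholder, not a path from the thread.

```python
"""Lint a sudo /etc/ldap.conf for TLS settings that weaken or disable server
certificate verification. Added example for this thread, not sudo's own code;
SAMPLE_LDAP_CONF is a constructed copy of the config posted above."""

SAMPLE_LDAP_CONF = """\
uri ldap://10.20.2.165
ssl start_tls
TLS_CHECKPEER off
sudoers_base ou=xxx
BINDDN cn=xxx
BINDPW xxx
timelimit 30
bind_timelimit 30
TLS_REQCERT never
sudoers_debug 2
"""

OFF = ("off", "no", "false", "0")


def parse_ldap_conf(text):
    """Map lowercased keys to values; sudo matches the keys case-insensitively."""
    conf = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if parts and not parts[0].startswith("#"):
            conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def lint_tls(conf):
    """Return findings for settings that disable transport or peer checks.
    Only explicit weak values are flagged; absent keys keep library defaults."""
    findings = []
    if conf.get("ssl", "off").lower() in OFF:
        findings.append("ssl off: sudoers lookups and BINDPW cross the wire in cleartext")
    else:
        if conf.get("tls_checkpeer", "").lower() in OFF:
            findings.append("TLS_CHECKPEER off: the server certificate is never verified")
        if conf.get("tls_reqcert", "").lower() in ("never", "allow"):
            findings.append("TLS_REQCERT %s: a missing or bad certificate is accepted" % conf["tls_reqcert"])
        if not (conf.get("tls_cacert") or conf.get("tls_cacertdir")):
            findings.append("no TLS_CACERT/TLS_CACERTDIR: nothing to verify the server against")
    if conf.get("sudoers_debug", "0") != "0":
        findings.append("sudoers_debug > 0: BINDPW is echoed in the LDAP Config Summary")
    return findings


def hardened(conf, ca_path="/path/to/ca-cert.pem"):
    """Same config with peer verification on; ca_path is a placeholder to replace."""
    return dict(conf, tls_checkpeer="yes", tls_reqcert="demand",
                tls_cacert=ca_path, sudoers_debug="0")


if __name__ == "__main__":
    conf = parse_ldap_conf(SAMPLE_LDAP_CONF)
    for finding in lint_tls(conf):
        print("WEAK:", finding)
    print("findings after hardening:", lint_tls(hardened(conf)))
```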


