[sudo-users] SUDO SSL LDAP error

Michael W. Lucas mwlucas at blackhelicopters.org
Mon May 17 10:40:01 EDT 2010

Does ldapsearch (or other LDAP query programs) work with SSL on?

When I have this problem, I usually find it's an LDAP config error,
not a sudo config error.


On Mon, May 17, 2010 at 10:35:49AM -0400, Eric Freeman wrote:
> I am running RHEL 5.5. I have LDAP authentication working. I am able to ssh
> into the server with my LDAP credentials. Our LDAP server is set up
> correctly because we have other systems using SUDO and LDAP working.
> When I turn off ssl I am able to use sudo to authenticate to LDAP and have it
> work.
> Please let me know if you need more information.
> However, when I try to run sudo commands using SSL I get the error.
> LDAP Config Summary
> ===================
> uri              ldap://xxxxx
> ldap_version     3
> sudoers_base     ou=xxxxxx
> binddn           cn=xxxxxx
> bindpw           xxxxxx
> timelimit        10
> ssl              start_tls
> ===================
> sudo: ldap_initialize(ld, ldap://xxxxxxx)
> sudo: ldap_set_option: debug -> 0
> sudo: ldap_set_option: ldap_version -> 3
> sudo: ldap_set_option: timelimit -> 10
> sudo: ldap_start_tls_s(): Connect error
> more /etc/openldap/ldap.conf
> BASE o=nam
> TLS_CACERTDIR /etc/openldap/cacerts
> URI ldap://xxxx
> more /etc/nsswitch.conf
> sudoers:    ldap files
> more /etc/ldap.conf

Michael W. Lucas 	mwlucas at BlackHelicopters.org
New book:  Network Flow Analysis
pre-order now!  http://www.networkflowanalysis.com/
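One way to run the check Michael suggests, as an added example (not code from the thread): probe the TLS layer with ldapsearch and sanity-check TLS_CACERTDIR before touching sudo's settings. Assumes OpenLDAP's ldapsearch with OpenSSL-style hashed CA links; the URI and base are placeholders.

```shell
#!/bin/sh
# Added diagnostic, not from the thread. Exercises the same START_TLS path
# that sudo's ldap_start_tls_s() uses, but without sudo in the loop.

# Returns 0 if DIR looks usable as TLS_CACERTDIR: it needs at least one PEM
# certificate AND the <hash>.0 links that c_rehash creates. Without the
# links OpenSSL treats the directory as empty and START_TLS fails with a
# connect error even though the CA file is sitting right there.
cacertdir_ok() {
    dir=$1
    [ -d "$dir" ] || { echo "no such directory: $dir"; return 1; }
    certs=$(ls "$dir"/*.pem "$dir"/*.crt 2>/dev/null | wc -l)
    links=$(ls "$dir" | grep -c '^[0-9a-f]\{8\}\.[0-9]$')
    if [ "$certs" -eq 0 ]; then
        echo "no PEM certificates in $dir"; return 1
    fi
    if [ "$links" -eq 0 ]; then
        echo "no hash links in $dir (run: c_rehash $dir)"; return 1
    fi
    return 0
}

# -ZZ makes ldapsearch fail hard if TLS cannot be negotiated, which is
# exactly the condition sudo reports as "ldap_start_tls_s(): Connect error".
starttls_ok() {
    uri=$1
    base=$2
    ldapsearch -x -ZZ -H "$uri" -b "$base" -s base '(objectClass=*)' dn \
        >/dev/null 2>&1
}

main() {
    cacertdir_ok /etc/openldap/cacerts || exit 1
    if starttls_ok "$1" "$2"; then
        echo "START_TLS OK: TLS layer works, look at sudo's LDAP settings"
    else
        echo "START_TLS failed outside sudo: fix ldap.conf / CA certs first"
    fi
}

# Usage: ./ldaptls-check.sh ldap://ldap.example.com ou=SUDOers,dc=example,dc=com
if [ "$#" -ge 2 ]; then main "$@"; fi
```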
