[sudo-users] SUDO SSL LDAP error
Michael W. Lucas
mwlucas at blackhelicopters.org
Mon May 17 10:40:01 EDT 2010
Does ldapsearch (or other LDAP query programs) work with SSL on?
When I have this problem, I usually find it's an LDAP config error,
not a sudo config error.
On Mon, May 17, 2010 at 10:35:49AM -0400, Eric Freeman wrote:
> I am running RHEL 5.5. I have LDAP authentication working. I am able to ssh
> into the server with my LDAP credentials. Our LDAP server is set up
> correctly because we have other systems using SUDO and LDAP working.
> When I turn off ssl I am able to use sudo to authenticate to LDAP and have it
> Please let me know if you need more information.
> However, when I try to run sudo commands using SSL I get the error.
> LDAP Config Summary
> uri ldap://xxxxx
> ldap_version 3
> sudoers_base ou=xxxxxx
> binddn cn=xxxxxx
> bindpw xxxxxx
> timelimit 10
> ssl start_tls
> sudo: ldap_initialize(ld, ldap://xxxxxxx)
> sudo: ldap_set_option: debug -> 0
> sudo: ldap_set_option: ldap_version -> 3
> sudo: ldap_set_option: timelimit -> 10
> sudo: ldap_start_tls_s(): Connect error
> more /etc/openldap/ldap.conf
> BASE o=nam
> TLS_REQCERT never
> TLS_CACERTDIR /etc/openldap/cacerts
> URI ldap://xxxx
> more /etc/nsswitch.conf
> sudoers: ldap files
> more /etc/ldap.conf
Michael W. Lucas mwlucas at BlackHelicopters.org
New book: Network Flow Analysis
pre-order now! http://www.networkflowanalysis.com/
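A small check script in the spirit of Michael's advice, added here as an example (it is not from the thread and not sudo's own code): it lints an ldap.conf-style file for the ssl/uri pairing and for settings that switch certificate verification off, and it reproduces the STARTTLS upgrade with plain LDAP tools so an "ldap_start_tls_s(): Connect error" can be isolated outside sudo. Assumptions not stated on the page: sudo reads its LDAP settings from a "key value" file such as /etc/ldap.conf, the option names are those of sudoers.ldap(5) (ssl, uri, tls_checkpeer) and ldap.conf(5) (TLS_REQCERT), and ldapsearch and openssl are installed for the live check. The sample configs embedded below are constructed with placeholder values modelled on the poster's redacted summary. One caveat worth keeping in mind when reading the poster's TLS_REQCERT never: that line governs OpenLDAP clients such as ldapsearch, while sudo has its own tls_checkpeer setting, so a successful ldapsearch does not by itself prove that sudo's peer check is satisfied.

```shell
#!/bin/sh
# Added example, not code from the thread or from the sudo project.
# Checks the LDAP/TLS layer with plain LDAP tools before treating
# "ldap_start_tls_s(): Connect error" as a sudo problem.
# Assumptions (not stated on the page): sudo's LDAP settings live in an
# ldap.conf-style "key value" file; ldapsearch/openssl exist for live checks.

# Print the value of a key from an ldap.conf-style file. The key match is
# case-insensitive, so it serves sudo's "ssl" and OpenLDAP's "TLS_REQCERT".
conf_get() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# Reduce a URI to host:port. STARTTLS upgrades a plain ldap:// session
# (port 389); ldaps:// is TLS from the first byte (normally port 636).
uri_hostport() {
    hp=${1#*://}
    hp=${hp%%/*}
    case "$hp" in
        *:*) echo "$hp" ;;
        *)   case "$1" in
                 ldaps://*) echo "$hp:636" ;;
                 *)         echo "$hp:389" ;;
             esac ;;
    esac
}

# Static lint: one "WARN:" line per finding. Covers the ssl/uri pairing and
# the settings that silently disable server certificate verification.
lint_ldap_conf() {
    f=$1
    ssl=$(conf_get "$f" ssl)
    uri=$(conf_get "$f" uri)
    case "$ssl:$uri" in
        start_tls:ldaps://*)
            echo "WARN: ssl start_tls with an ldaps:// URI; STARTTLS upgrades a plain ldap:// session" ;;
        on:ldap://*|yes:ldap://*|true:ldap://*)
            echo "WARN: ssl on pairs with an ldaps:// URI (TLS from the start), not ldap://" ;;
    esac
    case "$(conf_get "$f" tls_checkpeer | tr '[:upper:]' '[:lower:]')" in
        no|false|off|0)
            echo "WARN: tls_checkpeer no disables server certificate checking in sudo" ;;
    esac
    case "$(conf_get "$f" tls_reqcert | tr '[:upper:]' '[:lower:]')" in
        never|allow)
            echo "WARN: TLS_REQCERT never/allow lets OpenLDAP clients accept any server certificate" ;;
    esac
}

# Live check: ldapsearch -ZZ insists that the STARTTLS upgrade succeeds, so a
# failure here reproduces sudo's error without sudo. The openssl probe then
# shows the handshake and certificate chain (-starttls ldap needs OpenSSL 1.1.1+).
live_tls_check() {
    uri=$1
    starttls=""
    case "$uri" in ldap://*) starttls="-starttls ldap" ;; esac
    if command -v ldapsearch >/dev/null 2>&1; then
        case "$uri" in
            ldap://*)  ldapsearch -x -ZZ -H "$uri" -s base -b '' namingContexts ;;
            ldaps://*) ldapsearch -x -H "$uri" -s base -b '' namingContexts ;;
        esac
    else
        echo "ldapsearch not installed; skipping LDAP-level check" >&2
    fi
    if command -v openssl >/dev/null 2>&1; then
        # shellcheck disable=SC2086  (starttls is intentionally unquoted)
        openssl s_client -connect "$(uri_hostport "$uri")" $starttls </dev/null
    fi
}

# Constructed sample of a sudo ldap.conf modelled on the poster's redacted
# summary; every value is a placeholder, not data from the thread.
sample_sudo_ldap_conf() {
cat <<'EOF'
uri ldap://ldap.example.test
ldap_version 3
sudoers_base ou=SUDOers,dc=example,dc=test
binddn cn=sudo-reader,dc=example,dc=test
bindpw REDACTED
timelimit 10
ssl start_tls
tls_checkpeer no
EOF
}

# Constructed sample of an /etc/openldap/ldap.conf with verification disabled.
sample_openldap_conf() {
cat <<'EOF'
BASE dc=example,dc=test
TLS_REQCERT never
TLS_CACERTDIR /etc/openldap/cacerts
URI ldap://ldap.example.test
EOF
}

# Usage: sh ldapcheck.sh --lint /etc/ldap.conf
#        sh ldapcheck.sh --live ldap://ldap.example.test
case "${1:-}" in
    --lint) lint_ldap_conf "$2" ;;
    --live) live_tls_check "$2" ;;
esac
```

Run the lint against both sudo's ldap.conf and /etc/openldap/ldap.conf, then the live check against the exact uri from the sudo config; if ldapsearch -ZZ fails with the same connect error, the problem is in the LDAP client or server TLS setup rather than in sudo, which is the distinction the reply draws.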