[sudo-users] SUDO SSL LDAP error

Eric Freeman eric.freeman at tbwachiat.com
Mon May 17 14:37:04 EDT 2010


Thank you. I found my issue.

I needed to add tls_checkpeer no in /etc/ldap.conf



On Mon, May 17, 2010 at 10:40 AM, Michael W. Lucas <
mwlucas at blackhelicopters.org> wrote:

> Does ldapsearch (or other LDAP query programs) work with SSL on?
>
> When I have this problem, I usually find it's an LDAP config error,
> not a sudo config error.
>
> ==ml
>
> On Mon, May 17, 2010 at 10:35:49AM -0400, Eric Freeman wrote:
> > I am running RHEL 5.5. I have LDAP authentication working. I am able to
> > ssh into the server with my LDAP credentials. Our LDAP server is set up
> > correctly because we have other systems using SUDO and LDAP working.
> >
> >
> > When I turn off SSL I am able to use sudo to authenticate to LDAP and
> > have it work.
> >
> > Please let me know if you need more information.
> >
> >
> > However, when I try to run sudo commands using SSL I get the error.
> >
> > LDAP Config Summary
> > ===================
> > uri              ldap://xxxxx
> > ldap_version     3
> > sudoers_base     ou=xxxxxx
> > binddn           cn=xxxxxx
> > bindpw           xxxxxx
> > timelimit        10
> > ssl              start_tls
> > ===================
> > sudo: ldap_initialize(ld, ldap://xxxxxxx)
> > sudo: ldap_set_option: debug -> 0
> > sudo: ldap_set_option: ldap_version -> 3
> > sudo: ldap_set_option: timelimit -> 10
> > sudo: ldap_start_tls_s(): Connect error
> >
> > more /etc/openldap/ldap.conf
> > BASE o=nam
> > TLS_REQCERT never
> > TLS_CACERTDIR /etc/openldap/cacerts
> >
> > URI ldap://xxxx
> >
> > more /etc/nsswitch.conf
> > sudoers:    ldap files
> >
> > more /etc/ldap.conf
> >
> >
> >
> > This e-mail is intended only for the named person or entity to which
> > it is addressed and contains valuable business information that is
> > privileged, confidential and/or otherwise protected from disclosure.
> > Dissemination, distribution or copying of this e-mail or the
> > information herein by anyone other than the intended recipient, or
> > an employee or agent responsible for delivering the message to the
> > intended recipient, is strictly prohibited.  All contents are the
> > copyright property of TBWA Worldwide, its agencies or a client of
> > such agencies. If you are not the intended recipient, you are
> > nevertheless bound to respect the worldwide legal rights of TBWA
> > Worldwide, its agencies and its clients. We require that unintended
> > recipients delete the e-mail and destroy all electronic copies in
> > their system, retaining no copies in any media. If you have received
> > this e-mail in error, please immediately notify us via e-mail to
> > disclaimer at tbwaworld.com.  We appreciate your cooperation.
> >
> > We make no warranties as to the accuracy or completeness of this
> > e-mail and accept no liability for its content or use.  Any opinions
> > expressed in this e-mail are those of the author and do not
> > necessarily reflect the opinions of TBWA Worldwide or any of its
> > agencies or affiliates.
> > ____________________________________________________________
> > sudo-users mailing list <sudo-users at sudo.ws>
> > For list information, options, or to unsubscribe, visit:
> > http://www.sudo.ws/mailman/listinfo/sudo-users
>
> --
> Michael W. Lucas        mwlucas at BlackHelicopters.org
> http://www.MichaelWLucas.com/
> New book:  Network Flow Analysis
> pre-order now!  http://www.networkflowanalysis.com/
>



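The fix reported above works by switching off verification of the LDAP server's certificate: with tls_checkpeer set to no (or TLS_REQCERT never in the OpenLDAP client config), ldap_start_tls_s() no longer fails on an untrusted or mismatched certificate, but the STARTTLS session also no longer proves it reached the intended server. The longer-term alternative is to point tls_cacertfile/tls_cacertdir at the CA that issued the server certificate, keep checking on, and confirm with ldapsearch -ZZ as suggested upthread, since that exercises the same libldap STARTTLS path before sudo is involved. The following POSIX shell script is an added example, not code from this thread, from sudo, or from OpenLDAP: it audits an ldap.conf for the two verification-disabling directives and wraps the ldapsearch probe. The two config files, the ldap.example.com hostname, the sudoers_base value and the CA file path are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): audit ldap.conf files for directives
# that disable server certificate verification, and probe STARTTLS with
# ldapsearch. Sample configs below are constructed; ldap.example.com is a
# placeholder hostname.

# Return 0 when no verification-disabling directive is present, 1 otherwise.
# Covers the PADL/sudo /etc/ldap.conf key (tls_checkpeer) and the OpenLDAP
# /etc/openldap/ldap.conf key (TLS_REQCERT). Patterns are anchored at the
# start of the line, so commented-out directives are not reported.
ldap_tls_audit() {
    conf="$1"
    rc=0
    if grep -Eiq '^[[:space:]]*tls_checkpeer[[:space:]]+no([[:space:]]|$)' "$conf"; then
        echo "$conf: tls_checkpeer no -> server certificate is not verified"
        rc=1
    fi
    if grep -Eiq '^[[:space:]]*tls_reqcert[[:space:]]+(never|allow)([[:space:]]|$)' "$conf"; then
        echo "$conf: TLS_REQCERT never/allow -> server certificate is not verified"
        rc=1
    fi
    return $rc
}

# Probe STARTTLS against a URI. -ZZ makes ldapsearch fail unless the StartTLS
# extended operation succeeds, so a certificate that does not verify against
# the configured CA fails here with the same libldap error sudo would see.
# Skipped (exit 2) when the LDAP client tools are not installed.
ldap_starttls_probe() {
    uri="$1"
    if ! command -v ldapsearch >/dev/null 2>&1; then
        echo "ldapsearch not installed; skipping probe of $uri"
        return 2
    fi
    ldapsearch -x -ZZ -H "$uri" -b '' -s base '(objectClass=*)' namingContexts
}

WORK=$(mktemp -d)

# Constructed sample: the quick fix from this thread. The Connect error goes
# away because the peer certificate is never checked.
QUICKFIX_CONF="$WORK/ldap.conf.quickfix"
cat > "$QUICKFIX_CONF" <<'EOF'
uri ldap://ldap.example.com
ldap_version 3
sudoers_base ou=SUDOers,dc=example,dc=com
ssl start_tls
tls_checkpeer no
EOF

# Constructed sample: same connection, but the server certificate is verified
# against an explicit CA file, so an untrusted certificate fails loudly.
HARDENED_CONF="$WORK/ldap.conf.hardened"
cat > "$HARDENED_CONF" <<'EOF'
uri ldap://ldap.example.com
ldap_version 3
sudoers_base ou=SUDOers,dc=example,dc=com
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/openldap/cacerts/ldap-ca.pem
EOF

# Audit both files: the quick fix is reported, the hardened one is clean.
for f in "$QUICKFIX_CONF" "$HARDENED_CONF"; do
    if ldap_tls_audit "$f"; then
        echo "$f: ok"
    fi
done

# Usage against a real server (placeholder URI):
# ldap_starttls_probe ldap://ldap.example.com
```

Run the audit against both /etc/ldap.conf and /etc/openldap/ldap.conf, since sudo reads the first directly and libldap reads the second underneath it; a clean audit plus a successful ldapsearch -ZZ means the CA in tls_cacertfile or TLS_CACERTDIR actually matches the server's certificate, which is the state the quick fix papers over.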