[sudo-users] Help needed with sudo ssl and HPUX

Todd C. Miller Todd.Miller at courtesan.com
Fri May 28 17:46:12 EDT 2010


Hmm, in your working example, ssl=off whereas in the non-working,
ssl=start_tls.  Does your ldap server support ldaps (SSL over port
636)?  If so, does that work?

 - todd

In message <AANLkTilwhv3thy_ATBgSVdyK0RFg9mX0cw0Ch5YLSpPX at mail.gmail.com>
	so spake Eric Freeman (eric.freeman):

> I am running sudo 1.7.2 on HP-UX 11.11. Sudo works when not using SSL, but
> when using SSL it fails. The odd thing is that it works on another HP-UX machine
> with the same version of sudo. I have also copied the /etc/ldap.conf file
> from the working machine to the non-working machine.
> 
> When I am root and type sudo -v it appears to talk SSL but a regular user
> fails. The regular user also fails SSL when issuing a sudo command with an
> actual command.
> 
> 
> Thank you.
> Below is the error and one that worked with root:
> 
> $ sudo lastb
> LDAP Config Summary
> ===================
> uri              ldap://10.20.2.165
> ldap_version     3
> sudoers_base     ou=xxxxxxx
> binddn           cn=xxxxxx
> bindpw           xxxxx
> bind_timelimit   30000
> timelimit        30
> ssl              start_tls
> tls_checkpeer    (no)
> ===================
> sudo: ldap_initialize(ld, ldap://10.20.2.165)
> sudo: ldap_set_option: debug -> 0
> sudo: ldap_set_option: ldap_version -> 3
> sudo: ldap_set_option: tls_checkpeer -> 0
> sudo: ldap_set_option: timelimit -> 30
> sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 30)
> 
> sudo: ldap_start_tls_s(): Connect error
> 
> 
> 
> Working with root:
> 
> dbtest:/ # sudo -v
> LDAP Config Summary
> ===================
> uri              ldap://10.20.2.165
> ldap_version     3
> sudoers_base     ou=xxxxx
> binddn           cn=xxxxx
> bindpw           xxxx
> bind_timelimit   30000
> timelimit        30
> ssl              off
> tls_checkpeer    (no)
> ===================
> sudo: ldap_initialize(ld, ldap://10.20.2.165)
> sudo: ldap_set_option: debug -> 0
> sudo: ldap_set_option: ldap_version -> 3
> sudo: ldap_set_option: tls_checkpeer -> 0
> sudo: ldap_set_option: timelimit -> 30
> sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 30)
> 
> sudo: ldap_sasl_bind_s() ok
> sudo: found:cn=defaults,ou=SUDOersDBTEST,ou=SUDOers,ou=Services,o=NAM
> sudo: ldap sudoOption: 'logfile=/var/adm/syslog/sudo.ldap.log'
> sudo: ldap sudoOption: 'log_year'
> sudo: user_matches=0
> sudo: host_matches=0
> sudo: sudo_ldap_lookup(53)=0x82
> 
> 
> $ more /etc/ldap.conf
> uri ldap://10.20.2.165
> ssl start_tls
> TLS_CHECKPEER off
> sudoers_base ou=xxxxx
> BINDDN cn=xxxx
> BINDPW xxxx
> timelimit 30
> bind_timelimit 30
> TLS_REQCERT never
> sudoers_debug 2
> 
> 
> 
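As an added example (not code from this thread or from the sudo project), here is a small Python audit of the ldap.conf format quoted above. It flags the settings in the posted config that switch off server certificate verification (TLS_CHECKPEER off, TLS_REQCERT never, no CA file) and shows a hardened counterpart; the CA file path in the hardened sample is an assumed placeholder, and the bind values are placeholders as in the original post.

```python
# Constructed sample modelled on the ldap.conf quoted in the thread;
# the secret values are placeholders, not real credentials.
WEAK_CONF = """\
uri ldap://10.20.2.165
ssl start_tls
TLS_CHECKPEER off
sudoers_base ou=xxxxx
BINDDN cn=xxxx
BINDPW xxxx
TLS_REQCERT never
"""
# The same transport settings with verification enabled; the CA file
# path is an assumed placeholder, not a path from the original post.
HARDENED_CONF = """\
uri ldap://10.20.2.165
ssl start_tls
TLS_CHECKPEER yes
TLS_REQCERT demand
TLS_CACERTFILE /etc/opt/ldap/cacert.pem
"""
OFF = {"off", "no", "false", "0"}

def parse_ldap_conf(text):
    """Map lowercased key -> value (sudo matches keys case-insensitively);
    blank lines and '#' comments are skipped, a repeated key keeps the last value."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf

def audit(conf):
    """Return [(severity, key, reason)] for settings that weaken the LDAP transport."""
    ssl = conf.get("ssl", "off").lower()
    if ssl in OFF and not conf.get("uri", "").lower().startswith("ldaps://"):
        # No TLS at all: the bind password and sudoers data travel in cleartext.
        return [("high", "ssl", "LDAP session is unencrypted")]
    findings = []
    if conf.get("tls_checkpeer", "").lower() in OFF:
        findings.append(("high", "tls_checkpeer", "server certificate is not verified"))
    if conf.get("tls_reqcert", "").lower() in {"never", "allow", "try"}:
        findings.append(("high", "tls_reqcert", "invalid or missing server certificate is accepted"))
    if not (conf.get("tls_cacertfile") or conf.get("tls_cacertdir")):
        findings.append(("medium", "tls_cacertfile", "no CA configured, so verification cannot succeed"))
    return findings
```

Run against the root session's summary (ssl off) the audit reports the unencrypted session instead, which is the difference Todd points out in his reply.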