[sudo-users] Sudo LDAP+TLS in 1.7.2

Tony G. tonysk8 at gmail.com
Mon Sep 20 18:42:27 EDT 2010


Hi Sudo users,

I've been using sudo with ldap+tls without issues until today when some
servers got the update of the package sudo-1.7.2p1-8.el5_5; those were using
sudo-1.6.9p17-5.el5.

In /var/log/messages I got:
sudo: pam_ldap: ldap_starttls_s: Connect error

I went into the changelog http://www.sudo.ws/sudo/stable.html#1.7.2p1 and
found that the section "Major changes between version 1.6.9p19 and 1.7.0:"
showed something that I thought might be the reason for my issue:

Sudo now ignores user .ldaprc files as well as system LDAP defaults. All
LDAP configuration is now in /etc/ldap.conf (or whichever file was specified
by configure's --with-ldap-conf-file option). If you are using TLS, you may
now need to specify:

	    tls_checkpeer no

in sudo's ldap.conf unless ldap.conf references a valid certificate
authority file(s).

My LDAP config uses the default value of tls_checkpeer, which is *yes*, and
that setting fails with version 1.7.2; if I set tls_checkpeer no, it
works.

Any help is appreciated.

*tls_checkpeer yes*
[test at test ~]$ sudo su -
LDAP Config Summary
===================
uri              ldap://ldaptls.example.com
ldap_version     3
sudoers_base     ou=SUDOers,dc=example,dc=com
binddn           cn=bind,dc=example,dc=com
bindpw           mypassword
bind_timelimit   5000
timelimit        15
ssl              start_tls
tls_cacertdir    /etc/openldap/cacerts
===================
sudo: ldap_initialize(ld, ldap://ldaptls.example.com)
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_set_option: tls_cacertdir -> /etc/openldap/cacerts
sudo: ldap_set_option: timelimit -> 15
sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 5)

sudo: ldap_start_tls_s(): Connect error
[sudo] password for test:

*tls_checkpeer no*
[test at test ~]$ sudo su -
LDAP Config Summary
===================
uri              ldap://ldaptls.example.com
ldap_version     3
sudoers_base     ou=SUDOers,dc=example,dc=com
binddn           cn=binduser,dc=example,dc=com
bindpw           mypassword
bind_timelimit   5000
timelimit        15
ssl              start_tls
tls_checkpeer    (no)
tls_cacertdir    /etc/openldap/cacerts
===================
sudo: ldap_initialize(ld, ldap://ldaptls.example.com)
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_set_option: tls_checkpeer -> 0
sudo: ldap_set_option: tls_cacertdir -> /etc/openldap/cacerts
sudo: ldap_set_option: timelimit -> 15
sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 5)

sudo: ldap_start_tls_s() ok
sudo: ldap_sasl_bind_s() ok
sudo: found:cn=defaults,ou=SUDOers,dc=example,dc=com
sudo: ldap sudoOption: '!requiretty'
sudo: ldap sudoOption: '!listpw'
sudo: ldap search '(|(sudoUser=test)(sudoUser=%test)(sudoUser=ALL))'
sudo: found:cn=full_root,ou=SUDOers,dc=example,dc=com
sudo: ldap sudoHost 'ALL' ... MATCH!
sudo: ldap sudoRunAsUser 'ALL' ... MATCH!
sudo: ldap sudoCommand 'ALL' ... MATCH!
sudo: Command allowed
sudo: ldap sudoOption: '!authenticate'
sudo: user_matches=1
sudo: host_matches=1
sudo: sudo_ldap_lookup(0)=0x02


*/etc/ldap.conf*
base dc=example,dc=com
bind_policy soft
bind_timelimit 5
binddn cn=bind,dc=example,dc=com
bindpw mypassword
idle_timelimit 600
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,
pam_password md5
ssl start_tls
timelimit 15
uri ldap://ldaptls.example.com
tls_cacertdir /etc/openldap/cacerts
sudoers_base ou=SUDOers,dc=example,dc=com

*/root/.ldaprc*
tls_cert /etc/openldap/cacerts/cert.pem
tls_key /etc/openldap/cacerts/key.pem

*/etc/openldap/ldap.conf*
uri ldap://127.0.0.1/ ldap://ldaptls.example.com
base dc=example,dc=com
tls_cacert /etc/openldap/cacerts/ca.pem
tls_reqcert demand
timelimit 5

Thanks
-- 
Tony
http://blog.tonyskapunk.net
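An added check (not part of Tony's message or of sudo itself) for the situation the changelog describes: it parses the three files quoted above, reports the TLS settings that now live only in files sudo 1.7 ignores, and tests whether sudo's own ldap.conf actually gives it CA material, since tls_checkpeer no only makes the error go away by no longer verifying the LDAP server's certificate. The set of TLS keys and the c_rehash naming rule for tls_cacertdir are assumptions; the sample file contents are constructed from the post.

```python
import re

# Assumption: these are the client-side TLS keys sudo 1.7 reads only from its
# own ldap.conf; the same keys in ~/.ldaprc or /etc/openldap/ldap.conf no
# longer reach sudo, per the changelog quoted in the post.
TLS_KEYS = {"tls_cacert", "tls_cacertfile", "tls_cacertdir", "tls_cert",
            "tls_key", "tls_checkpeer", "tls_reqcert", "ssl"}

def parse_ldap_conf(text: str) -> dict:
    """Parse ldap.conf style 'key value' lines; keys are case-insensitive."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            parts = line.split(None, 1)
            if len(parts) == 2:
                conf[parts[0].lower()] = parts[1].strip()
    return conf

def ignored_tls_settings(sudo_conf: dict, others: dict) -> dict:
    """TLS keys set in files sudo ignores but absent from sudo's ldap.conf."""
    report = {}
    for path, conf in others.items():
        gap = {k: v for k, v in conf.items()
               if k in TLS_KEYS and k not in sudo_conf}
        if gap:
            report[path] = gap
    return report

def has_ca_material(sudo_conf: dict, cacertdir_listing: list) -> bool:
    """True if sudo's ldap.conf names a CA file, or its tls_cacertdir holds the
    '<8 hex digits>.N' hash links c_rehash creates (a bare ca.pem is not enough)."""
    if sudo_conf.get("tls_cacert") or sudo_conf.get("tls_cacertfile"):
        return True
    if "tls_cacertdir" in sudo_conf:
        return any(re.fullmatch(r"[0-9a-f]{8}\.\d+", f) for f in cacertdir_listing)
    return False

# Constructed sample input: the TLS-relevant lines of the files quoted in the post.
SUDO_LDAP_CONF = parse_ldap_conf(
    "ssl start_tls\nuri ldap://ldaptls.example.com\n"
    "tls_cacertdir /etc/openldap/cacerts\n")
OTHER_CONFS = {
    "/root/.ldaprc": parse_ldap_conf(
        "tls_cert /etc/openldap/cacerts/cert.pem\ntls_key /etc/openldap/cacerts/key.pem\n"),
    "/etc/openldap/ldap.conf": parse_ldap_conf(
        "tls_cacert /etc/openldap/cacerts/ca.pem\ntls_reqcert demand\ntimelimit 5\n"),
}
```

Run `ignored_tls_settings(SUDO_LDAP_CONF, OTHER_CONFS)` to see the client cert, key, CA file and tls_reqcert that sudo can no longer see, and `has_ca_material(SUDO_LDAP_CONF, os.listdir("/etc/openldap/cacerts"))` to check whether the hashed CA links a directory lookup needs are actually present.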
