[sudo-users] Sudo LDAP+TLS in 1.7.2

Tony G. tonysk8 at gmail.com
Tue Sep 21 10:58:40 EDT 2010

Thanks for your reply Todd,

That's what I thought too, since the .ldaprc is ignored in this version,
but when I added both locations I got the same results:

[test at test ~]$ sudo su -
LDAP Config Summary
uri              ldap://ldaptls.example.com
ldap_version     3
sudoers_base     ou=SUDOers,dc=example,dc=com
binddn           cn=binduser,dc=example,dc=com
bindpw           mypassword
bind_timelimit   5000
timelimit        15
ssl              start_tls
tls_checkpeer    (yes)
tls_cacertdir    /etc/openldap/cacerts
tls_certfile     /etc/openldap/cacerts/cert.pem
tls_keyfile      /etc/openldap/cacerts/key.pem
sudo: ldap_initialize(ld,ldap://ldaptls.example.com)
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_set_option: tls_checkpeer -> 1
sudo: ldap_set_option: tls_cacertdir -> /etc/openldap/cacerts
sudo: ldap_set_option: tls_cert -> /etc/openldap/cacerts/cert.pem
sudo: ldap_set_option: tls_key -> /etc/openldap/cacerts/key.pem
sudo: ldap_set_option: timelimit -> 15
sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 5)

sudo: ldap_start_tls_s(): Connect error
[sudo] password for test:

Not sure if this is an issue with my config or a real bug.


On Tue, Sep 21, 2010 at 8:24 AM, Todd C. Miller
<Todd.Miller at courtesan.com> wrote:

> Sounds like you need to add:
> tls_cert /etc/openldap/cacerts/cert.pem
> tls_key /etc/openldap/cacerts/key.pem
> to /etc/ldap.conf.
>  - todd
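The debug summary above is a plain "key value" ldap.conf, and ldap_start_tls_s() returning "Connect error" (LDAP_CONNECT_ERROR) is the generic sign that the TLS handshake itself failed, which with tls_checkpeer on usually means the server certificate could not be verified. The script below is an added example, not code from this thread or from sudo: it parses a sudo-style ldap.conf, flags the TLS settings that commonly break or weaken StartTLS, and checks whether a tls_cacertdir holds the hash-named entries that an OpenSSL-linked libldap looks up. Key names follow sudo's ldap.conf; folding tls_certfile/tls_keyfile onto tls_cert/tls_key, the finding codes, the c_rehash heuristic and the sample configs are this script's own assumptions.

```python
"""Lint the TLS-related keys of a sudo/OpenLDAP-style ldap.conf.

Added example, not sudo's code.  Key names follow sudo's ldap.conf (uri, ssl,
tls_checkpeer, tls_cacertdir, tls_cacertfile, tls_cert/tls_key); the aliases,
the finding codes and the c_rehash heuristic are this script's own choices.
"""
import os
import re
import tempfile

# sudo's debug summary prints tls_certfile/tls_keyfile while the documented
# keys are tls_cert/tls_key; both spellings are folded together (assumption).
ALIASES = {"tls_certfile": "tls_cert", "tls_keyfile": "tls_key"}
YES = {"yes", "true", "on", "1"}


def parse_ldap_conf(text):
    """Parse 'key value' lines; a '#' at line start is a comment, later '#' is data."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        conf[key] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def lint_tls(conf):
    """Return [(code, message)] for settings that break or weaken StartTLS."""
    findings = []
    uri = conf.get("uri", "").lower()
    ssl = conf.get("ssl", "").lower()
    checkpeer = conf.get("tls_checkpeer", "").lower() in YES
    has_ca = bool(conf.get("tls_cacertdir") or conf.get("tls_cacertfile"))

    if ssl == "start_tls" and uri.startswith("ldaps://"):
        findings.append(("starttls-on-ldaps",
                         "ssl start_tls with an ldaps:// uri: that port already speaks TLS; "
                         "use ldap:// for StartTLS or 'ssl on' for ldaps"))
    if checkpeer and not has_ca:
        findings.append(("checkpeer-no-ca",
                         "tls_checkpeer yes but no tls_cacertdir/tls_cacertfile: the server "
                         "certificate cannot be verified, so the handshake fails"))
    if not checkpeer:
        findings.append(("checkpeer-off",
                         "tls_checkpeer is not 'yes': the server certificate is not verified, "
                         "so a man-in-the-middle can serve the sudoers rules"))
    if bool(conf.get("tls_cert")) != bool(conf.get("tls_key")):
        findings.append(("cert-key-mismatch",
                         "tls_cert and tls_key must be set together"))
    if conf.get("bindpw"):
        findings.append(("bindpw-in-file",
                         "bindpw is stored in the config: keep the file root-only (mode 0600)"))
    return findings


HASHED_NAME = re.compile(r"^[0-9a-f]{8}\.\d+$")


def cacertdir_is_hashed(path):
    """True if the directory holds c_rehash-style entries (xxxxxxxx.N).

    OpenSSL-linked libldap finds CAs in tls_cacertdir by subject hash, so a
    directory holding only ca.pem verifies nothing.  Assumption: advisory only;
    an NSS-linked build using a certificate database will not match this.
    """
    try:
        names = os.listdir(path)
    except OSError:
        return False
    return any(HASHED_NAME.match(n) for n in names)


# Constructed samples.  POSTED_STYLE mirrors the thread's summary; BROKEN is a
# deliberately wrong variant (ldaps:// plus start_tls, and no CA to verify with).
POSTED_STYLE = """
uri              ldap://ldaptls.example.com
ldap_version     3
sudoers_base     ou=SUDOers,dc=example,dc=com
binddn           cn=binduser,dc=example,dc=com
bindpw           mypassword
ssl              start_tls
tls_checkpeer    yes
tls_cacertdir    /etc/openldap/cacerts
tls_certfile     /etc/openldap/cacerts/cert.pem
tls_keyfile      /etc/openldap/cacerts/key.pem
"""
BROKEN = """
uri              ldaps://ldaptls.example.com
ssl              start_tls
tls_checkpeer    yes
tls_cert         /etc/openldap/cacerts/cert.pem
tls_key          /etc/openldap/cacerts/key.pem
bindpw           mypassword
"""


def demo_cacertdir_check():
    """Build two throw-away dirs (constructed) and run the heuristic on each."""
    good, bad = tempfile.mkdtemp(), tempfile.mkdtemp()
    open(os.path.join(good, "0a1b2c3d.0"), "w").close()  # c_rehash-style name
    open(os.path.join(bad, "ca.pem"), "w").close()        # plain PEM, no hash name
    return cacertdir_is_hashed(good), cacertdir_is_hashed(bad)


if __name__ == "__main__":
    for name, text in (("posted-style", POSTED_STYLE), ("broken", BROKEN)):
        print(name)
        for code, msg in lint_tls(parse_ldap_conf(text)):
            print("  %-18s %s" % (code, msg))
    print("cacertdir heuristic (hashed, plain):", demo_cacertdir_check())
```

Run it against the real /etc/ldap.conf by replacing the sample text with `open("/etc/ldap.conf").read()`, and point `cacertdir_is_hashed()` at the configured tls_cacertdir; if the config lints clean and the directory is not hashed, `c_rehash` (or `cacertdir_rehash` on distributions that ship it) on that directory is the first thing to try before suspecting sudo itself.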
