[sudo-users] AIX 6.1 sudo with AIX LDAP Client with SSL

[Wong Ren]

Hi,

I have an issue with running sudo with AIX LDAP client over SSL on the AIX 6.1  Your help is appreciated.

Before turning on the SSL, the sudo is running fine with the OpenLDAP server on a Linux host.

When I turn on the SSL, the SSL is working OK with ldapsearch but not for sudo such as sudo -l.
Below is  an example:
sudo -l
LDAP Config Summary
===================
uri              ldaps://host.exmaple.com
ldap_version     3
sudoers_base     ou=SUDOers,dc=example,dc=com
binddn           (anonymous)
bindpw           (anonymous)
timelimit        120
ssl              yes
===================
sudo: ldap_init(host.example.com:636, 389)
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_set_option: timelimit -> 120
sudo: ldap_simple_bind_s(): Can't contact LDAP server
User root may run the following commands on this host:
    (ALL) ALL
    (ALL) ALL

I assume that with or without SSL, the sudo uses the AIX LDAP client.  Do the tls_* parameters in the /etc/ldap.conf used at all?

Below is my /etc/ldap.conf file:

base dc=comverse-in,dc=com
uri ldaps://host.example.com
timelimit 120
bind_timelimit 120
idle_timelimit 3600
pam_password md5
sudoers_base ou=SUDOers,dc=example,dc=com
sudoers_debug 255
ldap_version 3
ssl start_tls
ssl yes
tls_checker no
tls_cacertfile /etc/security/ldap/cacerts/cacert.pem
tls_cacertdir /etc/security/ldap/cacerts

________________________________
"This e-mail message may contain confidential, commercial or privileged information that constitutes proprietary information of Comverse Technology or its subsidiaries. If you are not the intended recipient of this message, you are hereby notified that any review, use or distribution of this information is absolutely prohibited and we request that you delete all copies and contact us by e-mailing to: security at comverse.com. Thank You."