[sudo-users] AIX 6.1 sudo with AIX LDAP Client with SSL
Todd C. Miller
Todd.Miller at courtesan.com
Fri Oct 21 15:02:02 EDT 2011
There are two ways to do encrypted LDAP: using LDAP over SSL on a
separate port (usually 636) or TLS negotiated over the normal LDAP
port (389) after the connection has been established.
Your ldap.conf file appears to specify both, which may be causing
your problems.
If you want TLS, you should use:
uri ldap://host.example.com
ssl start_tls
If you want SSL on port 636, all you should need is:
uri ldaps://host.example.com
If your server is not listed in the tls_cacertfile, you also need:
tls_checkpeer no
I would suggest trying "tls_checkpeer no" if you still have issues
after correcting the ssl options.
- todd
On Fri, 21 Oct 2011 11:24:19 PDT, Wong Ren wrote:
> Below is my /etc/ldap.conf file:
>
> base dc=comverse-in,dc=com
> uri ldaps://host.example.com
> timelimit 120
> bind_timelimit 120
> idle_timelimit 3600
> pam_password md5
> sudoers_base ou=SUDOers,dc=example,dc=com
> sudoers_debug 255
> ldap_version 3
> ssl start_tls
> ssl yes
> tls_checker no
> tls_cacertfile /etc/security/ldap/cacerts/cacert.pem
> tls_cacertdir /etc/security/ldap/cacerts
More information about the sudo-users
mailing list