[sudo-users] AIX 6.1 sudo with AIX LDAP Client with SSL

Todd C. Miller Todd.Miller at courtesan.com
Fri Oct 21 15:02:02 EDT 2011

There are two ways to do encrypted LDAP: using LDAP over SSL on a
separate port (usually 636) or TLS negotiated over the normal LDAP
port (389) after the connection has been established.

Your ldap.conf file appears to specify both, which may be causing
your problems.

If you want TLS, you should use:
    uri ldap://host.example.com
    ssl start_tls

If you want SSL on port 636, all you should need is:
    uri ldaps://host.example.com

If your server is not listed in the tls_cacertfile, you also need:
    tls_checkpeer no

I would suggest trying "tls_checkpeer no" if you still have issues
after correcting the ssl options.

 - todd

On Fri, 21 Oct 2011 11:24:19 PDT, Wong Ren wrote:

> Below is my /etc/ldap.conf file:
> base dc=comverse-in,dc=com
> uri ldaps://host.example.com
> timelimit 120
> bind_timelimit 120
> idle_timelimit 3600
> pam_password md5
> sudoers_base ou=SUDOers,dc=example,dc=com
> sudoers_debug 255
> ldap_version 3
> ssl start_tls
> ssl yes
> tls_checker no
> tls_cacertfile /etc/security/ldap/cacerts/cacert.pem
> tls_cacertdir /etc/security/ldap/cacerts

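As an added check that is not part of sudo or of either post, a small linter for the conflict described above: an ldaps:// URI combined with `ssl start_tls`, more than one `ssl` line, and keys the file does not recognise (the quoted `tls_checker`). The recognised-key list and the sample config are assumptions constructed from the thread.

```python
# Added example (not sudo's code): lint a sudo ldap.conf for conflicting
# encryption settings. SAMPLE_CONF is a constructed copy of the lines
# quoted in the thread.
import difflib
import re

# Keys the linter recognises (assumption: those seen in the thread plus
# tls_checkpeer; a real ldap.conf accepts more).
KNOWN_KEYS = {
    "base", "uri", "timelimit", "bind_timelimit", "idle_timelimit",
    "pam_password", "sudoers_base", "sudoers_debug", "ldap_version",
    "ssl", "tls_checkpeer", "tls_cacertfile", "tls_cacertdir",
}

SAMPLE_CONF = """\
uri ldaps://host.example.com
ssl start_tls
ssl yes
tls_checker no
tls_cacertfile /etc/security/ldap/cacerts/cacert.pem
"""

def parse_ldap_conf(text):
    """Return (key, value) pairs; keys lower-cased, blank and # lines skipped."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            parts = re.split(r"\s+", line, maxsplit=1)
            pairs.append((parts[0].lower(), parts[1] if len(parts) > 1 else ""))
    return pairs

def lint_ldap_conf(text):
    """Return a list of findings; an empty list means no conflict was seen."""
    pairs = parse_ldap_conf(text)
    findings = []
    ldaps = any(v.lower().startswith("ldaps://") for k, v in pairs if k == "uri")
    ssl_values = [v.lower() for k, v in pairs if k == "ssl"]
    if ldaps and "start_tls" in ssl_values:
        findings.append("ldaps:// URI combined with 'ssl start_tls': use "
                        "ldaps:// alone, or ldap:// with 'ssl start_tls'")
    if len(ssl_values) > 1:
        findings.append("multiple 'ssl' lines: " + ", ".join(ssl_values))
    for key, _ in pairs:
        if key not in KNOWN_KEYS:
            guess = difflib.get_close_matches(key, KNOWN_KEYS, n=1)
            hint = " (did you mean '%s'?)" % guess[0] if guess else ""
            findings.append("unknown key '%s'%s" % (key, hint))
    return findings
```

Running `lint_ldap_conf(SAMPLE_CONF)` reports all three problems; a file with only `uri ldaps://host.example.com` reports none.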