[sudo-users] AIX 6.1 sudo with AIX LDAP Client with SSL

Wong Ren Ren.Wong at comverse.com
Fri Oct 21 15:22:49 EDT 2011


Hi Todd,

Thank you for your speedy response.

If you want TLS, you should use:
    uri ldap://host.example.com
    ssl start_tls
[RWong] I got a response from the OpenLDAP server (host.example.com) but there was no encryption and I didn't see the TLS handshakes (using tethereal)

If you want SSL on port 636, all you should need is:
    uri ldaps://host.example.com
[RWong] Here I got the same error as before: "sudo: ldap_simple_bind_s(): Can't contact LDAP server"

If your server is not listed in the tls_cacertfile, you also need:
    tls_checkpeer no
[RWong] Same error: "sudo: ldap_simple_bind_s(): Can't contact LDAP server"


Ren

-----Original Message-----
From: Todd C. Miller [mailto:Todd.Miller at courtesan.com]
Sent: Friday, October 21, 2011 3:02 PM
To: Wong Ren
Cc: sudo-users at sudo.ws
Subject: Re: [sudo-users] AIX 6.1 sudo with AIX LDAP Client with SSL

There are two ways to do encrypted LDAP: using LDAP over SSL on a
separate port (usually 636) or TLS negotiated over the normal LDAP
port (389) after the connection has been established.

Your ldap.conf file appears to specify both, which may be causing
your problems.

If you want TLS, you should use:
    uri ldap://host.example.com
    ssl start_tls

If you want SSL on port 636, all you should need is:
    uri ldaps://host.example.com

If your server is not listed in the tls_cacertfile, you also need:
    tls_checkpeer no

I would suggest trying "tls_checkpeer no" if you still have issues
after correcting the ssl options.

 - todd

On Fri, 21 Oct 2011 11:24:19 PDT, Wong Ren wrote:

> Below is my /etc/ldap.conf file:
>
> base dc=comverse-in,dc=com
> uri ldaps://host.example.com
> timelimit 120
> bind_timelimit 120
> idle_timelimit 3600
> pam_password md5
> sudoers_base ou=SUDOers,dc=example,dc=com
> sudoers_debug 255
> ldap_version 3
> ssl start_tls
> ssl yes
> tls_checker no
> tls_cacertfile /etc/security/ldap/cacerts/cacert.pem
> tls_cacertdir /etc/security/ldap/cacerts
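The reply above boils down to three things to check in a sudo ldap.conf before touching the server: an ldaps:// uri combined with "ssl start_tls", the "ssl" directive given twice (only one of them takes effect), and option names sudo does not recognise (sudo ignores unknown keys without complaint, so a misspelled key silently disappears). The script below is an added example written for this thread, not sudo's own code or anything posted by the participants. It lints a file for those mistakes and also flags "tls_checkpeer no", since that turns off server-certificate checking and a spoofed LDAP server could then hand the client whatever sudoers rules it likes. The list of known keys is a partial one assumed from sudoers.ldap(5); the sample files are constructed copies of the thread's configuration with the hostnames replaced by example.com.

```python
"""Lint a sudo ldap.conf for the transport mistakes discussed in the thread:
ldaps:// combined with 'ssl start_tls', 'ssl' given twice, a misspelled key
that sudo silently ignores, and 'tls_checkpeer no' left in place.
Added example for this thread; not sudo's own code.
Usage: python3 ldapconf_lint.py /etc/ldap.conf   (no argument: lint THREAD_CONF)
"""
import difflib
import sys

# Partial, assumed list of sudoers.ldap(5) keys.  sudo ignores keys it does
# not know, so a typo produces no error of its own, just a missing setting.
KNOWN_KEYS = {
    "uri", "host", "port", "base", "sudoers_base", "ssl", "tls_checkpeer",
    "tls_cacertfile", "tls_cacert", "tls_cacertdir", "tls_cert", "tls_key",
    "tls_cipher_suite", "ldap_version", "bind_timelimit", "timelimit",
    "binddn", "bindpw", "rootbinddn", "sudoers_debug", "sudoers_timed",
    "sudoers_search_filter", "use_sasl", "sasl_auth_id", "deref",
}
# nss_ldap / pam_ldap keys that often share the same file: not sudo's, not typos.
OTHER_CLIENT_KEYS = {"pam_password", "idle_timelimit", "scope", "nss_base_passwd"}
# 'ssl' values that ask sudo for an encrypted connection.
TLS_ON = {"start_tls", "yes", "on", "true"}


def parse_ldap_conf(text):
    """Return (key, value) pairs in file order, keys lowercased, comments skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        entries.append((parts[0].lower(), parts[1].strip() if len(parts) > 1 else ""))
    return entries


def lint_ldap_conf(text):
    """Return a list of (severity, message) findings, errors first."""
    entries = parse_ldap_conf(text)
    findings = []
    seen = {}
    for key, value in entries:
        if key in seen:
            findings.append(("error", f"'{key}' given twice ({seen[key]!r}, then {value!r}); only one takes effect"))
        seen[key] = value
        if key not in KNOWN_KEYS and key not in OTHER_CLIENT_KEYS:
            # A near miss against a real key is almost certainly a typo.
            guess = difflib.get_close_matches(key, KNOWN_KEYS, n=1, cutoff=0.75)
            hint = f", did you mean '{guess[0]}'?" if guess else ""
            findings.append(("error" if guess else "info", f"unknown key '{key}' ignored by sudo{hint}"))

    uri = seen.get("uri", "")
    scheme = uri.split("://", 1)[0].lower() if "://" in uri else ""
    ssl_values = {v.lower() for k, v in entries if k == "ssl"}
    if scheme == "ldaps" and "start_tls" in ssl_values:
        findings.append(("error", "uri is ldaps:// (SSL on port 636) but 'ssl start_tls' asks for STARTTLS on port 389; keep only one"))
    if scheme == "ldap" and not (ssl_values & TLS_ON):
        findings.append(("warning", "ldap:// without 'ssl start_tls': sudoers rules travel in cleartext"))
    if seen.get("tls_checkpeer", "").lower() in ("no", "off", "false"):
        findings.append(("warning", "tls_checkpeer no: server certificate is not verified, so a spoofed server "
                                    "can serve forged sudoers; use only to diagnose, then re-enable"))
    order = {"error": 0, "warning": 1, "info": 2}
    findings.sort(key=lambda f: order[f[0]])
    return findings


# Constructed copy of the file posted in the thread (hostnames replaced).
THREAD_CONF = """\
base dc=example,dc=com
uri ldaps://host.example.com
timelimit 120
bind_timelimit 120
idle_timelimit 3600
pam_password md5
sudoers_base ou=SUDOers,dc=example,dc=com
sudoers_debug 255
ldap_version 3
ssl start_tls
ssl yes
tls_checker no
tls_cacertfile /etc/security/ldap/cacerts/cacert.pem
tls_cacertdir /etc/security/ldap/cacerts
"""

# Constructed: the same file cut down to a single transport (SSL on 636).
LDAPS_CONF = """\
base dc=example,dc=com
uri ldaps://host.example.com
sudoers_base ou=SUDOers,dc=example,dc=com
ldap_version 3
tls_cacertfile /etc/security/ldap/cacerts/cacert.pem
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else THREAD_CONF
    for severity, message in lint_ldap_conf(text):
        print(f"{severity}: {message}")
```

Run against the thread's file it reports the duplicate "ssl" line, the ldaps/start_tls conflict and the unknown key "tls_checker" with "tls_checkpeer" as the likely intended spelling; the cut-down ldaps:// file passes clean. If "tls_checkpeer no" is added to get past a certificate problem, the script keeps reporting it as a warning until the CA file is fixed and the line removed, which is the state a production sudo client should end up in.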

