[sudo-users] LDAP libs do not support ldap_start_tls_s() or ldap_start_tls_s_np()

Daniel Crisp Daniel.Crisp at Xchanging.com
Thu Jul 26 11:08:43 EDT 2012


Thanks for the advice Todd.

I've altered my ldap.conf accordingly but now I seem to be getting a new error:

$ sudo -i bash
sudo: ldap_sasl_bind_s(): Can't contact LDAP server

I know that this particular Solaris server can communicate with the LDAP server.  I'll attempt your second suggestion and by that I'm assuming you mean re-compile with --with-libpath=/path/to/openldap/libs?

Thanks,
Dan.

-----Original Message-----
From: Todd C. Miller [mailto:Todd.Miller at courtesan.com] 
Sent: 26 July 2012 14:39
To: Daniel Crisp
Cc: sudo-users at sudo.ws
Subject: Re: [sudo-users] LDAP libs do not support ldap_start_tls_s() or ldap_start_tls_s_np()

The Solaris LDAP libraries do not support the start_tls extension.
You can use LDAP over SSL (e.g. "ssl on" in ldap.conf) but not start_tls.

Alternately, you could link sudo against the OpenLDAP libraries instead of the Solaris LDAP libraries.

What's particularly annoying is that there *is* actually some start_tls support in Solaris LDAP, but it is not exported for client programs to use so there's no way for sudo to use it.

 - todd
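As an added example, not taken from the thread, this is what the relevant part of a sudo ldap.conf looks like when using LDAP over SSL (sudo's "ssl on") instead of start_tls; the host name, CA file path and base DN are assumptions, and the TLS keys are the ones documented in sudoers.ldap(5):

```conf
# /etc/ldap.conf for sudo on a host whose LDAP libraries lack start_tls.
# Use an ldaps:// URI (default port 636) rather than ldap:// on 389,
# since "ssl on" means a TLS session from the first byte, not an upgrade.
uri ldaps://ldap.example.com        # hostname is an assumption

# LDAPS rather than start_tls (the setting that is unsupported here).
ssl on

# Verify the server certificate against a trusted CA; leaving this off
# makes the encrypted session vulnerable to a spoofed LDAP server.
tls_checkpeer yes
tls_cacertfile /etc/openldap/cacert.pem   # path is an assumption

# Where sudo looks up its sudoRole entries (base DN is an assumption).
sudoers_base ou=SUDOers,dc=example,dc=com
```

A mismatch between `ssl on` and a plain `ldap://` URI on port 389 is one common reason for a "Can't contact LDAP server" bind error, so check the URI scheme and port first.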