[sudo-users] LDAP libs do not support ldap_start_tls_s() or ldap_start_tls_s_np()
Daniel.Crisp at Xchanging.com
Thu Jul 26 11:08:43 EDT 2012
Thanks for the advice Todd.
I've altered my ldap.conf accordingly, but now I seem to be getting a new error:
$ sudo -i bash
sudo: ldap_sasl_bind_s(): Can't contact LDAP server
I know that this particular Solaris server can communicate with the LDAP server. I'll attempt your second suggestion and by that I'm assuming you mean re-compile with --with-libpath=/path/to/openldap/libs?
From: Todd C. Miller [mailto:Todd.Miller at courtesan.com]
Sent: 26 July 2012 14:39
To: Daniel Crisp
Cc: sudo-users at sudo.ws
Subject: Re: [sudo-users] LDAP libs do not support ldap_start_tls_s() or ldap_start_tls_s_np()
The Solaris LDAP libraries do not support the start_tls extension.
You can use LDAP over SSL (e.g. "ssl on" in ldap.conf) but not start_tls.
Alternately, you could link sudo against the OpenLDAP libraries instead of the Solaris LDAP libraries.
What's particularly annoying is that there *is* actually some start_tls support in Solaris LDAP, but it is not exported for client programs to use so there's no way for sudo to use it.
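The two ldap.conf variants Todd describes, shown side by side as an added example (not configuration from the original thread or from the sudo project): the start_tls form that the Solaris libraries cannot use, and the LDAP-over-SSL form that they can. The hostname ldap.example.com, the CA file path and the sudoers base DN are placeholders.

```conf
# --- Variant A: STARTTLS on the plain LDAP port (389). Works only when
#     sudo is linked against OpenLDAP; Solaris LDAP libs reject it with
#     "LDAP libs do not support ldap_start_tls_s() or ldap_start_tls_s_np()".
#uri            ldap://ldap.example.com
#ssl            start_tls
#tls_checkpeer  yes
#tls_cacertfile /etc/openldap/cacert.pem      # placeholder path

# --- Variant B: LDAP over SSL (LDAPS) on port 636. Usable with the
#     Solaris LDAP libraries, since no protocol upgrade is negotiated.
#     Note the scheme: ldaps://. Pointing "ssl on" at a server that only
#     offers plain LDAP + STARTTLS on 389 gives a connection failure.
uri             ldaps://ldap.example.com
ssl             on
tls_checkpeer   yes
tls_cacertfile  /etc/openldap/cacert.pem      # placeholder path

# Shared settings (placeholders)
sudoers_base    ou=SUDOers,dc=example,dc=com
binddn          cn=sudo,ou=Services,dc=example,dc=com
bindpw          change-me
timelimit       15
```

Keep tls_checkpeer set to yes in either variant; disabling it makes the TLS session encrypt but not authenticate the server, so a spoofed directory could hand sudo arbitrary sudoers rules. If you take the other route Todd mentions and rebuild sudo against OpenLDAP, sudo's configure script accepts --with-ldap=DIR, where DIR is the base directory holding the OpenLDAP include and lib directories; after the rebuild, Variant A becomes available as well.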