[sudo-users] LDAPS + sudo + AIX 7.1
Todd C. Miller
Todd.Miller at courtesan.com
Tue Aug 20 10:37:57 MDT 2013
I don't have an AIX machine with the IBM ldap libs to test on but
I have verified that sudo works on Solaris with IBM ldap 6.3 libs.
The LDAP server I'm running is OpenLDAP.
Looking at your ldap.conf file, I think you may need to remove the
quotes from the TLS_KEYPW parameter.
You also might try using start_tls instead of an ldaps connection.
E.g.
uri ldap://server1.local ldap://server2.local
ssl start_tls
Below is a patch that gives a better error message from
ldap_ssl_client_init(). It may help track down the issue. You'll
need to look up the ssl reason code online.
- todd
diff -r 6c7cec552ea3 plugins/sudoers/ldap.c
--- a/plugins/sudoers/ldap.c Wed Jun 12 20:53:44 2013 -0400
+++ b/plugins/sudoers/ldap.c Tue Aug 20 10:20:48 2013 -0600
@@ -603,8 +603,12 @@
} else
#elif defined(HAVE_LDAP_SSL_INIT) && defined(HAVE_LDAP_SSL_CLIENT_INIT)
if (ldap_conf.ssl_mode == SUDO_LDAP_SSL) {
- if (ldap_ssl_client_init(ldap_conf.tls_keyfile, ldap_conf.tls_keypw, 0, &rc) != LDAP_SUCCESS) {
- warningx("ldap_ssl_client_init(): %s", ldap_err2string(rc));
+ int sslrc;
+ rc = ldap_ssl_client_init(ldap_conf.tls_keyfile, ldap_conf.tls_keypw,
+ 0, &sslrc);
+ if (rc != LDAP_SUCCESS) {
+ warningx("ldap_ssl_client_init(): %s (SSL reason code %d)",
+ ldap_err2string(rc), sslrc);
debug_return_int(-1);
}
DPRINTF2("ldap_ssl_init(%s, %d, NULL)", host, port);
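Review bot: `sslrc` at `int sslrc;` is never initialized, so if `ldap_ssl_client_init()` returns a non-`LDAP_SUCCESS` `rc` without writing through its last argument, the `warningx()` call prints an indeterminate "SSL reason code". Initializing it (`int sslrc = 0;`) makes the message trustworthy, and the warning text could say where the reason code is documented since the user is expected to look it up.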
@@ -2345,8 +2349,12 @@
}
DPRINTF1("ldap_start_tls_s() ok");
#elif defined(HAVE_LDAP_SSL_CLIENT_INIT) && defined(HAVE_LDAP_START_TLS_S_NP)
- if (ldap_ssl_client_init(ldap_conf.tls_keyfile, ldap_conf.tls_keypw, 0, &rc) != LDAP_SUCCESS) {
- warningx("ldap_ssl_client_init(): %s", ldap_err2string(rc));
+ int sslrc;
+ rc = ldap_ssl_client_init(ldap_conf.tls_keyfile, ldap_conf.tls_keypw,
+ 0, &sslrc);
+ if (rc != LDAP_SUCCESS) {
+ warningx("ldap_ssl_client_init(): %s (SSL reason code %d)",
+ ldap_err2string(rc), sslrc);
debug_return_int(-1);
}
rc = ldap_start_tls_s_np(ld, NULL);
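Review bot: Same uninitialized-`sslrc` concern as in the first hunk applies to `int sslrc;` here; initialize it to 0 so the reason code in the `warningx()` message is meaningful when the library does not set it. The context lines do not show whether statements precede this declaration in the enclosing block; if they do, a compiler in strict C89 mode may reject the mixed declaration, so moving it to the top of the block (or to the function's declarations) is the safer placement.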