[sudo-users] LDAPS + sudo + AIX 7.1

Todd C. Miller Todd.Miller at courtesan.com
Tue Aug 20 10:37:57 MDT 2013


I don't have an AIX machine with the IBM ldap libs to test on but
I have verified that sudo works on Solaris with IBM ldap 6.3 libs.
The LDAP server I'm running is OpenLDAP.

Looking at your ldap.conf file, I think you may need to remove the
quotes from the TLS_KEYPW parameter.

You might also try using start_tls instead of an ldaps connection.
E.g.

uri ldap://server1.local ldap://server2.local
ssl start_tls

Below is a patch that gives a better error message from
ldap_ssl_client_init().  It may help track down the issue.  You'll
need to look up the ssl reason code online.

 - todd

diff -r 6c7cec552ea3 plugins/sudoers/ldap.c
--- a/plugins/sudoers/ldap.c	Wed Jun 12 20:53:44 2013 -0400
+++ b/plugins/sudoers/ldap.c	Tue Aug 20 10:20:48 2013 -0600
@@ -603,8 +603,12 @@
     } else
 #elif defined(HAVE_LDAP_SSL_INIT) && defined(HAVE_LDAP_SSL_CLIENT_INIT)
     if (ldap_conf.ssl_mode == SUDO_LDAP_SSL) {
-	if (ldap_ssl_client_init(ldap_conf.tls_keyfile, ldap_conf.tls_keypw, 0, &rc) != LDAP_SUCCESS) {
-	    warningx("ldap_ssl_client_init(): %s", ldap_err2string(rc));
+	int sslrc;
+	rc = ldap_ssl_client_init(ldap_conf.tls_keyfile, ldap_conf.tls_keypw,
+	    0, &sslrc);
+	if (rc != LDAP_SUCCESS) {
+	    warningx("ldap_ssl_client_init(): %s (SSL reason code %d)",
+		ldap_err2string(rc), sslrc);
 	    debug_return_int(-1);
 	}
 	DPRINTF2("ldap_ssl_init(%s, %d, NULL)", host, port);
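Review bot: `int sslrc;` is declared without an initializer before being handed to ldap_ssl_client_init(), so if the library returns an error without writing through its last argument, the warningx() call on the next lines prints an indeterminate value, which is undefined behaviour rather than a usable diagnostic. Whether the IBM library sets the reason code on every failure path cannot be confirmed from the hunk, so make the message self-describing: `int sslrc = 0;` lets a printed 0 reliably mean "no reason code reported". The second hunk (the ldap_start_tls_s_np path) has the identical line and needs the same initializer. The enclosing function begins and ends outside this hunk.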
@@ -2345,8 +2349,12 @@
 	}
 	DPRINTF1("ldap_start_tls_s() ok");
 #elif defined(HAVE_LDAP_SSL_CLIENT_INIT) && defined(HAVE_LDAP_START_TLS_S_NP)
-	if (ldap_ssl_client_init(ldap_conf.tls_keyfile, ldap_conf.tls_keypw, 0, &rc) != LDAP_SUCCESS) {
-	    warningx("ldap_ssl_client_init(): %s", ldap_err2string(rc));
+	int sslrc;
+	rc = ldap_ssl_client_init(ldap_conf.tls_keyfile, ldap_conf.tls_keypw,
+	    0, &sslrc);
+	if (rc != LDAP_SUCCESS) {
+	    warningx("ldap_ssl_client_init(): %s (SSL reason code %d)",
+		ldap_err2string(rc), sslrc);
 	    debug_return_int(-1);
 	}
 	rc = ldap_start_tls_s_np(ld, NULL);

