[sudo-users] LDAPS + sudo + AIX 7.1
ace man
kevev at hotmail.com
Tue Aug 20 14:07:41 MDT 2013
Sorry Todd. I am not very skilled at merging code.
patch -i ldap.c.patch
patch: 3016-037 Malformed patch at line 4: } else
I guess I can make the changes manually.
> From: Todd.Miller at courtesan.com
> To: kevev at hotmail.com
> CC: sudo-users at sudo.ws
> Subject: Re: [sudo-users] LDAPS + sudo + AIX 7.1
> Date: Tue, 20 Aug 2013 10:37:57 -0600
>
> I don't have an AIX machine with the IBM ldap libs to test on but
> I have verified that sudo works on Solaris with IBM ldap 6.3 libs.
> The LDAP server I'm running is OpenLDAP.
>
> Looking at your ldap.conf file, I think you may need to remove the
> quotes from the TLS_KEYPW parameter.
>
> You also might try using start_tls instead of an ldaps connection.
> E.g.
>
> uri ldap://server1.local ldap://server2.local
> ssl start_tls
>
> Below is a patch that gives a better error message from
> ldap_ssl_client_init(). It may help track down the issue. You'll
> need to look up the ssl reason code online.
>
> - todd
>
> diff -r 6c7cec552ea3 plugins/sudoers/ldap.c
> --- a/plugins/sudoers/ldap.c Wed Jun 12 20:53:44 2013 -0400
> +++ b/plugins/sudoers/ldap.c Tue Aug 20 10:20:48 2013 -0600
> @@ -603,8 +603,12 @@
> } else
> #elif defined(HAVE_LDAP_SSL_INIT) && defined(HAVE_LDAP_SSL_CLIENT_INIT)
> if (ldap_conf.ssl_mode == SUDO_LDAP_SSL) {
> - if (ldap_ssl_client_init(ldap_conf.tls_keyfile, ldap_conf.tls_keypw, 0, &rc) != LDAP_SUCCESS) {
> - warningx("ldap_ssl_client_init(): %s", ldap_err2string(rc));
> + int sslrc;
> + rc = ldap_ssl_client_init(ldap_conf.tls_keyfile, ldap_conf.tls_keypw,
> + 0, &sslrc);
> + if (rc != LDAP_SUCCESS) {
> + warningx("ldap_ssl_client_init(): %s (SSL reason code %d)",
> + ldap_err2string(rc), sslrc);
> debug_return_int(-1);
> }
> DPRINTF2("ldap_ssl_init(%s, %d, NULL)", host, port);
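Review bot: `int sslrc;` is passed to ldap_ssl_client_init() uninitialised, so if the call fails without writing the reason code the new `warningx("ldap_ssl_client_init(): %s (SSL reason code %d)", ...)` prints an indeterminate value; suggest `int sslrc = 0;` so a missing code reads as 0 rather than stack garbage. Separating `rc` from `sslrc` is the right change here: the removed lines passed `&rc` as the SSL reason code and then handed that same value to ldap_err2string(), which expects an LDAP result code, so the old message described the wrong error. Note also that as quoted in this mail the context lines have lost their leading space (`} else` instead of ` } else`), which is exactly what makes patch(1) report "Malformed patch at line 4"; pull the changeset from the repository or attach the diff as a file instead of applying the inline copy.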
> @@ -2345,8 +2349,12 @@
> }
> DPRINTF1("ldap_start_tls_s() ok");
> #elif defined(HAVE_LDAP_SSL_CLIENT_INIT) && defined(HAVE_LDAP_START_TLS_S_NP)
> - if (ldap_ssl_client_init(ldap_conf.tls_keyfile, ldap_conf.tls_keypw, 0, &rc) != LDAP_SUCCESS) {
> - warningx("ldap_ssl_client_init(): %s", ldap_err2string(rc));
> + int sslrc;
> + rc = ldap_ssl_client_init(ldap_conf.tls_keyfile, ldap_conf.tls_keypw,
> + 0, &sslrc);
> + if (rc != LDAP_SUCCESS) {
> + warningx("ldap_ssl_client_init(): %s (SSL reason code %d)",
> + ldap_err2string(rc), sslrc);
> debug_return_int(-1);
> }
> rc = ldap_start_tls_s_np(ld, NULL);
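Review bot: this is a second verbatim copy of the ldap_ssl_client_init() error path from the SUDO_LDAP_SSL branch above, down to the same uninitialised `int sslrc;`; a small static helper that wraps the call and emits the warning would keep the two branches in step and let the `sslrc = 0` fix and any future message change be made once. The start of the enclosing block is outside the visible context, so check that `int sslrc;` still sits at the top of a block in the HAVE_LDAP_SSL_CLIENT_INIT && HAVE_LDAP_START_TLS_S_NP branch and not after a statement, since a declaration after code is rejected by pre-C99 compilers, which matters for the AIX build this thread is about.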