[sudo-users] LDAPS + sudo + AIX 7.1

ace man kevev at hotmail.com
Tue Aug 20 14:07:41 MDT 2013


Sorry Todd. I am not very skilled at merging code.

patch -i ldap.c.patch
patch: 3016-037 Malformed patch at line 4:  } else

I guess I can make the changes manually.

> From: Todd.Miller at courtesan.com
> To: kevev at hotmail.com
> CC: sudo-users at sudo.ws
> Subject: Re: [sudo-users] LDAPS + sudo + AIX 7.1
> Date: Tue, 20 Aug 2013 10:37:57 -0600
> 
> I don't have an AIX machine with the IBM ldap libs to test on but
> I have verified that sudo works on Solaris with IBM ldap 6.3 libs.
> The LDAP server I'm running is OpenLDAP.
> 
> Looking at your ldap.conf file, I think you may need to remove the
> quotes from the TLS_KEYPW parameter.
> 
> You also might try using start_tls instead of an ldaps connection.
> E.g.
> 
> uri ldap://server1.local ldap://server2.local
> ssl start_tls
> 
> Below is a patch that gives a better error message from
> ldap_ssl_client_init().  It may help track down the issue.  You'll
> need to look up the ssl reason code online.
> 
>  - todd
> 
> diff -r 6c7cec552ea3 plugins/sudoers/ldap.c
> --- a/plugins/sudoers/ldap.c	Wed Jun 12 20:53:44 2013 -0400
> +++ b/plugins/sudoers/ldap.c	Tue Aug 20 10:20:48 2013 -0600
> @@ -603,8 +603,12 @@
>      } else
>  #elif defined(HAVE_LDAP_SSL_INIT) && defined(HAVE_LDAP_SSL_CLIENT_INIT)
>      if (ldap_conf.ssl_mode == SUDO_LDAP_SSL) {
> -	if (ldap_ssl_client_init(ldap_conf.tls_keyfile, ldap_conf.tls_keypw, 0, &rc) != LDAP_SUCCESS) {
> -	    warningx("ldap_ssl_client_init(): %s", ldap_err2string(rc));
> +	int sslrc;
> +	rc = ldap_ssl_client_init(ldap_conf.tls_keyfile, ldap_conf.tls_keypw,
> +	    0, &sslrc);
> +	if (rc != LDAP_SUCCESS) {
> +	    warningx("ldap_ssl_client_init(): %s (SSL reason code %d)",
> +		ldap_err2string(rc), sslrc);
>  	    debug_return_int(-1);
>  	}
>  	DPRINTF2("ldap_ssl_init(%s, %d, NULL)", host, port);
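Review bot: `int sslrc;` is declared without an initialiser and is read only in the failure branch, so if `ldap_ssl_client_init()` ever returns something other than `LDAP_SUCCESS` without storing through its last argument, the `%d` prints an indeterminate value; `int sslrc = 0;` makes an unset code visible as 0 at no cost. It is also worth a one-line comment that the printed number is the library's SSL reason code rather than an LDAP result code, since feeding that out-parameter to `ldap_err2string()` (the `&rc` in the removed lines) is precisely the mix-up this hunk untangles.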
> @@ -2345,8 +2349,12 @@
>  	}
>  	DPRINTF1("ldap_start_tls_s() ok");
>  #elif defined(HAVE_LDAP_SSL_CLIENT_INIT) && defined(HAVE_LDAP_START_TLS_S_NP)
> -	if (ldap_ssl_client_init(ldap_conf.tls_keyfile, ldap_conf.tls_keypw, 0, &rc) != LDAP_SUCCESS) {
> -	    warningx("ldap_ssl_client_init(): %s", ldap_err2string(rc));
> +	int sslrc;
> +	rc = ldap_ssl_client_init(ldap_conf.tls_keyfile, ldap_conf.tls_keypw,
> +	    0, &sslrc);
> +	if (rc != LDAP_SUCCESS) {
> +	    warningx("ldap_ssl_client_init(): %s (SSL reason code %d)",
> +		ldap_err2string(rc), sslrc);
>  	    debug_return_int(-1);
>  	}
>  	rc = ldap_start_tls_s_np(ld, NULL);
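Review bot: the `int sslrc;` / `rc = ldap_ssl_client_init(...)` / `warningx(...)` block here is a character-for-character copy of the one in the first hunk; a small static helper that wraps the call and the warning would keep the two messages in step and leave one place to change if the reason-code formatting is adjusted. Separately, this `int sslrc;` sits directly after the `#elif` at one indent level in, and the visible context does not show whether it is the first statement of its block; if it is not, compilers in strict C89 mode reject a declaration after a statement, so consider moving it up beside the existing declaration of `rc`.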
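The "Malformed patch" failure above is the classic symptom of a unified diff that has travelled through a quoted mail reply: patch(1) requires every line inside a hunk to begin with a space, `+`, `-` or `\`, and the `> ` quote prefix (or a context line whose leading space was lost along the way) breaks that. The following script is an added example for this thread, not code from sudo, from Todd or from the original poster; it strips one level of quoting, counts hunk lines that lack a marker, and dry-runs the result. The target file and the quoted hunk it works on are constructed for the demo and are not sudo's `plugins/sudoers/ldap.c` or the posted patch; `--dry-run` assumes GNU patch and is not in POSIX patch.

```shell
#!/bin/sh
# Added example for this thread, not code from sudo or from the original
# mail: recover a unified diff that was copied out of a "> "-quoted reply,
# then check each hunk body line still carries its leading ' ', '+' or '-'
# marker (patch(1) rejects a hunk line without one as "Malformed patch").
# The target file and the quoted hunk below are constructed for the demo;
# they are not plugins/sudoers/ldap.c or the patch posted in the thread.
set -eu

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# Constructed stand-in for the file the patch targets.
cat > "$workdir/ldap.c" <<'EOF'
int f(int rc)
{
    if (rc != 0) {
        warningx("ldap_ssl_client_init(): %s", ldap_err2string(rc));
        return -1;
    }
    return 0;
}
EOF

# Constructed patch as it looks when saved straight from the quoted reply.
cat > "$workdir/quoted.txt" <<'EOF'
> --- a/ldap.c
> +++ b/ldap.c
> @@ -1,8 +1,9 @@
>  int f(int rc)
>  {
>      if (rc != 0) {
> -        warningx("ldap_ssl_client_init(): %s", ldap_err2string(rc));
> +        warningx("ldap_ssl_client_init(): %s (SSL reason code %d)",
> +            ldap_err2string(rc), sslrc);
>          return -1;
>      }
>      return 0;
>  }
EOF

# Strip one level of mail quoting: "> " or a bare ">" at line start.
unquote_patch() {
    sed -e 's/^> \{0,1\}//' "$1"
}

# Count hunk body lines that lack a valid marker.  Inside a hunk every line
# must start with ' ' (context), '+', '-' or '\' ("No newline at end of
# file"); anything else, including an empty line, is what patch reports
# as "Malformed patch at line N".
count_malformed() {
    awk '
        /^diff /                       { in_hunk = 0; next }
        /^@@/                          { in_hunk = 1; next }
        in_hunk && !/^[ +-]/ && !/^\\/ { n++ }
        END                            { print n + 0 }
    ' "$1"
}

unquote_patch "$workdir/quoted.txt" > "$workdir/fix.patch"

# A copy with the leading space knocked off line 4 (" int f(int rc)"),
# the kind of damage a mail client or a copy-paste can do to context lines.
sed '4s/^ //' "$workdir/fix.patch" > "$workdir/broken.patch"

echo "malformed lines in fix.patch:    $(count_malformed "$workdir/fix.patch")"
echo "malformed lines in broken.patch: $(count_malformed "$workdir/broken.patch")"

# Dry-run the recovered patch when a patch(1) that supports it is present
# (GNU patch does; --dry-run is not in POSIX patch, so AIX's may not).
if command -v patch >/dev/null 2>&1; then
    patch -d "$workdir" -p1 --dry-run < "$workdir/fix.patch" \
        || echo "patch would not apply cleanly; inspect fix.patch by hand"
fi
```

Running `count_malformed` on a saved patch before calling `patch -i` gives the offending line numbers' count immediately; if it reports a non-zero value on a file that has already been unquoted, open it in an editor and restore the missing leading space on the context lines the report points at rather than re-typing the change by hand.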


More information about the sudo-users mailing list