[sudo-users] LDAPS + sudo + AIX 7.1

ace man kevev at hotmail.com
Wed Aug 28 07:55:36 MDT 2013

Here is my AIX 7.1 + LDAP w/TLS Sudoers tutorial. I hope that it can help others. Thank You Todd Miller for all the support.  :o)

                                                `rpm -Uvh db-3.3.11-4.aix5.1.ppc.rpm gcc-4.2.0-3.aix6.1.ppc.rpm openldap-2.0.21-4.aix4.3.ppc.rpm`
                                2.) Extract the Sudo source:
                                                `gzip -cd sudo-1.8.7.tar.gz | tar xvf -`
                                3.) Compile the source & Install:
                                                a.) `cd sudo-1.8.7`
                                                b.) `mkpkg --flavor=ldap --prefix=/opt/freeware --with-insults=disabled --mandir=/opt/freeware/man --with-aixauth --with-logging=syslog --with-logfac=auth --with-editor=/usr/bin/vi --with-env-editor --enable-zlib=builtin --disable-nls --with-sendmail=/usr/sbin/sendmail --with-ldap=/opt/IBM/ldap/V6.3 --with-incpath=/opt/IBM/ldap/V6.3/include --with-libpath=/opt/IBM/ldap/V6.3/lib --with-ldap-conf-file=/etc/ldap.conf`
                                                d.)  `installp -a -d sudo-ldap. all`
                                4.) `vi /etc/ldap.conf`
TLS_KEY /ssl_client_sudoers/serverauth_client.kdb
TLS_KEYPW password123
base dc=ldap,dc=local
timelimit 5
bind_timelimit 5
idle_timelimit 3600
uri ldap://server1.local/
uri ldap://server2.local/
ssl start_tls
SUDOERS_BASE   ou=SUDOers,dc=ldap,dc=local
tls_checkpeer yes
#sudoers_debug 2
                                5.) `vi /etc/netsvc.conf`
sudoers = ldap, files
                                6.) Import the Certificate Authority Cert:
                                                a.) `mkdir /ssl_client_sudoers`
                                                b.) `cd /ssl_client_sudoers`
                                                c.) `gsk8capicmd -keydb -create -db serverauth_client.kdb -pw '########'`
                                                                ***Replace '#######' with the cert password you chose from the "TLS_KEYPW" entry in the /etc/ldap.conf file.***
                                                                ***Do not use special characters in the password as sudoers does not like them.***
                                                d.) Copy the Certificate Authority Certificate(mine is cacert.asc) from one of the LDAP servers to the /ssl_client_sudoers directory on the client.
                                                e.) Import the cert the the database:
                                                                `gsk8capicmd -cert -add -db serverauth_client.kdb -label serverauth -file cacert.asc -format ascii`
                                                                                ***Enter the password chosen in the last step.***
                                                f.) Verify the cert has been import3ed:
                                                                `gsk8capicmd -cert -list -db serverauth_client.kdb`
                                                                                ***Enter the password chosen in the last step.***
                1.) If you have issue, to enable debugging you may uncomment "sudoers_debug 2" in /etc/ldap.conf.
                2.) If you wish to remove the package:
                                a.) Remove sudo:
                                                `installp -u sudo-ldap.rte`
                3.) If you wish to remove a cert:
                                a.) Remove a cert:
                                                `gsk8capicmd -cert -delete -label "server1 Server-Cert" -db serverauth_client.kdb`
                                                                ***Replace "server1 Server-Cert" with the correct cert label/name.***

> From: kevev at hotmail.com
> To: todd.miller at courtesan.com
> Date: Wed, 28 Aug 2013 08:03:54 -0500
> CC: sudo-users at sudo.ws
> Subject: Re: [sudo-users] LDAPS + sudo + AIX 7.1
> I figured out my issue. It seems as though sudoers or AIX does not like special characters in the TLS_KEYPW field.
> My password was like so #TssE!4v
> I tried encapsulating it in single quotes '' and using escape character \ . Nothing worked. I am using a non-complex password and everything works now. I will post my tutorial for anyone else who has this same issue.
> > From: Todd.Miller at courtesan.com
> > To: kevev at hotmail.com
> > CC: sudo-users at sudo.ws
> > Subject: Re: [sudo-users] LDAPS + sudo + AIX 7.1
> > Date: Thu, 22 Aug 2013 08:19:33 -0600
> > 
> > On Thu, 22 Aug 2013 07:43:03 -0500, ace man wrote:
> > 
> > > WIth the correct password I get  "Failed to connect to ssl server"
> > > It looks like "ssl start_tls" is trying to connect via port 389 even though I
> > > have "PORT 636" set in ldap.conf.
> > > This is no good since I use port 636 for SSL/TLS.
> > 
> > There are two ways to do encrypted LDAP.  You can do ldaps on port
> > 636 where the connection is encrypted from the beginning.  Or you
> > can use start_tls which uses port 389 and then negotiates TLS.
> > These days, start_tls is the standard way to do encrypted LDAP.
> > 
> >  - todd
> ____________________________________________________________
> sudo-users mailing list <sudo-users at sudo.ws>
> For list information, options, or to unsubscribe, visit:
> http://www.sudo.ws/mailman/listinfo/sudo-users

More information about the sudo-users mailing list