[sudo-users] LDAPS + sudo + AIX 7.1
ace man
kevev at hotmail.com
Wed Aug 28 07:55:36 MDT 2013
Here is my AIX 7.1 + LDAP w/TLS Sudoers tutorial. I hope that it can help others. Thank You Todd Miller for all the support. :o)
1.) Install the prerequisite RPMs:
`rpm -Uvh db-3.3.11-4.aix5.1.ppc.rpm gcc-4.2.0-3.aix6.1.ppc.rpm openldap-2.0.21-4.aix4.3.ppc.rpm`
2.) Extract the Sudo source:
`gzip -cd sudo-1.8.7.tar.gz | tar xvf -`
3.) Compile the source & Install:
a.) `cd sudo-1.8.7`
b.) `mkpkg --flavor=ldap --prefix=/opt/freeware --with-insults=disabled --mandir=/opt/freeware/man --with-aixauth --with-logging=syslog --with-logfac=auth --with-editor=/usr/bin/vi --with-env-editor --enable-zlib=builtin --disable-nls --with-sendmail=/usr/sbin/sendmail --with-ldap=/opt/IBM/ldap/V6.3 --with-incpath=/opt/IBM/ldap/V6.3/include --with-libpath=/opt/IBM/ldap/V6.3/lib --with-ldap-conf-file=/etc/ldap.conf`
d.) `installp -a -d sudo-ldap.1.8.7.0.bff all`
4.) `vi /etc/ldap.conf`
TLS_KEY /ssl_client_sudoers/serverauth_client.kdb
TLS_KEYPW password123
base dc=ldap,dc=local
timelimit 5
bind_timelimit 5
idle_timelimit 3600
uri ldap://server1.local/
uri ldap://server2.local/
ssl start_tls
SUDOERS_BASE ou=SUDOers,dc=ldap,dc=local
tls_checkpeer yes
#sudoers_debug 2
5.) `vi /etc/netsvc.conf`
sudoers = ldap, files
6.) Import the Certificate Authority Cert:
a.) `mkdir /ssl_client_sudoers`
b.) `cd /ssl_client_sudoers`
c.) `gsk8capicmd -keydb -create -db serverauth_client.kdb -pw '########'`
***Replace '########' with the key database password you set as the "TLS_KEYPW" entry in /etc/ldap.conf.***
***Do not use special characters in the password; sudoers does not accept them in TLS_KEYPW.***
d.) Copy the Certificate Authority certificate (mine is cacert.asc) from one of the LDAP servers to the /ssl_client_sudoers directory on the client.
e.) Import the cert into the database:
`gsk8capicmd -cert -add -db serverauth_client.kdb -label serverauth -file cacert.asc -format ascii`
***Enter the password chosen in the last step.***
f.) Verify the cert has been imported:
`gsk8capicmd -cert -list -db serverauth_client.kdb`
***Enter the password chosen in the last step.***
Notes:
1.) If you have issues, uncomment "sudoers_debug 2" in /etc/ldap.conf to enable debugging.
2.) If you wish to remove the package:
a.) Remove sudo:
`installp -u sudo-ldap.rte`
3.) If you wish to remove a cert:
a.) Remove a cert:
`gsk8capicmd -cert -delete -label "server1 Server-Cert" -db serverauth_client.kdb`
***Replace "server1 Server-Cert" with the correct cert label/name.***
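A lint script for the /etc/ldap.conf built in step 4, added here as an example and not part of the original tutorial: it checks the settings the thread turned out to hinge on (start_tls versus a "port 636" entry, tls_checkpeer, an alphanumeric TLS_KEYPW, the TLS_KEY file existing, sudoers_debug left commented out) and that the file holding the password is not world-readable. It assumes POSIX sh with awk; the function name and the messages are mine.

```shell
#!/bin/sh
# check_sudo_ldap_conf FILE
# Lints an /etc/ldap.conf written for sudo's IBM LDAP flavor (the file from
# step 4). Prints one line per finding and returns the number of findings,
# so a return of 0 means the file matches the tutorial's expectations.
check_sudo_ldap_conf() {
    conf="$1"
    n=0
    # Value of the first uncommented line whose keyword (case-insensitive) is $1.
    val() { awk -v k="$1" '$1 !~ /^#/ && tolower($1) == k { print $2; exit }' "$conf"; }
    warn() { echo "$conf: $1"; n=$((n + 1)); }

    ssl=$(val ssl)
    [ "$ssl" = "start_tls" ] || warn "expected 'ssl start_tls' (TLS negotiated on port 389)"
    # The mistake from the thread: start_tls talks to port 389, so a 'port 636'
    # entry points it at the ldaps port and the connection fails.
    [ "$ssl" = "start_tls" ] && [ "$(val port)" = "636" ] && \
        warn "'port 636' is the ldaps port; start_tls uses 389"
    # Without 'tls_checkpeer yes' the server certificate is never checked against
    # the CA imported in step 6, so any server presenting any cert is accepted.
    [ "$(val tls_checkpeer)" = "yes" ] || warn "tls_checkpeer is not 'yes'"
    [ -n "$(val sudoers_base)" ] || warn "sudoers_base is missing"
    keypw=$(val tls_keypw)
    [ -n "$keypw" ] || warn "tls_keypw is missing"
    # The tutorial's hard-won lesson: the kdb password must be alphanumeric.
    case "$keypw" in
        *[!A-Za-z0-9]*) warn "tls_keypw contains non-alphanumeric characters" ;;
    esac
    key=$(val tls_key)
    [ -n "$key" ] && [ ! -f "$key" ] && warn "tls_key $key does not exist"
    # sudoers_debug stays commented out except while troubleshooting (note 1).
    [ -z "$(val sudoers_debug)" ] || warn "sudoers_debug is enabled"
    # The file holds the kdb password, so it must not be readable by everyone.
    case "$(ls -ld "$conf" | cut -c8-10)" in
        *r*) warn "world-readable, but it holds tls_keypw" ;;
    esac
    return "$n"
}
```

Run it as `check_sudo_ldap_conf /etc/ldap.conf` after editing the file; an empty output and a zero exit status mean nothing was flagged.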
> From: kevev at hotmail.com
> To: todd.miller at courtesan.com
> Date: Wed, 28 Aug 2013 08:03:54 -0500
> CC: sudo-users at sudo.ws
> Subject: Re: [sudo-users] LDAPS + sudo + AIX 7.1
>
> I figured out my issue. It seems as though sudoers or AIX does not like special characters in the TLS_KEYPW field.
>
> My password was like so #TssE!4v
>
> I tried encapsulating it in single quotes '' and using escape character \ . Nothing worked. I am using a non-complex password and everything works now. I will post my tutorial for anyone else who has this same issue.
>
> > From: Todd.Miller at courtesan.com
> > To: kevev at hotmail.com
> > CC: sudo-users at sudo.ws
> > Subject: Re: [sudo-users] LDAPS + sudo + AIX 7.1
> > Date: Thu, 22 Aug 2013 08:19:33 -0600
> >
> > On Thu, 22 Aug 2013 07:43:03 -0500, ace man wrote:
> >
> > > With the correct password I get "Failed to connect to ssl server"
> > > It looks like "ssl start_tls" is trying to connect via port 389 even though I
> > > have "PORT 636" set in ldap.conf.
> > > This is no good since I use port 636 for SSL/TLS.
> >
> > There are two ways to do encrypted LDAP. You can do ldaps on port
> > 636 where the connection is encrypted from the beginning. Or you
> > can use start_tls which uses port 389 and then negotiates TLS.
> > These days, start_tls is the standard way to do encrypted LDAP.
> >
> > - todd
>
> ____________________________________________________________
> sudo-users mailing list <sudo-users at sudo.ws>
> For list information, options, or to unsubscribe, visit:
> http://www.sudo.ws/mailman/listinfo/sudo-users