[sudo-users] LDAPS + sudo + AIX 7.1

Todd C. Miller Todd.Miller at courtesan.com
Wed Oct 23 09:00:21 MDT 2013


On Wed, 23 Oct 2013 07:06:20 -0500, ace man wrote:

> Thank You for the reply. I am only seeing one being parsed with both hostnames
> in the one uri line. The first hostname is used always. If I disabled the
> first LDAP server sudo never tries the second one.

That's really up to the LDAP libraries and not something sudo has
direct control over.  When testing sudo 1.8.8 with IBM ldap 6.3 on
Solaris (I don't have an AIX test machine for LDAP sudo) I do see
it failover to the second LDAP server after 30 seconds with the
following in ldap.conf:

# 30 second timeout
bind_timelimit 30

You can set bind_timelimit to be shorter if you want.  You will
need to use a single URI line in ldap.conf due to the bug discussed
earlier.

 - todd

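As an added illustration (not part of this thread or of sudo itself), a small Python checker that reads an ldap.conf fragment the way the advice above describes: it flags a config with more than one uri line (only the first is honoured), reports the hosts on the first line, and computes the worst-case delay before the last host is reached, assuming the client waits a full bind_timelimit for each dead host before it. The sample configs and hostnames are constructed.

```python
# Constructed sample: one uri line carrying both servers plus the
# 30-second bind timeout from the thread (hostnames are made up).
SAMPLE_SINGLE_URI = """\
# 30 second timeout
bind_timelimit 30
uri ldaps://ldap1.example.com ldaps://ldap2.example.com
sudoers_base ou=SUDOers,dc=example,dc=com
"""

# Constructed sample: two separate uri lines, the layout the thread says
# leaves only the first server in use.
SAMPLE_TWO_URI_LINES = """\
uri ldaps://ldap1.example.com
uri ldaps://ldap2.example.com
"""


def parse_ldap_conf(text):
    """Return (uri_lines, bind_timelimit) from ldap.conf-style text.

    uri_lines is a list with one inner list of servers per uri line;
    bind_timelimit is None when the key is absent (no default is assumed)."""
    uri_lines = []
    bind_timelimit = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        key, _, value = line.partition(" ")
        key = key.lower()
        if key == "uri":
            uri_lines.append(value.split())   # several hosts may share a line
        elif key == "bind_timelimit":
            bind_timelimit = int(value)
    return uri_lines, bind_timelimit


def check_failover(text):
    """Describe which servers will be tried and how long failover can take."""
    uri_lines, timelimit = parse_ldap_conf(text)
    warnings = []
    if len(uri_lines) > 1:
        warnings.append("multiple uri lines: only the first is used; merge them into one")
    if timelimit is None:
        warnings.append("bind_timelimit not set: failover delay depends on library default")
    servers = uri_lines[0] if uri_lines else []
    # Each unreachable host ahead of the last one costs one bind_timelimit.
    worst = None if timelimit is None else timelimit * max(len(servers) - 1, 0)
    return {"servers": servers, "bind_timelimit": timelimit,
            "worst_case_failover_seconds": worst, "warnings": warnings}
```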