[sudo-users] LDAPS + sudo + AIX 7.1
kevev at hotmail.com
Thu Oct 24 11:05:49 MDT 2013
That is what I have set. I am also using the IBM 6.3 libraries.
Right now I am running a script I wrote every minute from cron until this gets fixed.
It detects a downed LDAP server via telnet to port 389 and updates the /etc/ldap.conf file.
It is weird that the LDAP client for user authentication can failover but sudo can't.
> From: Todd.Miller at courtesan.com
> To: kevev at hotmail.com
> CC: sudo-users at sudo.ws
> Subject: Re: [sudo-users] LDAPS + sudo + AIX 7.1
> Date: Wed, 23 Oct 2013 09:00:21 -0600
> On Wed, 23 Oct 2013 07:06:20 -0500, ace man wrote:
> > Thank you for the reply. I am only seeing one being parsed with both hostnames
> > in the one uri line. The first hostname is used always. If I disabled the
> > first LDAP server sudo never tries the second one.
> That's really up to the LDAP libraries and not something sudo has
> direct control over. When testing sudo 1.8.8 with IBM ldap 6.3 on
> Solaris (I don't have an AIX test machine for LDAP sudo) I do see
> it failover to the second LDAP server after 30 seconds with the
> following in ldap.conf:
> # 30 second timeout
> bind_timelimit 30
> You can set bind_timelimit to be shorter if you want. You will
> need to use a single URI line in ldap.conf due to the bug discussed
> - todd
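A worked version of the stopgap described in the post above, written as an added example that is neither the poster's script nor anything from the sudo project. It assumes caller-supplied values (config path, scheme, port and the host names ldap1.example.com / ldap2.example.com used in the comments) and that nc(1) is available for the probe. It differs from the posted approach in the ways a practitioner would want: a TCP connect with a timeout instead of interactive telnet (which can hang and pile up one-minute cron jobs), the port as a parameter so an LDAPS setup probes 636 rather than 389, an atomic rewrite that keeps the file's mode and owner, and no write at all when the order is already right. It also collapses the config to a single uri line, which is what the reply says sudo's LDAP code requires; with that and a short bind_timelimit the LDAP library is supposed to fail over by itself, so treat the script as a bridge until that works.

```shell
#!/bin/sh
# Added example, not the poster's script: keep a reachable LDAP server first
# in the single "uri" line of ldap.conf, driven from cron.
# Assumptions: path, scheme (ldap/ldaps), port and host names come from the
# caller; nc(1) is present for the TCP probe.

# probe_host HOST PORT: succeed if a TCP connection opens within 3 seconds.
# Override this function (as an offline test does) to simulate outages.
probe_host() {
    nc -z -w 3 "$1" "$2" >/dev/null 2>&1
}

# build_uri_line SCHEME PORT HOST...: print one "uri" line with reachable
# servers first. Unreachable ones stay at the end instead of being dropped,
# so the file still names every server once it recovers.
build_uri_line() {
    scheme=$1; port=$2; shift 2
    up=""; down=""
    for host in "$@"; do
        if probe_host "$host" "$port"; then
            up="$up $scheme://$host:$port"
        else
            down="$down $scheme://$host:$port"
        fi
    done
    printf 'uri%s%s\n' "$up" "$down"
}

# current_uri_line FILE: print the first existing "uri" line, if any.
current_uri_line() {
    awk '/^[ \t]*uri[ \t]/ { print; exit }' "$1"
}

# rewrite_uri FILE LINE: replace the first "uri" line in FILE with LINE,
# drop any further "uri" lines (sudo wants a single one), or append LINE if
# none exists. The work happens in a temp copy in the same directory, so the
# swap is one rename and cp -p keeps the original mode and owner.
rewrite_uri() {
    conf=$1; newline=$2
    tmp="$conf.tmp.$$"
    cp -p "$conf" "$tmp" || return 1
    # awk -v interprets backslash escapes; the URIs built above contain none.
    awk -v nl="$newline" '
        /^[ \t]*uri[ \t]/ { if (!done) { print nl; done = 1 }; next }
        { print }
        END { if (!done) print nl }
    ' "$conf" > "$tmp" || { rm -f "$tmp"; return 1; }
    mv -f "$tmp" "$conf"
}

# update_ldap_conf FILE SCHEME PORT HOST...: the cron entry point.
# Returns 0 when the file was already correct or was rewritten successfully.
update_ldap_conf() {
    conf=$1; scheme=$2; port=$3; shift 3
    want=$(build_uri_line "$scheme" "$port" "$@")
    have=$(current_uri_line "$conf")
    if [ "$want" = "$have" ]; then
        return 0
    fi
    rewrite_uri "$conf" "$want"
}

# Run as a script with arguments it performs one check, e.g. from root's
# crontab (assumed hosts; an LDAPS deployment passes ldaps and 636):
#   * * * * * /usr/local/sbin/ldap-failover.sh /etc/ldap.conf ldaps 636 \
#       ldap1.example.com ldap2.example.com
if [ "$#" -ge 4 ]; then
    update_ldap_conf "$@"
fi
```

Two caveats when deploying something like this: the job must run as root against a root-owned, non-world-writable /etc/ldap.conf (the atomic rename keeps it that way), and a successful TCP connect only proves the port is listening, not that a TLS handshake or an LDAP bind would succeed, so a server that is up but misbehaving still needs the library-level bind_timelimit to move past it.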