[sudo-users] sudo-1.8.13 libibmldap.a dependency error

Robert Sabo Sipos Robert.Sabo_Sipos at telus.com
Fri May 22 11:07:48 MDT 2015

Thanks for the quick reply. Correct, the IBM LDAP package was installed via installp bff format.

I've rebuilt sudo as an installp-style package and now it installs cleanly. Thanks again.

My next challenge is configuring /etc/sudo-ldap.conf correctly. In our LDAP implementation only encrypted traffic on port 636 is allowed (port 389 is blocked on the firewalls) and binding to LDAP servers is through a specific user (proxyuser) and password. Additionally our cert kdb file is protected with a password as well.

I created /etc/sudo-ldap.conf manually and have the following in it (sanitized):

binddn cn=proxyuser,ou=people,ou=systems,ou=internal,o=company
bindpwd <proxyuser cleartext password>
tls_key </path/to/our.kdb>
tls_keypw <cleartext password for our.kdb>
tls_checker no
uri ldaps://ldap-west.company.com:636 ldaps://ldap-east.company.com:636
sudoers_base ou=SUDOers,ou=internal,o=company
bind_timelimit 30
timelimit 30
sudoers_debug 2

However I am getting "ldap_sasl_bind_s(): Inappropriate authentication":

# sudo -V | grep ldap
sudo: LDAP Config Summary
sudo: ===================
sudo: uri              ldaps://ldap-west.company.com:636 ldaps://ldap-east.company.com:636
sudo: ldap_version     3
sudo: sudoers_base     ou=SUDOers,ou=internal,o=company
sudo: search_filter    (objectClass=sudoRole)
sudo: netgroup_base (NONE: will use nsswitch)
sudo: netgroup_search_filter (objectClass=nisNetgroup)
sudo: binddn           cn=proxyuser,ou=people,ou=systems,ou=internal,o=company
sudo: bindpw           (anonymous)
sudo: bind_timelimit   30
sudo: timelimit        30
sudo: ssl              (no)
sudo: tls_keyfile      /path/to/our.kdb
sudo: ===================
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_set_option: timelimit -> 30
sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 30)
sudo: ldap_sasl_bind_s(): Inappropriate authentication
Configure options: --prefix=/opt/freeware --mandir=/opt/freeware/man --with-insults=disabled --with-logging=syslog --with-logfac=auth --with-editor=/usr/bin/vi --with-env-editor --enable-zlib=builtin --disable-nls --with-sendmail=/usr/sbin/sendmail --with-aixauth --with-ldap=/opt/IBM/ldap/V6.3 --with-ldap-conf-file=/etc/sudo-ldap.conf --with-ignore-dot
ldap.conf path: /etc/sudo-ldap.conf
ldap.secret path: /etc/ldap.secret

I notice bindpw states (anonymous) which is not what I'd expect to see, so I'm likely missing something in the configuration. I currently have bindpwd and tls_keypw in cleartext in /etc/sudo-ldap.conf, can they be specified in the same encrypted format as in /etc/security/ldap/ldap.cfg?

Also does /etc/sudo-ldap.conf need specific file ownership and permissions? It is currently set to root:system with 600 permissions.



-----Original Message-----
From: Todd C. Miller [mailto:Todd.Miller at courtesan.com] 
Sent: May 22, 2015 07:16 AM
To: Robert Sabo Sipos
Cc: sudo-users at sudo.ws
Subject: Re: [sudo-users] sudo-1.8.13 libibmldap.a dependency error

My guess is that the IBM LDAP package was installed via installp
and not rpm and thus rpm doesn't know that it is installed.

You should be able install the rpm you build using the --nodeps
flag.  Alternately, you could just build an installp-style package.

 - todd

More information about the sudo-users mailing list