[sudo-users] sudo-1.8.13 libibmldap.a dependency error
Robert Sabo Sipos
Robert.Sabo_Sipos at telus.com
Fri May 22 11:07:48 MDT 2015
Thanks for the quick reply. Correct, the IBM LDAP package was installed via installp bff format.
I've rebuilt sudo as an installp-style package and now it installs cleanly. Thanks again.
My next challenge is configuring /etc/sudo-ldap.conf correctly. In our LDAP implementation only encrypted traffic on port 636 is allowed (port 389 is blocked on the firewalls) and binding to LDAP servers is through a specific user (proxyuser) and password. Additionally our cert kdb file is protected with a password as well.
I created /etc/sudo-ldap.conf manually and have the following in it (sanitized):
bindpwd <proxyuser cleartext password>
tls_keypw <cleartext password for our.kdb>
uri ldaps://ldap-west.company.com:636 ldaps://ldap-east.company.com:636
However I am getting "ldap_sasl_bind_s(): Inappropriate authentication":
# sudo -V | grep ldap
sudo: LDAP Config Summary
sudo: uri ldaps://ldap-west.company.com:636 ldaps://ldap-east.company.com:636
sudo: ldap_version 3
sudo: sudoers_base ou=SUDOers,ou=internal,o=company
sudo: search_filter (objectClass=sudoRole)
sudo: netgroup_base (NONE: will use nsswitch)
sudo: netgroup_search_filter (objectClass=nisNetgroup)
sudo: binddn cn=proxyuser,ou=people,ou=systems,ou=internal,o=company
sudo: bindpw (anonymous)
sudo: bind_timelimit 30
sudo: timelimit 30
sudo: ssl (no)
sudo: tls_keyfile /path/to/our.kdb
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_set_option: timelimit -> 30
sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 30)
sudo: ldap_sasl_bind_s(): Inappropriate authentication
Configure options: --prefix=/opt/freeware --mandir=/opt/freeware/man --with-insults=disabled --with-logging=syslog --with-logfac=auth --with-editor=/usr/bin/vi --with-env-editor --enable-zlib=builtin --disable-nls --with-sendmail=/usr/sbin/sendmail --with-aixauth --with-ldap=/opt/IBM/ldap/V6.3 --with-ldap-conf-file=/etc/sudo-ldap.conf --with-ignore-dot
ldap.conf path: /etc/sudo-ldap.conf
ldap.secret path: /etc/ldap.secret
I notice bindpw states (anonymous), which is not what I'd expect to see, so I'm likely missing something in the configuration. I currently have bindpwd and tls_keypw in cleartext in /etc/sudo-ldap.conf; can they be specified in the same encrypted format as in /etc/security/ldap/ldap.cfg?
Also does /etc/sudo-ldap.conf need specific file ownership and permissions? It is currently set to root:system with 600 permissions.
From: Todd C. Miller [mailto:Todd.Miller at courtesan.com]
Sent: May 22, 2015 07:16 AM
To: Robert Sabo Sipos
Cc: sudo-users at sudo.ws
Subject: Re: [sudo-users] sudo-1.8.13 libibmldap.a dependency error
My guess is that the IBM LDAP package was installed via installp
and not rpm and thus rpm doesn't know that it is installed.
You should be able to install the rpm you build using the --nodeps
flag. Alternately, you could just build an installp-style package.
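As an added check, not from this thread and not part of sudo itself, the script below is a hypothetical linter for the file named by --with-ldap-conf-file. It flags keys that are not sudoers.ldap(5) keywords, a binddn with no bindpw (the condition behind the "bindpw (anonymous)" line in the sudo -V output above), uri entries that are not ldaps://, and a file readable by group or other; the sample file is constructed with placeholder secrets.

```shell
#!/bin/sh
# Hypothetical linter for sudo's ldap.conf (not part of sudo). KNOWN is the
# subset of sudoers.ldap(5) keywords relevant to this setup.
KNOWN="uri host port ldap_version sudoers_base search_filter netgroup_base \
netgroup_search_filter binddn bindpw bind_timelimit timelimit ssl tls_checkpeer \
tls_cacertfile tls_cacert tls_cacertdir tls_cert tls_key tls_keyfile tls_keypw \
tls_randfile tls_cipher_suite rootbinddn use_sasl sasl_auth_id krb5_ccname deref"
# lint_sudo_ldap_conf FILE: prints one "WARN: ..." line per finding and
# returns 0 when clean, 1 otherwise.
lint_sudo_ldap_conf() {
    f=$1; n=0; have_binddn=0; have_bindpw=0
    # The file holds bindpw/tls_keypw in cleartext, so only the owner may read it.
    perms=$(ls -ld "$f" | cut -c5-10)
    [ "$perms" = "------" ] || { echo "WARN: $f readable by group/other ($perms)"; n=$((n+1)); }
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac
        key=$(printf '%s' "$line" | awk '{print tolower($1)}')
        val=$(printf '%s' "$line" | awk '{$1=""; sub(/^ +/, ""); print}')
        case " $KNOWN " in
            *" $key "*) ;;
            *) echo "WARN: '$key' is not a sudoers.ldap(5) keyword"; n=$((n+1)); continue ;;
        esac
        case $key in
            binddn) have_binddn=1 ;;
            bindpw) have_bindpw=1 ;;
            uri) for u in $val; do          # only ldaps:// (port 636) is allowed here
                     case $u in ldaps://*) ;;
                     *) echo "WARN: uri '$u' does not use ldaps://"; n=$((n+1)) ;;
                     esac
                 done ;;
        esac
    done < "$f"
    if [ "$have_binddn" -eq 1 ] && [ "$have_bindpw" -eq 0 ]; then
        echo "WARN: binddn without bindpw: sudo -V reports 'bindpw (anonymous)' and binds with no password"
        n=$((n+1))
    fi
    [ "$n" -eq 0 ]
}
# Constructed sample (placeholder secrets) with the same shape as the post's file.
sample=$(mktemp) || exit 1
cat > "$sample" <<'EOF'
binddn cn=proxyuser,ou=people,ou=systems,ou=internal,o=company
bindpwd EXAMPLE-PROXY-PASSWORD
tls_keyfile /path/to/our.kdb
tls_keypw EXAMPLE-KDB-PASSWORD
uri ldaps://ldap-west.company.com:636 ldaps://ldap-east.company.com:636
EOF
chmod 600 "$sample"
lint_sudo_ldap_conf "$sample" || echo "fix the findings above, then rerun sudo -V"
rm -f "$sample"
```

Run it as root against /etc/sudo-ldap.conf after each change; a clean run (no output, exit 0) means the keywords, transport and permissions match what sudo -V should then report.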