[sudo-users] sudo-1.8.13 libibmldap.a dependency error

Harold Gutierrez harold.gc at gmail.com
Fri May 22 13:13:25 MDT 2015


Robert,
    On AIX we use the openldap client that comes with the toolbox instead of the IBM
client, and it works with no issues so far.

Regards,
Harold.

On Fri, May 22, 2015 at 12:51 PM Robert Sabo Sipos <
Robert.Sabo_Sipos at telus.com> wrote:

>
> Thanks for the quick reply. Correct, the IBM LDAP package was installed
> via installp bff format.
>
> I've rebuilt sudo as an installp-style package and now it installs
> cleanly. Thanks again.
>
> My next challenge is configuring /etc/sudo-ldap.conf correctly. In our
> LDAP implementation only encrypted traffic on port 636 is allowed (port 389
> is blocked on the firewalls) and binding to LDAP servers is through a
> specific user (proxyuser) and password. Additionally our cert kdb file is
> protected with a password as well.
>
> I created /etc/sudo-ldap.conf manually and have the following in it
> (sanitized):
>
> binddn cn=proxyuser,ou=people,ou=systems,ou=internal,o=company
> bindpwd <proxyuser cleartext password>
> tls_key </path/to/our.kdb>
> tls_keypw <cleartext password for our.kdb>
> tls_checker no
> uri ldaps://ldap-west.company.com:636 ldaps://ldap-east.company.com:636
> sudoers_base ou=SUDOers,ou=internal,o=company
> bind_timelimit 30
> timelimit 30
> sudoers_debug 2
>
> However I am getting "ldap_sasl_bind_s(): Inappropriate authentication":
>
> # sudo -V | grep ldap
> sudo: LDAP Config Summary
> sudo: ===================
> sudo: uri              ldaps://ldap-west.company.com:636 ldaps://
> ldap-east.company.com:636
> sudo: ldap_version     3
> sudo: sudoers_base     ou=SUDOers,ou=internal,o=company
> sudo: search_filter    (objectClass=sudoRole)
> sudo: netgroup_base (NONE: will use nsswitch)
> sudo: netgroup_search_filter (objectClass=nisNetgroup)
> sudo: binddn
>  cn=proxyuser,ou=people,ou=systems,ou=internal,o=company
> sudo: bindpw           (anonymous)
> sudo: bind_timelimit   30
> sudo: timelimit        30
> sudo: ssl              (no)
> sudo: tls_keyfile      /path/to/our.kdb
> sudo: ===================
> sudo: ldap_set_option: ldap_version -> 3
> sudo: ldap_set_option: timelimit -> 30
> sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 30)
> sudo: ldap_sasl_bind_s(): Inappropriate authentication
> Configure options: --prefix=/opt/freeware --mandir=/opt/freeware/man
> --with-insults=disabled --with-logging=syslog --with-logfac=auth
> --with-editor=/usr/bin/vi --with-env-editor --enable-zlib=builtin
> --disable-nls --with-sendmail=/usr/sbin/sendmail --with-aixauth
> --with-ldap=/opt/IBM/ldap/V6.3 --with-ldap-conf-file=/etc/sudo-ldap.conf
> --with-ignore-dot
> ldap.conf path: /etc/sudo-ldap.conf
> ldap.secret path: /etc/ldap.secret
>
> I notice bindpw states (anonymous) which is not what I'd expect to see, so
> I'm likely missing something in the configuration. I currently have bindpwd
> and tls_keypw in cleartext in /etc/sudo-ldap.conf, can they be specified in
> the same encrypted format as in /etc/security/ldap/ldap.cfg?
>
> Also does /etc/sudo-ldap.conf need specific file ownership and
> permissions? It is currently set to root:system with 600 permissions.
>
> -----Original Message-----
> From: Todd C. Miller [mailto:Todd.Miller at courtesan.com]
> Sent: May 22, 2015 07:16 AM
> To: Robert Sabo Sipos
> Cc: sudo-users at sudo.ws
> Subject: Re: [sudo-users] sudo-1.8.13 libibmldap.a dependency error
>
> My guess is that the IBM LDAP package was installed via installp
> and not rpm and thus rpm doesn't know that it is installed.
>
> You should be able install the rpm you build using the --nodeps
> flag.  Alternately, you could just build an installp-style package.
>
>  - todd
> ____________________________________________________________
> sudo-users mailing list <sudo-users at sudo.ws>
> For list information, options, or to unsubscribe, visit:
> http://www.sudo.ws/mailman/listinfo/sudo-users
>
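The summary printed by `sudo -V` above shows `bindpw (anonymous)` although the file sets a bind password, and `ssl (no)` although only the password-protected key database is listed; both are symptoms of a sudoers.ldap file that sudo parses without applying every line. As an added example (not code from the thread, from Todd's project or from IBM), here is a small Python linter for a sudoers.ldap-style file: it flags keywords that are not in an abbreviated list taken from sudoers.ldap(5) and suggests the nearest known one, notes a `binddn` with no `bindpw` (which leaves the bind anonymous unless `/etc/ldap.secret` supplies the password), and checks that a file holding cleartext secrets is root-owned with mode 0600. The keyword list, the `lint`/`lint_file` names and the sample configuration are this example's own assumptions; the sample is constructed to mirror the sanitized file in the thread.

```python
"""
Lint a sudoers.ldap-style file (e.g. /etc/sudo-ldap.conf) for keywords sudo
will not apply and for cleartext secrets stored with lax permissions.
Added example; not part of sudo. KNOWN_KEYWORDS is an abbreviated list of
the keywords documented in sudoers.ldap(5).
"""
import difflib
import os
import stat
from typing import List, Tuple

KNOWN_KEYWORDS = {
    "uri", "host", "port", "ssl", "tls_checkpeer", "tls_cacertfile",
    "tls_cacertdir", "tls_randfile", "tls_ciphers", "tls_cert", "tls_key",
    "tls_keypw", "binddn", "bindpw", "rootbinddn", "sudoers_base",
    "sudoers_search_filter", "sudoers_timed", "sudoers_debug",
    "bind_timelimit", "timelimit", "ldap_version", "netgroup_base",
    "netgroup_search_filter", "use_sasl", "sasl_auth_id", "krb5_ccname",
}
# Keywords whose values are secrets and therefore demand a 0600 root-owned file.
SECRET_KEYWORDS = {"bindpw", "tls_keypw"}

# Constructed sample modelled on the sanitized file posted in the thread;
# the two secret values are placeholders, not real credentials.
SAMPLE_CONF = """\
# constructed sample
binddn cn=proxyuser,ou=people,ou=systems,ou=internal,o=company
bindpwd example-bind-secret
tls_key /path/to/our.kdb
tls_keypw example-kdb-secret
tls_checker no
uri ldaps://ldap-west.company.com:636 ldaps://ldap-east.company.com:636
sudoers_base ou=SUDOers,ou=internal,o=company
bind_timelimit 30
timelimit 30
sudoers_debug 2
"""


def parse_conf(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, keyword, value) triples; blank lines and '#' comments are skipped.
    Keywords are lower-cased because sudo matches them case-insensitively."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        entries.append((n, parts[0].lower(), value))
    return entries


def lint(text: str, mode: int, uid: int) -> List[str]:
    """Return a list of findings for the config text.
    `mode` is the file's st_mode and `uid` its owning uid (passed in so the
    check can run on constructed input without touching the filesystem)."""
    findings = []
    entries = parse_conf(text)
    seen = {kw for _, kw, _ in entries}
    known = sorted(KNOWN_KEYWORDS)
    for n, kw, _ in entries:
        if kw not in KNOWN_KEYWORDS:
            # Nearest documented keyword, so a typo is easy to spot.
            hint = difflib.get_close_matches(kw, known, n=1, cutoff=0.8)
            suggestion = f" (did you mean '{hint[0]}'?)" if hint else ""
            findings.append(f"line {n}: unknown keyword '{kw}' is not applied{suggestion}")
    if "binddn" in seen and "bindpw" not in seen:
        findings.append("binddn is set but bindpw is not: the bind is anonymous "
                        "unless /etc/ldap.secret supplies the password")
    if seen & SECRET_KEYWORDS:
        perms = stat.S_IMODE(mode)
        if perms & 0o077:
            findings.append(f"file holds secrets but mode is {perms:04o}; expected 0600")
        if uid != 0:
            findings.append(f"file holds secrets but owner uid is {uid}; expected root (0)")
    return findings


def lint_file(path: str) -> List[str]:
    """Lint a real file, taking mode and owner from stat(2)."""
    st = os.stat(path)
    with open(path, encoding="utf-8") as fh:
        return lint(fh.read(), st.st_mode, st.st_uid)


if __name__ == "__main__":
    # Mode/owner constructed to match "root:system with 600 permissions".
    for finding in lint(SAMPLE_CONF, 0o100600, 0):
        print(finding)
```

Run against the constructed sample it reports the two unrecognised keywords with their closest documented spellings and the resulting anonymous bind; against a real system it is `lint_file("/etc/sudo-ldap.conf")` as root. The linter deliberately never prints secret values, only keyword names and line numbers, so its output is safe to paste into a ticket.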
