[sudo-users] sudo-1.8.13 libibmldap.a dependency error

Todd C. Miller Todd.Miller at courtesan.com
Fri May 22 14:33:36 MDT 2015


On Fri, 22 May 2015 11:07:48 -0600, Robert Sabo Sipos wrote:

> My next challenge is configuring /etc/sudo-ldap.conf correctly. In our LDAP
> implementation only encrypted traffic on port 636 is allowed (port 389 is
> blocked on the firewalls) and binding to LDAP servers is through a specific
> user (proxyuser) and password. Additionally our cert kdb file is protected
> with a password as well.
> 
> I created /etc/sudo-ldap.conf manually and have the following in it
> (sanitized):
> 
> binddn cn=proxyuser,ou=people,ou=systems,ou=internal,o=company
> bindpwd <proxyuser cleartext password>

This should be "bindpw" not "bindpwd"

> tls_key </path/to/our.kdb>
> tls_keypw <cleartext password for our.kdb>
> tls_checker no
> uri ldaps://ldap-west.company.com:636 ldaps://ldap-east.company.com:636
> sudoers_base ou=SUDOers,ou=internal,o=company
> bind_timelimit 30
> timelimit 30
> sudoers_debug 2

> However I am getting "ldap_sasl_bind_s(): Inappropriate authentication":
> 
> # sudo -V | grep ldap
> sudo: LDAP Config Summary
> sudo: ===================
> sudo: uri              ldaps://ldap-west.company.com:636 ldaps://ldap-east.company.com:636
> sudo: ldap_version     3
> sudo: sudoers_base     ou=SUDOers,ou=internal,o=company
> sudo: search_filter    (objectClass=sudoRole)
> sudo: netgroup_base (NONE: will use nsswitch)
> sudo: netgroup_search_filter (objectClass=nisNetgroup)
> sudo: binddn           cn=proxyuser,ou=people,ou=systems,ou=internal,o=company
> sudo: bindpw           (anonymous)
> sudo: bind_timelimit   30
> sudo: timelimit        30
> sudo: ssl              (no)
> sudo: tls_keyfile      /path/to/our.kdb
> sudo: ===================
> sudo: ldap_set_option: ldap_version -> 3
> sudo: ldap_set_option: timelimit -> 30
> sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 30)
> sudo: ldap_sasl_bind_s(): Inappropriate authentication
> Configure options: --prefix=/opt/freeware --mandir=/opt/freeware/man
> --with-insults=disabled --with-logging=syslog --with-logfac=auth
> --with-editor=/usr/bin/vi --with-env-editor --enable-zlib=builtin
> --disable-nls --with-sendmail=/usr/sbin/sendmail --with-aixauth
> --with-ldap=/opt/IBM/ldap/V6.3 --with-ldap-conf-file=/etc/sudo-ldap.conf
> --with-ignore-dot
> ldap.conf path: /etc/sudo-ldap.conf
> ldap.secret path: /etc/ldap.secret
> 
> I notice bindpw states (anonymous), which is not what I'd expect to
> see, so I'm likely missing something in the configuration. I currently
> have bindpwd and tls_keypw in cleartext in /etc/sudo-ldap.conf; can
> they be specified in the same encrypted format as in
> /etc/security/ldap/ldap.cfg?

Currently the only supported formats for BINDPW are plain text and
base64.  I'm not sure how the ldap.cfg bindpwd encryption works on
AIX and whether or not sudo would have to decrypt it or if the LDAP
libraries would do it for us.

> Also does /etc/sudo-ldap.conf need specific file ownership and permissions?
> It is currently set to root:system with 600 permissions.

That should be fine.

 - todd
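
An added example, not part of this thread and not code from the sudo project: a small Python linter for a sudo-ldap.conf that catches the two problems visible in the exchange above (a misspelled keyword such as bindpwd, and the anonymous bind that results when binddn is set but no bindpw is recognised), checks that every uri is ldaps://, checks file mode and ownership, and produces the "base64:" form of bindpw that sudoers.ldap(5) documents. The keyword set is a subset written from memory of sudoers.ldap(5) and is an assumption to extend for your build; the sample configuration is constructed, with placeholders in place of real secrets.

```python
"""Lint a sudo-ldap.conf before sudo reads it: misspelled keywords,
missing or cleartext bindpw, non-TLS URIs, and loose file permissions."""
import base64
import difflib
import os
import stat
from typing import List, Tuple

# Assumed subset of the keywords listed in sudoers.ldap(5); extend as needed.
KNOWN_KEYS = {
    "uri", "host", "port", "binddn", "bindpw", "rootbinddn", "ssl",
    "tls_checkpeer", "tls_cacertfile", "tls_cacertdir", "tls_cert",
    "tls_key", "tls_keypw", "tls_randfile", "tls_cipher_suite",
    "sudoers_base", "sudoers_search_filter", "sudoers_debug",
    "sudoers_timed", "netgroup_base", "netgroup_search_filter",
    "bind_timelimit", "timelimit", "timeout", "ldap_version",
    "use_sasl", "sasl_auth_id", "sasl_secprops", "krb5_ccname", "deref",
}

# Constructed sample mirroring the thread; secrets replaced by placeholders.
SAMPLE_CONF = """\
binddn cn=proxyuser,ou=people,ou=systems,ou=internal,o=company
bindpwd proxy-secret-placeholder
tls_key /path/to/our.kdb
tls_keypw kdb-secret-placeholder
tls_checker no
uri ldaps://ldap-west.company.com:636 ldaps://ldap-east.company.com:636
sudoers_base ou=SUDOers,ou=internal,o=company
bind_timelimit 30
timelimit 30
sudoers_debug 2
"""


def parse_conf(text: str) -> List[Tuple[str, str]]:
    """Return (keyword, value) pairs; keywords are case-insensitive in sudo."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        entries.append((key, value))
    return entries


def encode_bindpw(secret: str) -> str:
    """The base64: form from sudoers.ldap(5); it obscures, it does not encrypt."""
    return "base64:" + base64.b64encode(secret.encode()).decode()


def lint_entries(entries: List[Tuple[str, str]]) -> List[str]:
    """Report unknown keywords (with a spelling hint), cleartext bindpw,
    non-ldaps URIs, and a binddn that will silently fall back to anonymous."""
    findings = []
    keys = {k for k, _ in entries}
    for key, value in entries:
        if key not in KNOWN_KEYS:
            hint = difflib.get_close_matches(key, KNOWN_KEYS, n=1, cutoff=0.8)
            msg = f"unknown keyword '{key}'"
            if hint:
                msg += f" (did you mean '{hint[0]}'?)"
            findings.append(msg)
        elif key == "bindpw" and not value.lower().startswith("base64:"):
            findings.append("bindpw is cleartext; consider the base64: form")
        elif key == "uri":
            for u in value.split():
                if not u.lower().startswith("ldaps://"):
                    findings.append(f"uri {u} is not ldaps://")
    if "binddn" in keys and "bindpw" not in keys:
        findings.append("binddn set without bindpw: sudo will bind anonymously")
    return findings


def lint_text(text: str) -> List[str]:
    return lint_entries(parse_conf(text))


def check_mode(mode: int, uid: int) -> List[str]:
    """Permission findings from a stat mode and owner uid (root:0600 expected)."""
    findings = []
    if mode & 0o077:
        findings.append(f"mode {stat.S_IMODE(mode):04o} is group/other accessible; use 0600")
    if uid != 0:
        findings.append("file should be owned by root")
    return findings


def check_file(path: str) -> List[str]:
    st = os.stat(path)
    return check_mode(stat.S_IMODE(st.st_mode), st.st_uid)


if __name__ == "__main__":
    for finding in lint_text(SAMPLE_CONF):
        print("finding:", finding)
    print("bindpw", encode_bindpw("proxy-secret-placeholder"))
```

On the sample above the linter reports the misspelled bindpwd with a hint, the unknown tls_checker keyword, and the anonymous bind, which is exactly what the "bindpw (anonymous)" line in the sudo -V output was signalling. Run check_file() on the real /etc/sudo-ldap.conf as well: base64 only keeps the password out of casual view, so the root-owned 0600 file is what actually protects the bind credentials.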

