[sudo-users] sudo-1.8.13 libibmldap.a dependency error

Robert Sabo Sipos Robert.Sabo_Sipos at telus.com
Fri May 22 14:38:27 MDT 2015


Thanks Harold, unfortunately openldap client on AIX is not an option for us. Short story, the design of the solution stipulates the use of native LDAP clients for each O/S involved - for example RHEL is using SSSD, Solaris its native client, and on AIX it means IBM/Tivoli client. The server side is actually a SUN/Oracle product (again something that can't be influenced/changed).

BTW, AIX Toolbox for Linux is not without its issues, not the least that it is provided on an as-is basis (very different from official IBM support like the rest of AIX). Secondly, versions of packages there appear frozen in time, and with very rare exceptions (like in the case of the Bash Shellshock vulnerability) IBM has been very reluctant to release updated packages. And even in the case of those rare exceptions AIX Toolbox appears to receive patches way after all other vendors already had them available for a while, which unfortunately could mean an extended period of exposure to security issues.

But I digress - IBM LDAP client also works just fine for everything else we need in our environment, sudo is just the last piece in the puzzle. That said, it would appear other people have successfully used sudo with IBM LDAP libraries, so it is quite likely that my issue with sudo integration may be down to a (simple?) configuration issue.

Robert


From: Harold Gutierrez [mailto:harold.gc at gmail.com]
Sent: May 22, 2015 12:13 PM
To: Robert Sabo Sipos; Todd C. Miller
Cc: sudo-users at sudo.ws
Subject: Re: [sudo-users] sudo-1.8.13 libibmldap.a dependency error

Robert,
    On AIX we use the openldap client that comes with the toolbox instead of the IBM client, and it works with no issues so far.

Regards,
Harold.

On Fri, May 22, 2015 at 12:51 PM Robert Sabo Sipos <Robert.Sabo_Sipos at telus.com> wrote:

Thanks for the quick reply. Correct, the IBM LDAP package was installed via installp bff format.

I've rebuilt sudo as an installp-style package and now it installs cleanly. Thanks again.

My next challenge is configuring /etc/sudo-ldap.conf correctly. In our LDAP implementation only encrypted traffic on port 636 is allowed (port 389 is blocked on the firewalls) and binding to LDAP servers is through a specific user (proxyuser) and password. Additionally our cert kdb file is protected with a password as well.

I created /etc/sudo-ldap.conf manually and have the following in it (sanitized):

binddn cn=proxyuser,ou=people,ou=systems,ou=internal,o=company
bindpwd <proxyuser cleartext password>
tls_key </path/to/our.kdb>
tls_keypw <cleartext password for our.kdb>
tls_checker no
uri ldaps://ldap-west.company.com:636 ldaps://ldap-east.company.com:636
sudoers_base ou=SUDOers,ou=internal,o=company
bind_timelimit 30
timelimit 30
sudoers_debug 2

However I am getting "ldap_sasl_bind_s(): Inappropriate authentication":

# sudo -V | grep ldap
sudo: LDAP Config Summary
sudo: ===================
sudo: uri              ldaps://ldap-west.company.com:636 ldaps://ldap-east.company.com:636
sudo: ldap_version     3
sudo: sudoers_base     ou=SUDOers,ou=internal,o=company
sudo: search_filter    (objectClass=sudoRole)
sudo: netgroup_base (NONE: will use nsswitch)
sudo: netgroup_search_filter (objectClass=nisNetgroup)
sudo: binddn           cn=proxyuser,ou=people,ou=systems,ou=internal,o=company
sudo: bindpw           (anonymous)
sudo: bind_timelimit   30
sudo: timelimit        30
sudo: ssl              (no)
sudo: tls_keyfile      /path/to/our.kdb
sudo: ===================
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_set_option: timelimit -> 30
sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 30)
sudo: ldap_sasl_bind_s(): Inappropriate authentication
Configure options: --prefix=/opt/freeware --mandir=/opt/freeware/man --with-insults=disabled --with-logging=syslog --with-logfac=auth --with-editor=/usr/bin/vi --with-env-editor --enable-zlib=builtin --disable-nls --with-sendmail=/usr/sbin/sendmail --with-aixauth --with-ldap=/opt/IBM/ldap/V6.3 --with-ldap-conf-file=/etc/sudo-ldap.conf --with-ignore-dot
ldap.conf path: /etc/sudo-ldap.conf
ldap.secret path: /etc/ldap.secret

I notice bindpw states (anonymous) which is not what I'd expect to see, so I'm likely missing something in the configuration. I currently have bindpwd and tls_keypw in cleartext in /etc/sudo-ldap.conf, can they be specified in the same encrypted format as in /etc/security/ldap/ldap.cfg?

Also does /etc/sudo-ldap.conf need specific file ownership and permissions? It is currently set to root:system with 600 permissions.
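The `sudo -V` summary above prints the bind password under the directive name `bindpw`, and sudo silently drops any ldap.conf directive it does not recognise rather than erroring on it. The following linter is an added example written for this thread, not code from the sudo project: it parses a sudo-style ldap.conf the same way (unknown keys are discarded), reports each unknown key with the closest documented spelling, flags a `binddn` that will end up binding anonymously, and checks that a file carrying a bind password is root-owned and mode 0600. `KNOWN_KEYS` is an assumed subset of the directives in the sudoers.ldap(5) manual, and `SAMPLE_CONF` is the sanitized config from the message with placeholder secrets.

```python
"""Lint a sudo ldap.conf the way sudo itself reads it.

Added example for this thread, not code from the sudo project.  sudo drops
directives it does not recognise, so a misspelled keyword never produces an
error; it just leaves that option at its default.  This script reproduces
that behaviour and reports the consequences.  KNOWN_KEYS is an assumed
subset of the directives documented in sudoers.ldap(5); SAMPLE_CONF is the
sanitized config from the thread with placeholder secrets.
"""
import difflib
import os
import stat

# Assumed subset of sudoers.ldap(5) directives (lower-case, as sudo compares them).
KNOWN_KEYS = {
    "uri", "host", "port", "ldap_version", "sudoers_base", "sudoers_debug",
    "sudoers_search_filter", "netgroup_base", "netgroup_search_filter",
    "binddn", "bindpw", "rootbinddn", "bind_timelimit", "timelimit",
    "ssl", "tls_checkpeer", "tls_cacertfile", "tls_cacertdir",
    "tls_cert", "tls_key", "tls_keypw", "tls_ciphers", "tls_randfile",
    "use_sasl", "sasl_auth_id", "rootuse_sasl", "sasl_secprops", "krb5_ccname",
}
SSL_ON = {"on", "true", "yes", "start_tls"}

# Constructed input: the sanitized /etc/sudo-ldap.conf from the thread.
SAMPLE_CONF = """\
binddn cn=proxyuser,ou=people,ou=systems,ou=internal,o=company
bindpwd secret-goes-here
tls_key /path/to/our.kdb
tls_keypw kdb-password-here
tls_checker no
uri ldaps://ldap-west.company.com:636 ldaps://ldap-east.company.com:636
sudoers_base ou=SUDOers,ou=internal,o=company
bind_timelimit 30
timelimit 30
sudoers_debug 2
"""


def parse_conf(text):
    """Return ({key: value}, [unknown keys]); unknown keys are dropped like sudo does."""
    conf, unknown = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key in KNOWN_KEYS:
            conf[key] = value
        else:
            unknown.append(key)
    return conf, unknown


def suggest(key):
    """Closest documented directive for a misspelled key, or None."""
    match = difflib.get_close_matches(key, KNOWN_KEYS, n=1, cutoff=0.6)
    return match[0] if match else None


def lint(text):
    """Findings a reviewer would raise about the config, as a list of strings."""
    conf, unknown = parse_conf(text)
    findings = []
    for key in unknown:
        hint = suggest(key)
        findings.append(f"unknown directive '{key}' ignored"
                        + (f" (did you mean '{hint}'?)" if hint else ""))
    if "binddn" in conf and not conf.get("bindpw") and not conf.get("rootbinddn"):
        # A DN with no password is an unauthenticated simple bind; this is
        # what the 'sudo -V' summary shows as 'bindpw (anonymous)'.
        findings.append("binddn set but no bindpw: bind will be anonymous")
    for u in conf.get("uri", "").split():
        if u.startswith("ldap://") and conf.get("ssl", "").lower() not in SSL_ON:
            findings.append(f"cleartext uri {u} without ssl start_tls")
    return findings


def perm_findings(path, uid, mode):
    """The file holds a bind password: require root ownership and no group/other bits."""
    findings = []
    if uid != 0:
        findings.append(f"{path} is not owned by root")
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"{path} is group/world accessible (mode {oct(mode & 0o777)})")
    return findings


def check_perms(path):
    """Stat a real file and apply perm_findings to it."""
    st = os.stat(path)
    return perm_findings(path, st.st_uid, st.st_mode)


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONF):
        print("WARN:", finding)
```

Run against the sample, the linter reports the two unrecognised directives with their documented spellings and the resulting anonymous bind; feeding it a file path via `check_perms` adds ownership and mode findings. It only reads the file the way sudo does and does not attempt any encrypted-password format.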

-----Original Message-----
From: Todd C. Miller [mailto:Todd.Miller at courtesan.com]
Sent: May 22, 2015 07:16 AM
To: Robert Sabo Sipos
Cc: sudo-users at sudo.ws
Subject: Re: [sudo-users] sudo-1.8.13 libibmldap.a dependency error

My guess is that the IBM LDAP package was installed via installp
and not rpm and thus rpm doesn't know that it is installed.

You should be able to install the rpm you build using the --nodeps
flag.  Alternately, you could just build an installp-style package.

 - todd
____________________________________________________________
sudo-users mailing list <sudo-users at sudo.ws>
For list information, options, or to unsubscribe, visit:
http://www.sudo.ws/mailman/listinfo/sudo-users
