[sudo-users] sudo-1.8.13 libibmldap.a dependency error

Robert Sabo Sipos Robert.Sabo_Sipos at telus.com
Fri May 22 15:14:07 MDT 2015

That was it! Thanks for catching the typo in the bindpw statement - next time I'll make sure to have my morning coffee *before* posting :) Turns out AIX likes bindpwd in ldap.cfg, while /etc/sudo-ldap.conf needs bindpw.

As for encryption, it appears the AIX ldap.cfg bindpwd encryption (as well as ldapsslkeypwd for that matter) defaults to crypt (DESv2), although parameter pwdalgorithm can be set to "system", in which case it could use a different, system-wide password algorithm defined in login.cfg (for example SHA-512). That said, it does not appear that the LDAP libraries decrypt this for sudo automagically - now that I have it working with a plain text password I tried copying the DES2 encrypted one from ldap.cfg to /etc/sudo-ldap.conf and got "ldap_sasl_bind_s(): Invalid credentials".

But with owner being root and permissions being 600 this should be good enough for my needs.

Thanks again for all the help Todd, much appreciated!


-----Original Message-----
From: Todd C. Miller [mailto:Todd.Miller at courtesan.com] 
Sent: May 22, 2015 01:34 PM
To: Robert Sabo Sipos
Cc: sudo-users at sudo.ws
Subject: Re: [sudo-users] sudo-1.8.13 libibmldap.a dependency error

On Fri, 22 May 2015 11:07:48 -0600, Robert Sabo Sipos wrote:

> My next challenge is configuring /etc/sudo-ldap.conf correctly. In our LDAP
> implementation only encrypted traffic on port 636 is allowed (port 389 is
> blocked on the firewalls) and binding to LDAP servers is through a specific
> user (proxyuser) and password. Additionally our cert kdb file is protected
> with a password as well.
> I created /etc/sudo-ldap.conf manually and have the following in it
> (sanitized):
> binddn cn=proxyuser,ou=people,ou=systems,ou=internal,o=company
> bindpwd <proxyuser cleartext password>

This should be "bindpw" not "bindpwd"

> tls_key </path/to/our.kdb>
> tls_keypw <cleartext password for our.kdb>
> tls_checker no
> uri ldaps://ldap-west.company.com:636 ldaps://ldap-east.company.com:636
> sudoers_base ou=SUDOers,ou=internal,o=company
> bind_timelimit 30
> timelimit 30
> sudoers_debug 2

> However I am getting "ldap_sasl_bind_s(): Inappropriate authentication":
> # sudo -V | grep ldap
> sudo: LDAP Config Summary
> sudo: ===================
> sudo: uri              ldaps://ldap-west.company.com:636 ldaps://ldap-east.company.com:636
> sudo: ldap_version     3
> sudo: sudoers_base     ou=SUDOers,ou=internal,o=company
> sudo: search_filter    (objectClass=sudoRole)
> sudo: netgroup_base (NONE: will use nsswitch)
> sudo: netgroup_search_filter (objectClass=nisNetgroup)
> sudo: binddn           cn=proxyuser,ou=people,ou=systems,ou=internal,o=company
> sudo: bindpw           (anonymous)
> sudo: bind_timelimit   30
> sudo: timelimit        30
> sudo: ssl              (no)
> sudo: tls_keyfile      /path/to/our.kdb
> sudo: ===================
> sudo: ldap_set_option: ldap_version -> 3
> sudo: ldap_set_option: timelimit -> 30
> sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 30)
> sudo: ldap_sasl_bind_s(): Inappropriate authentication
> Configure options: --prefix=/opt/freeware --mandir=/opt/freeware/man
> --with-insults=disabled --with-logging=syslog --with-logfac=auth
> --with-editor=/usr/bin/vi --with-env-editor --enable-zlib=builtin
> --disable-nls --with-sendmail=/usr/sbin/sendmail --with-aixauth
> --with-ldap=/opt/IBM/ldap/V6.3 --with-ldap-conf-file=/etc/sudo-ldap.conf
> --with-ignore-dot
> ldap.conf path: /etc/sudo-ldap.conf
> ldap.secret path: /etc/ldap.secret
> I notice bindpw states (anonymous) which is not what I'd expect to
> see, so I'm likely missing something in the configuration. I currently
> have bindpwd and tls_keypw in cleartext in /etc/sudo-ldap.conf, can
> they be specified in the same encrypted format as in
> /etc/security/ldap/ldap.cfg?

Currently the only supported format for BINDPW are plain text and
base64.  I'm not sure how the ldap.cfg bindpwd encryption works on
AIX and whether or not sudo would have to decrypt it or if the LDAP
libraries would do it for us.

> Also does /etc/sudo-ldap.conf need specific file ownership and permissions?
> It is currently set to root:system with 600 permissions.

That should be fine.

 - todd
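As an added example, not part of the thread and not sudo's own code, here is a small POSIX shell linter for the three things that went wrong or were asked about above: the ldap.cfg-style "bindpwd" key that sudo silently ignores (hence "bindpw (anonymous)" in the config summary), the two bindpw formats Todd names (plain text, and the "base64:" prefix form assumed here from sudoers.ldap(5)), and the root-owned 0600 file. The sample /etc/sudo-ldap.conf content is constructed; the `ls -ld` field positions and the `base64`/`openssl` decoders are assumed to be the common ones and may need adjusting on AIX.

```shell
#!/bin/sh
# Lint a sudo-ldap.conf for the mistakes discussed in the thread.
# Added example; assumes POSIX sh, ls -ld with owner in field 3,
# and either base64(1) or openssl(1) for decoding.

# Decode base64 from stdin with whichever tool is present (assumption: one is).
decode_b64() {
    if command -v base64 >/dev/null 2>&1; then base64 -d; else openssl base64 -d; fi
}

# Encode a password for the "bindpw base64:..." form; prints the full config line.
bindpw_line_b64() {
    enc=$(printf '%s' "$1" | { command -v base64 >/dev/null 2>&1 && base64 || openssl base64; } | tr -d '\n')
    printf 'bindpw base64:%s\n' "$enc"
}

# 0 = correct "bindpw" key present; 1 = ldap.cfg-style "bindpwd" found (sudo
# ignores it and binds anonymously); 2 = no bind password at all.
check_bind_keys() {
    f=$1
    if grep -Eiq '^[[:space:]]*bindpwd[[:space:]]' "$f"; then
        echo "ERROR: $f uses 'bindpwd' (AIX ldap.cfg syntax); sudo wants 'bindpw'" >&2
        return 1
    fi
    if ! grep -Eiq '^[[:space:]]*bindpw[[:space:]]' "$f"; then
        echo "WARN: no bindpw in $f; sudo will bind anonymously" >&2
        return 2
    fi
    return 0
}

# Print the password sudo would actually send: decode the base64: form,
# pass plain text through unchanged (the only two formats sudo supports).
effective_bindpw() {
    v=$(awk 'tolower($1)=="bindpw" {print $2; exit}' "$1")
    case "$v" in
        base64:*) printf '%s' "${v#base64:}" | decode_b64 ;;
        *)        printf '%s' "$v" ;;
    esac
}

# 0 if the file is owned by $2 (default root) and mode is exactly rw-------.
# A trailing '.' or '+' from ACL/SELinux flags on the mode string is tolerated.
check_perms() {
    f=$1; want_owner=${2:-root}
    set -- $(ls -ld "$f")
    mode=$1; owner=$3
    [ "$owner" = "$want_owner" ] || { echo "ERROR: $f owned by $owner, want $want_owner" >&2; return 1; }
    case "$mode" in
        -rw-------*) return 0 ;;
        *) echo "ERROR: $f mode is $mode, want -rw------- (0600)" >&2; return 1 ;;
    esac
}

# Demo on a constructed config reproducing the original post's typo.
demo_lint() {
    tmp=$(mktemp) || return 1
    printf '%s\n' \
        'binddn cn=proxyuser,ou=people,ou=systems,ou=internal,o=company' \
        'bindpwd <proxyuser cleartext password>' \
        'uri ldaps://ldap-west.company.com:636' > "$tmp"
    chmod 600 "$tmp"
    if check_bind_keys "$tmp"; then echo "bind keys OK"; else echo "bind keys BAD (rc=$?)"; fi
    # Fix it the way the thread did, but in base64 form instead of clear text.
    sed '/^bindpwd/d' "$tmp" > "$tmp.new" && bindpw_line_b64 'secret' >> "$tmp.new" && mv "$tmp.new" "$tmp"
    chmod 600 "$tmp"
    if check_bind_keys "$tmp"; then echo "bind keys OK; sudo will bind with: $(effective_bindpw "$tmp")"; fi
    if check_perms "$tmp" "$(id -un)"; then echo "perms OK"; fi
    rm -f "$tmp"
}
demo_lint
```

The owner argument to check_perms exists only so the demo can run unprivileged; on the real file you would call it with no second argument and expect root. Note that base64 is an encoding, not encryption: it keeps the password out of casual view in the file but the 0600 root-only mode is what actually protects it, which is the same conclusion the thread reaches.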
