[sudo-users] LDAP and TLS certificates
David Magda
dmagda at ee.ryerson.ca
Wed Sep 26 06:57:20 MDT 2018
On Wed, September 26, 2018 08:38, Todd C. Miller wrote:
> On Tue, 25 Sep 2018 11:15:06 -0400, "David Magda" wrote:
>
>> On my Debian 8 ("jessie") system, I had the following in
>> /etc/sudo-ldap.conf (which is a link to /etc/ldap/ldap.conf):
>>
>> TLS_CACERT /etc/ssl/certs/ca-certificates.crt
>> TLS_REQCERT never
>> URI ldap://some.IP/
>>
>> I then changed the "ldap://" to "ldaps://" and got the following output
>> (debug level 2):
>>
>> sudo: ldap_sasl_bind_s(): Can't contact LDAP server
>
> ldaps:// will connect to port 636 which your ldap server may not
> be configured to use.
Yup, obvious difference, but I checked that with s_client(1) to make sure.
[...]
> The sudo ldap.conf settings are similar to those used by nss_ldap
> and pam_ldap. Unfortunately, different LDAP libraries use different
> configuration setting names so these don't always match.
I've noticed that. Things have probably "grown" over time as opposed to
been "designed" from the start, so I'm sure only the surface has been
scratched regarding inconsistencies between programs. :)
> Yes, sudo should be able to support that. I'll add it to the list
> for 1.8.27.
Cool. Won't help with current packages, but hopefully going forward it
will make things easier and less confusing.
Thanks for the quick response.
Regards,
David
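As an added example (not part of the thread or of sudo itself), a small audit script that parses an ldap.conf of the kind quoted above and flags the settings the discussion touches on: TLS_REQCERT never, which turns off server certificate verification even over ldaps://, and the scheme-to-port mapping (ldaps:// goes to 636 by default) behind the "Can't contact LDAP server" error. The sample config is constructed from the quoted lines with a placeholder host; the option semantics follow OpenLDAP's ldap.conf.

```python
"""Audit an ldap.conf as read by sudo-ldap for weak TLS settings (added example)."""
from urllib.parse import urlsplit

# Constructed sample: the three lines quoted in the thread, host replaced by a placeholder.
SAMPLE_CONF = """\
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
TLS_REQCERT never
URI ldaps://ldap.example.invalid/
"""

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def parse_ldap_conf(text):
    """Map each option (upper-cased; ldap.conf keys are case-insensitive) to its values."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        opts.setdefault(parts[0].upper(), []).append(value)
    return opts


def endpoint(uri):
    """Host and port the client will contact; ldaps:// defaults to 636, ldap:// to 389."""
    parts = urlsplit(uri)
    return parts.hostname, parts.port or DEFAULT_PORTS.get(parts.scheme)


def audit(opts):
    """Return a list of findings for a parsed ldap.conf."""
    findings = []
    # OpenLDAP's default when TLS_REQCERT is absent is 'demand' (a valid cert is required).
    reqcert = opts.get("TLS_REQCERT", ["demand"])[-1].lower()
    uris = [u for value in opts.get("URI", []) for u in value.split()]
    if reqcert in ("never", "allow"):
        # 'never' skips the server certificate check; 'allow' proceeds on a bad or missing cert.
        findings.append(f"TLS_REQCERT {reqcert}: server certificate is not verified")
    for uri in uris:
        host, port = endpoint(uri)
        if urlsplit(uri).scheme == "ldap":
            findings.append(f"{uri}: cleartext LDAP to {host}:{port} unless STARTTLS is used")
    if any(urlsplit(u).scheme == "ldaps" for u in uris) and not (
            opts.get("TLS_CACERT") or opts.get("TLS_CACERTDIR")):
        findings.append("ldaps:// configured but no TLS_CACERT or TLS_CACERTDIR given")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_ldap_conf(SAMPLE_CONF)):
        print("WARN:", finding)
```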