[sudo-users] LDAP and TLS certificates

Daniele Palumbo daniele at retaggio.net
Thu Sep 27 15:47:30 MDT 2018


David,

Any particular reason for which you would not use sssd?

My 2 cents,
Daniele

On 26 September 2018 14:57:20 CEST, David Magda <dmagda at ee.ryerson.ca> wrote:
>On Wed, September 26, 2018 08:38, Todd C. Miller wrote:
>> On Tue, 25 Sep 2018 11:15:06 -0400, "David Magda" wrote:
>>
>>> On my Debian 8 ("jessie") system, I had the following in
>>> /etc/sudo-ldap.conf (which is a link to /etc/ldap/ldap.conf):
>>>
>>> 	TLS_CACERT	/etc/ssl/certs/ca-certificates.crt
>>> 	TLS_REQCERT	never
>>> 	URI		ldap://some.IP/
>>>
>>> I then changed the "ldap://" to "ldaps://" and got the following output
>>> (debug level 2):
>>>
>>> 	sudo: ldap_sasl_bind_s(): Can't contact LDAP server
>>
>> ldaps:// will connect to port 636 which your ldap server may not
>> be configured to use.
>
>Yup, obvious difference, but I checked that with s_client(1) to make
>sure.
>
>[...]
>
>> The sudo ldap.conf settings are similar to those used by nss_ldap
>> and pam_ldap.  Unfortunately, different LDAP libraries use different
>> configuration setting names so these don't always match.
>
>I've noticed that. Things have probably "grown" over time as opposed to
>been "designed" from the start, so I'm sure only the surface has been
>scratched regarding inconsistencies between programs. :)
>
>> Yes, sudo should be able to support that.  I'll add it to the list
>> for 1.8.27.
>
>Cool. Won't help with current packages, but hopefully going forward it
>will make things easier and less confusing.
>
>Thanks for the quick response.
>
>Regards,
>David
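
An added example, not part of the thread or of the sudo project: a small POSIX sh audit of a sudo-ldap.conf / ldap.conf fragment that flags the two settings discussed above, `TLS_REQCERT never` (the server certificate is never verified, per ldap.conf(5)) and a plain `ldap://` URI with no `ssl start_tls` (the sudoers.ldap keyword for STARTTLS). Both sample configs are constructed; `ldap.example.com` is a placeholder.

```shell
#!/bin/sh
# Audit an ldap.conf-style fragment for unverified or plaintext LDAP.
# Keyword meanings follow ldap.conf(5) (TLS_REQCERT, URI) and
# sudoers.ldap(5) ("ssl start_tls"); this is an added illustration,
# not code from sudo.

# Constructed sample: the weak config quoted in the thread.
WEAK_CONF='TLS_CACERT  /etc/ssl/certs/ca-certificates.crt
TLS_REQCERT never
URI         ldap://some.IP/'

# Constructed hardened counterpart: verify the chain, TLS on port 636.
HARD_CONF='TLS_CACERT  /etc/ssl/certs/ca-certificates.crt
TLS_REQCERT demand
URI         ldaps://ldap.example.com:636/'

# audit_conf CONF: prints one line per weak setting; returns 0 if none.
audit_conf() {
    conf="$1"
    rc=0
    reqcert=$(printf '%s\n' "$conf" | awk 'toupper($1)=="TLS_REQCERT"{print tolower($2)}')
    uri=$(printf '%s\n' "$conf" | awk 'toupper($1)=="URI"{print $2}')
    ssl=$(printf '%s\n' "$conf" | awk 'toupper($1)=="SSL"{print tolower($2)}')

    case "$reqcert" in
        demand|hard) ;;   # chain is verified against TLS_CACERT
        *) echo "weak: TLS_REQCERT=${reqcert:-unset} (server cert not verified; use demand)"
           rc=1 ;;
    esac

    case "$uri" in
        ldaps://*) ;;     # TLS from the first byte (port 636 by default)
        ldap://*)
            # plaintext port 389 is acceptable only if STARTTLS is forced
            if [ "$ssl" != "start_tls" ]; then
                echo "weak: $uri without 'ssl start_tls' (credentials/sudoers sent in clear)"
                rc=1
            fi ;;
        *) echo "weak: missing or unrecognised URI '${uri:-unset}'"; rc=1 ;;
    esac
    return $rc
}

echo "== weak config =="; audit_conf "$WEAK_CONF" || true
echo "== hardened config =="; audit_conf "$HARD_CONF" && echo "no findings"
```

Before switching the URI to `ldaps://`, confirm the server actually listens on 636 (as done with s_client above), otherwise sudo's "Can't contact LDAP server" is a closed port, not a certificate problem.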

