
Bug 106098

Summary: app-admin/sudo-1.6.8p9 only talks to ldap port 389 without SSL
Product: Gentoo Linux
Reporter: khb354102
Component: Current packages
Assignee: Andrea Barisani (RETIRED) <lcars>
Status: RESOLVED INVALID
Severity: normal
CC: lu_zero, taviso
Priority: High
Version: unspecified
Hardware: x86
OS: Linux

Description khb354102 2005-09-15 13:09:24 UTC
LDAP-enabled sudo only seems to know how to contact the LDAP server when using
ldap://host. I cannot use ldaps://host (for secure communications), or, use
ldap://host and add "ssl start_tls" to /etc/ldap.conf.

In both cases, sudo fails to connect to the ldap server.

Scenario 1:

  ldaps://<server> in /etc/ldap.conf:

$ sudo /bin/bash
LDAP Config Summary
===================
uri          ldaps://<server>/
ldap_version 3
sudoers_base ou=sudoers,dc=example,dc=org
binddn       (anonymous)
bindpw       (anonymous)
ssl          (no)
===================
ldap_initialize(ld,ldaps://<server>/)
ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,0x03)
ldap_simple_bind_s()=-1 : Can't contact LDAP server

Scenario 2:
ldap://<server> and start_tls

$ sudo /bin/bash
LDAP Config Summary
===================
uri          ldap://<server>/
ldap_version 3
sudoers_base ou=sudoers,dc=example,dc=org
binddn       (anonymous)
bindpw       (anonymous)
ssl          start_tls
===================
ldap_initialize(ld,ldap://<server>/)
ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,0x03)
ldap_start_tls_s(): -11: Connect error

Scenario 3:
ldap://server and no start_tls

WORKS!

Reproducible: Always
Steps to Reproduce:
(See Details above)
Actual Results:  
(See Details)

Expected Results:  
Should have connected successfully to the LDAP server.

Portage 2.0.51.22-r2 (default-linux/x86/2005.0, gcc-3.3.6, glibc-2.3.5-r1,
2.6.11-gentoo-r11 i686)
=================================================================
System uname: 2.6.11-gentoo-r11 i686 Intel(R) Pentium(R) 4 CPU 2.26GHz
Gentoo Base System version 1.6.13
distcc 2.18.3 i686-pc-linux-gnu (protocols 1 and 2) (default port 3632) [enabled]
dev-lang/python:     2.3.5-r2
sys-apps/sandbox:    1.2.10
sys-devel/autoconf:  2.13, 2.59-r6
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6
sys-devel/binutils:  2.15.92.0.2-r10
sys-devel/libtool:   1.5.18-r1
virtual/os-headers:  2.6.11-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-march=pentium4 -O3 -pipe -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config
/usr/lib/X11/xkb /usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-march=pentium4 -O3 -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig distcc distlocks sandbox sfperms strict"
GENTOO_MIRRORS="ftp://gentoo.mirrors.pair.com/"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
USE="x86 alsa apache2 apm avi berkdb bitmap-fonts cdr crypt cups dvd eds emboss
encode foomaticdb fortran freetds gdbm gif gpm gstreamer imap imlib ipv6 java
jpeg ldap libg++ libwww mad mikmod motif mp3 mpeg mysql ncurses nls ogg
oggvorbis opengl oss pam pdflib perl png python quicktime readline samba scanner
sdl slang spell ssl tcpd tiff truetype truetype-fonts type1-fonts vorbis xml
xml2 xmms xv zlib userland_GNU kernel_linux elibc_glibc"
Unset:  ASFLAGS, CTARGET, LANG, LC_ALL, LDFLAGS, LINGUAS, PORTDIR_OVERLAY
Comment 1 khb354102 2005-09-15 13:10:54 UTC
Forgot to mention version of sudo.

It's 1.6.8p9.
Comment 2 Andrea Barisani (RETIRED) gentoo-dev 2005-09-16 00:50:25 UTC
Works fine here with the following conf:

uri   ldap://ldap.example.com
ssl   start_tls

(plus tls_* cert definition)

You are getting this error: ldap_start_tls_s(): -11: Connect error

So TLS is being attempted; I think it's not a problem with sudo but rather with
your LDAP setup. Are you using the proper certs/server-side settings?

Can you do an ldapsearch with TLS without problems?
See if it changes with sudo-1.6.8_p9-r2.

Closing as INVALID for now, but I'm waiting for further comments from you.
Comment 3 khb354102 2005-09-16 06:04:30 UTC
I can do an ldapsearch just fine with 

ldap://<server>
ssl start_tls

(in /etc/ldap.conf)

Should I use TLS_REQCERT never?
Comment 4 Andrea Barisani (RETIRED) gentoo-dev 2005-09-16 06:08:40 UTC
ldapsearch doesn't use /etc/ldap.conf; it uses /etc/openldap/ldap.conf, so that's
not a reliable test.

You should replicate the same settings in /etc/ldap.conf for libldap and then do
an ldapsearch forcing TLS. Also, I don't know if you are demanding TLS server-side
(which is a good thing).

man ldap.conf will show libldap ldap.conf settings; remember that cert and key
must be specified in .ldaprc and cannot be set globally in /etc/openldap/ldap.conf.

This is definitely not a sudo issue IMHO. Please mail me directly and send me
both your ldap.conf (and ldap.conf.sudo); I might be able to help you debug
your LDAP problems.

Bye
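To check the point Comment 4 makes (sudo reads /etc/ldap.conf while ldapsearch reads /etc/openldap/ldap.conf, so a working ldapsearch proves nothing about sudo's TLS settings), here is an added Python example that is not part of the bug report, sudo or OpenLDAP. It parses both files, classifies each as ldaps, start_tls or plaintext, flags TLS_REQCERT never as disabling certificate verification, and lists the TLS keys on which the two files differ; the sample configs and the ldap.example.org host are constructed.

```python
"""Audit the TLS settings sudo and the OpenLDAP tools would each use.
Added example, not code from the report, sudo or OpenLDAP; it assumes the plain
"key value" syntax shown in the report and uses the constructed samples below."""
from urllib.parse import urlsplit

# Keys that decide whether the sudoers lookup is protected in transit.
TLS_KEYS = ("uri", "ssl", "tls_reqcert", "tls_cacert", "tls_cacertdir", "tls_cert", "tls_key")
# Constructed sample standing in for /etc/ldap.conf (scenario 2 of the report).
SUDO_LDAP_CONF = """
uri ldap://ldap.example.org/
ssl start_tls
"""
# Constructed sample standing in for /etc/openldap/ldap.conf (what ldapsearch reads).
TOOLS_LDAP_CONF = """
URI ldap://ldap.example.org/   # keys are case-insensitive
TLS_CACERT /etc/ssl/certs/ca.pem
TLS_REQCERT demand
"""

def parse_ldap_conf(text):
    """Parse 'KEY value' lines into a dict with lower-cased keys; '#' starts a comment."""
    pairs = (raw.split("#", 1)[0].split(None, 1) for raw in text.splitlines())
    return {p[0].lower(): (p[1].strip() if len(p) > 1 else "") for p in pairs if p}

def transport_security(conf):
    """Return 'ldaps', 'start_tls' or 'plaintext' for the configured uri/ssl pair."""
    schemes = {urlsplit(u).scheme.lower() for u in conf.get("uri", "").split()}
    if schemes == {"ldaps"}:
        return "ldaps"
    if conf.get("ssl", "").lower() == "start_tls":
        return "start_tls"
    return "plaintext"

def audit(conf):
    """Findings a defender would want to see for one config file."""
    findings, mode = [], transport_security(conf)
    if mode == "plaintext":
        findings.append("lookup goes over ldap:// (port 389) without TLS")
    reqcert = conf.get("tls_reqcert", "demand").lower()  # OpenLDAP's default is demand
    if reqcert in ("never", "allow"):
        findings.append("tls_reqcert %s: server certificate is not verified" % reqcert)
    if mode != "plaintext" and not (conf.get("tls_cacert") or conf.get("tls_cacertdir")):
        findings.append("no tls_cacert/tls_cacertdir: server certificate cannot be verified")
    return findings

def compare(sudo_conf, tools_conf):
    """TLS keys that differ: an ldapsearch test then says nothing about sudo's setup."""
    return {k: (sudo_conf.get(k), tools_conf.get(k))
            for k in TLS_KEYS if sudo_conf.get(k) != tools_conf.get(k)}
```

Once the two files agree, `ldapsearch -ZZ` (require StartTLS and fail if it cannot be established) is the "ldapsearch forcing tls" the comment asks for.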