Summary: | app-admin/sudo-1.6.8p9 only talks to ldap port 389 without SSL | |
---|---|---|---
Product: | Gentoo Linux | Reporter: | khb354102
Component: | Current packages | Assignee: | Andrea Barisani (RETIRED) <lcars>
Status: | RESOLVED INVALID | |
Severity: | normal | CC: | lu_zero, taviso
Priority: | High | |
Version: | unspecified | |
Hardware: | x86 | |
OS: | Linux | |
Whiteboard: | | |
Package list: | | Runtime testing required: | ---
Description
khb354102
2005-09-15 13:09:24 UTC
Forgot to mention version of sudo. It's 1.6.8p9.

Works fine here with the following conf: uri ldap://ldap.example.com ssl start_tls (plus tls_* cert definition). You are getting this error: ldap_start_tls_s(): -11: Connect error, so tls is being attempted. I think it's not a problem with sudo but rather with your ldap setup, are you using the proper certs/server side settings? Can you do an ldapsearch with tls without problems? See if it changes with sudo-1.6.8_p9-r2. Closing as INVALID for now, but I'm waiting for further comments from you.

I can do an ldapsearch just fine with ldap://<server> ssl start_tls (in /etc/ldap.conf). Should I use TLS_REQCERT never?

ldapsearch doesn't use /etc/ldap.conf, it uses /etc/openldap/ldap.conf, so that's not a reliable test. You should replicate the same settings in /etc/ldap.conf for libldap and then do an ldapsearch forcing tls. Also I don't know if you are demanding tls server side (which is a good thing). man ldap.conf will show libldap ldap.conf settings; remember that cert and key must be specified in .ldaprc and cannot be set globally in /etc/openldap/ldap.conf. This is definitely not a sudo issue imho. Please mail me directly and send me both your ldap.conf (and ldap.conf.sudo), I might be able to help you debugging your ldap problems. Bye
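The check asked for in the thread (replicate the sudo-side settings and force StartTLS) as an added script; it is not from the bug report or from the sudo or OpenLDAP projects. It reads the `uri`, `ssl` and `tls_cacertfile` keys from an ldap.conf-style file (assumed "key value" lines) and builds an `ldapsearch -ZZ` command, which fails unless StartTLS actually succeeds, so the test exercises the same URI and CA that sudo would use instead of whatever /etc/openldap/ldap.conf says.

```shell
#!/bin/sh
# Added example: derive a forced-TLS ldapsearch from sudo's /etc/ldap.conf.

# Print the value of <key> from an ldap.conf-style <file> ("key value" lines,
# key matched case-insensitively, first match wins, nothing printed if absent).
ldapconf_get() {   # usage: ldapconf_get <file> <key>
    awk -v key="$2" 'tolower($1) == tolower(key) {
        sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, ""); print; exit }' "$1"
}

# Build the ldapsearch command that mirrors the sudo settings.
# Returns 1 if no uri is configured, 2 if the file does not request start_tls.
tls_check_cmd() {  # usage: tls_check_cmd <ldap.conf>
    uri=$(ldapconf_get "$1" uri)
    [ -n "$uri" ] || return 1
    [ "$(ldapconf_get "$1" ssl)" = "start_tls" ] || return 2
    ca=$(ldapconf_get "$1" tls_cacertfile)
    # LDAPTLS_CACERT overrides libldap's CA setting for this one run.
    [ -n "$ca" ] && printf 'LDAPTLS_CACERT=%s ' "$ca"
    # -ZZ: StartTLS is mandatory; -x: simple bind; -b "" -s base: query the RootDSE only.
    printf 'ldapsearch -H %s -ZZ -x -b "" -s base\n' "$uri"
}

if [ "$#" -eq 0 ]; then
    # Constructed sample mirroring the settings quoted in the report (not a real host).
    sample=$(mktemp)
    printf 'uri ldap://ldap.example.com\nssl start_tls\ntls_cacertfile /etc/ssl/certs/ca.crt\n' > "$sample"
    tls_check_cmd "$sample"
    rm -f "$sample"
else
    # With a path argument, actually run the check against that ldap.conf.
    sh -c "$(tls_check_cmd "$1")"
fi
```

Run it as `sh check_tls.sh /etc/ldap.conf`; a `Connect error` here, with the same URI and CA that sudo uses, points at the server or certificate setup rather than at sudo.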