- sudo tls openldap ds
04-07-2016 12:03 PM
I have not used these forums in a while. I miss the old days with hats. Anyway, maybe someone can help. I have set up openldap on Linux as a DS. I am replacing HP Directory Server. I have an HP-UX host configured to authenticate against openldap using certs and TLS. Now my issue is sudo. We have sudo in ldap and cannot access the SUDOers entries. I am running sudo from the Internet Express pack, version A.18.00-1.7.9.001, since it is the only one that was compiled correctly with ldap. This is essentially what my ldap.conf looks like:
uri ldaps://server.domain.com:636/
bind_timelimit 30
timelimit 30
sudoers_base ou=SUDOers,dc=domain,dc=com
ssl start_tls
sudoers_debug 2
When I run sudo, I get this:
sudo: ldap_initialize(ld, ldaps://server.domain.com:636/)
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_set_option: timelimit -> 30
sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 30)
sudo: ldap_start_tls_s(): Can't contact LDAP server
sudo: no valid sudoers sources found, quitting
I am not finding any useful information on Google. Not sure if anyone already has a working config using TLS. Real help would be appreciated.
Thanks,
Court
04-07-2016 01:41 PM
Re: sudo tls openldap ds
So far as I can recall, I've never fired an LDAP in anger, so I know
nothing, but:
> sudo: ldap_initialize(ld, ldaps://server.domain.com:636/)
> [...]
> sudo: ldap_start_tls_s(): Can't contact LDAP server
This is the kind of thing which I'd expect to see if no one at
"server.domain.com" is listening at port 636. (I'd expect more
interesting diagnostics if the client could contact the server, but
something less fundamental, like the "S" negotiation, failed. But what
do I know?)
Assuming that the name resolution for "server.domain.com" works, my
first test would look something like:
telnet server.domain.com 636
04-08-2016 06:09 AM
I resolved the problem. I had to compile sudo instead of using the ixSudo. HP has really gone downhill with keeping up with the ix software. I think the latest ixSudo is still A20, which was not compiled with ldap. For those who need the info, here you go.
Download the source from: http://hpux.connect.org.uk/hppd/hpux/Sysadmin/sudo-1.8.16/
You will also need LDAP-UX installed. Gunzip and extract the source. Go to the directory and do the following:
export CFLAGS="-D__10_10_compat_code"
export LDFLAGS="-L/opt/ldapux/lib"
./configure --with-ldap=/opt/ldapux/ --with-pam
then make and make install. You should be able to copy the binary to your other servers.
Once I compiled it, it worked flawlessly.
04-08-2016 06:19 AM - last edited on 04-05-2021 01:47 AM by Parvez_Admin
Re: sudo tls openldap ds
Almost forgot. I had to add these lines to ldap.conf:
tls_cert /etc/opt/ldapux
tls_key /etc/opt/ldapux
Again, I am using certs. A little background here. I am using Mozilla NSS, which uses the cert8.db and key3.db. My openldap config is a provider with two consumers. I can add each server's cert to the database, and the clients can communicate with all three hosts.
I should also mention that I used this site for reference:
[Admin: the above link is no longer valid]
If you are using the latest openldap 2.4, I do not believe you have to mess with the DUAConfig schema that is on the site. It's hard to know that since the packages, etc., for different distros seem to be different. I use olc, and the package that is on OEL7.2 already has a duaconf.ldif. So no need to re-invent the wheel.
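As an added example (not code from this thread, from sudo or from LDAP-UX), a POSIX sh lint for the sudo ldap.conf settings exchanged above: it flags the ldaps:// URI paired with "ssl start_tls" seen in the first post's config, a plain ldap:// URI with no TLS at all, a disabled tls_checkpeer, and a missing sudoers_base. Option names are those of sudoers.ldap(5); the config path is whatever the caller passes, and the function name is this example's own.

```shell
#!/bin/sh
# Constructed lint for a sudo ldap.conf (sudoers.ldap(5) keys: uri, ssl,
# tls_checkpeer, sudoers_base). Not sudo's own code.
# Prints one line per finding and returns non-zero if any were found.
lint_sudo_ldap_conf() {
    conf=$1
    problems=0
    uri_scheme=""; ssl_mode=""; checkpeer=""; base=""

    # "key value" lines; comments and blank lines skipped, keys case-folded.
    while read -r key value; do
        case $key in ''|\#*) continue ;; esac
        key=$(printf '%s' "$key" | tr 'A-Z' 'a-z')
        case $key in
            uri)
                case $value in
                    ldaps://*) uri_scheme=ldaps ;;
                    ldap://*)  uri_scheme=ldap ;;
                esac ;;
            ssl)           ssl_mode=$(printf '%s' "$value" | tr 'A-Z' 'a-z') ;;
            tls_checkpeer) checkpeer=$(printf '%s' "$value" | tr 'A-Z' 'a-z') ;;
            sudoers_base)  base=$value ;;
        esac
    done < "$conf"

    if [ -z "$base" ]; then
        echo "ERROR: no sudoers_base, so sudo has no LDAP sudoers source to search"
        problems=$((problems + 1))
    fi
    # ldaps:// is TLS from the first byte; 'ssl start_tls' is the mode for a
    # plain ldap:// session that upgrades to TLS before binding.
    if [ "$uri_scheme" = ldaps ] && [ "$ssl_mode" = start_tls ]; then
        echo "ERROR: ldaps:// URI with 'ssl start_tls'; pair ldaps:// with 'ssl on', or ldap:// with 'ssl start_tls'"
        problems=$((problems + 1))
    fi
    if [ "$uri_scheme" = ldap ] && [ -z "$ssl_mode" ]; then
        echo "ERROR: ldap:// URI without ssl: bind credentials and sudoers data cross the network in clear"
        problems=$((problems + 1))
    fi
    case $checkpeer in
        no|false|off)
            echo "WARN: tls_checkpeer is off; the LDAP server certificate is not verified"
            problems=$((problems + 1)) ;;
    esac
    [ "$problems" -eq 0 ]
}

# Usage: sh lint_ldap_conf.sh /etc/ldap.conf
if [ $# -gt 0 ]; then lint_sudo_ldap_conf "$1"; fi
```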