sudo tls openldap ds
04-07-2016 12:03 PM
I have not used these forums in a while. I miss the old days with hats. Anyway, maybe someone can help. I have set up openldap on Linux as a DS. I am replacing HP Directory Server. I have an HP-UX host configured to authenticate against openldap using certs and TLS. Now my issue is sudo. We have sudo in LDAP and cannot access the SUDOers entries. I am running sudo from the Internet Express pack, version A.18.00-1.7.9.001, since it is the only one that was compiled correctly with LDAP. This is essentially what my ldap.conf looks like:
uri ldaps://server.domain.com:636/
bind_timelimit 30
timelimit 30
sudoers_base ou=SUDOers,dc=domain,dc=com
ssl start_tls
sudoers_debug 2
When I run sudo, I get this:
sudo: ldap_initialize(ld, ldaps://server.domain.com:636/)
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_set_option: timelimit -> 30
sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 30)
sudo: ldap_start_tls_s(): Can't contact LDAP server
sudo: no valid sudoers sources found, quitting
I am not finding any useful information on Google. Not sure if anyone already has a working config using TLS. Real help would be appreciated.
Thanks,
Court
04-07-2016 01:41 PM
Re: sudo tls openldap ds
So far as I can recall, I've never fired an LDAP in anger, so I know
nothing, but:
> sudo: ldap_initialize(ld, ldaps://server.domain.com:636/)
> [...]
> sudo: ldap_start_tls_s(): Can't contact LDAP server
This is the kind of thing which I'd expect to see if no one at
"server.domain.com" is listening at port 636. (I'd expect more
interesting diagnostics if the client could contact the server, but
something less fundamental, like the "S" negotiation failed. But what
do I know?)
Assuming that the name resolution for "server.domain.com" works, my
first test would look something like:
telnet server.domain.com 636
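The telnet test above only answers the first question (is anything listening on port 636?). The following probe, an added example that is not part of this thread, goes one step further along the reply's reasoning: it separates "nothing is listening" from "the listener is there but the TLS negotiation fails", which is the distinction the reply draws. It assumes Python 3 on a host that can reach the directory server; `server.domain.com` is the host named in the thread, and `plain_tcp_listener` is a constructed loopback helper used only to demonstrate the `tls_failed` verdict offline.

```python
import socket
import ssl
import sys
import threading

DEFAULT_TIMEOUT = 5.0  # seconds; assumed value for the example


def probe_ldaps(host, port=636, timeout=DEFAULT_TIMEOUT, cafile=None):
    """Classify an ldaps:// endpoint into one of three verdicts.

    ('unreachable', reason) -> the TCP connect itself failed (no listener,
                               firewall, name resolution); the case the reply
                               expects behind "Can't contact LDAP server".
    ('tls_failed', reason)  -> TCP connected but the TLS handshake did not:
                               the listener exists, the problem is in the
                               TLS layer (plain ldap on that port, bad chain).
    ('tls_ok', version)     -> handshake completed; reports the TLS version.
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return ("unreachable", str(exc))

    ctx = ssl.create_default_context(cafile=cafile)
    if cafile is None:
        # Diagnostic only: with no CA file given we only want to know whether
        # a handshake completes at all, not whether the chain validates.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        # wrap_socket on an already-connected socket performs the handshake.
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return ("tls_ok", tls.version())
    except (ssl.SSLError, OSError) as exc:
        return ("tls_failed", str(exc))
    finally:
        sock.close()


def plain_tcp_listener():
    """Constructed helper: a throwaway loopback listener that accepts one
    connection and closes it without speaking TLS. It exists so the
    'tls_failed' verdict can be shown without a real directory server.
    Returns the port it is bound to."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        conn.close()   # EOF mid-handshake from the client's point of view
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    # Usage: python probe_ldaps.py server.domain.com 636 [/path/to/ca.pem]
    target = sys.argv[1] if len(sys.argv) > 1 else "server.domain.com"
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 636
    ca = sys.argv[3] if len(sys.argv) > 3 else None
    print(target, target_port, probe_ldaps(target, target_port, cafile=ca))
```

Run it from the HP-UX client against the server named in ldap.conf. An `unreachable` verdict means the fix lies in the network, the name resolution, or slapd's listener, exactly where the telnet test points; a `tls_failed` verdict means the port answers and the certificate or TLS settings on either side are the next thing to look at. Pass the CA file as the third argument to additionally check that the server's chain validates.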
04-08-2016 06:09 AM
I resolved the problem. I had to compile sudo instead of using the ixSudo. HP has really gone downhill with keeping up with the ix software. I think the latest ixSudo is still A20, which was not compiled with LDAP. For those who need the info, here you go.
Download the source from: http://hpux.connect.org.uk/hppd/hpux/Sysadmin/sudo-1.8.16/
You will also need LDAP-UX installed. Gunzip and extract the source. Go to the directory and do the following:
export CFLAGS="-D__10_10_compat_code"
export LDFLAGS="-L/opt/ldapux/lib"
./configure --with-ldap=/opt/ldapux/ --with-pam
then make and make install. You should be able to copy the binary to your other servers.
Once I compiled it, it worked flawlessly.
04-08-2016 06:19 AM
Re: sudo tls openldap ds
Almost forgot. I had to add these lines to ldap.conf:
tls_cert /etc/opt/ldapux
tls_key /etc/opt/ldapux
Again, I am using certs. A little background here. I am using Mozilla NSS, which uses the cert8.db and key3.db. My openldap config is a provider with two consumers. I can add each server's cert to the database, and the clients can communicate with all three hosts.
I should also mention that I used this site for reference:
If you are using the latest openldap 2.4, I do not believe you have to mess with the DUAConfig schema that is on the site. It's hard to know that since the packages, etc., for different distros seem to be different. I use olc, and the package that is on OEL7.2 already has a duaconf.ldif. So no need to re-invent the wheel.