Solved: sudo tls openldap ds

feeble · ‎04-07-2016

I have not used these forums in a while. I miss the old days with hats. Anyway, maybe someone can help. I have setup openldap on Linux as a DS. I am replacing HP Directory Server. I have a HPUX host configured to authenticate against openldap using certs and tls. Now my issue is sudo. We have sudo in ldap and cannot access the SUDOers entries. I am running sudo from the internet express pack. Version A.18.00-1.7.9.001, since it is the only one that was compiled correctly with ldap. This is essentially what my ldap.conf looks like:

uri ldaps://server.domain.com:636/
bind_timelimit 30
timelimit 30
sudoers_base ou=SUDOers,dc=domain,dc=com
ssl start_tls
sudoers_debug 2

When I run sudo, I get this:

sudo: ldap_initialize(ld, ldaps://server.domain.com:636/)
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_set_option: timelimit -> 30
sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 30)
sudo: ldap_start_tls_s(): Can't contact LDAP server
sudo: no valid sudoers sources found, quitting

I am not finding any useful information on google. Not sure if any one already has a workfin config using tls. Real help would be appreciated.

Thanks,

Court

Steven Schweda · ‎04-07-2016

So far as I can recall, I've never fired an LDAP in anger, so I know
nothing, but:

> sudo: ldap_initialize(ld, ldaps://server.domain.com:636/)
> [...]
> sudo: ldap_start_tls_s(): Can't contact LDAP server

This is the kind of thing which I'd expect to see if no one at
"server.domain.com" is listening at port 636. (I'd expect more
interesting diagnostics if the client could contact the server, but
something less fundamental, like the "S" negotiation failed. But what
do I know?)

Assuming that the name resolution for "server.domain.com" works, my
first test would look something like:

telnet server.domain.com 636

feeble · ‎04-08-2016

I resolved the problem. I had to compile sudo instead of using the ixSudo. HP has really gone downhill with keeping up with the ix software. I think the latest ixSudo is still A20, which was not compiled with ldap. For those who need the info, here you go.

Download the source from: http://hpux.connect.org.uk/hppd/hpux/Sysadmin/sudo-1.8.16/

You will also need LDAP-UX installed. Gunzip and extract the source. Go to the directory and do the following:

export CFLAGS="-D__10_10_compat_code"
export LDFLAGS="-L/opt/ldapux/lib"
./configure --with-ldap=/opt/ldapux/ --with-pam

then make and make install. You should be able to copy the binary to your other servers.

Once I compiled it, it worked flawlessly.

feeble · ‎04-08-2016

Almost forgot. I had to add these lines to ldap.conf:

tls_cert /etc/opt/ldapux
tls_key /etc/opt/ldapux

Again, I am using certs. A little background here. I am using Mozilla NSS which uses the cert8.db and key3.db. My openldap config is a provider with two consumers. I can add each servers cert to the database, and the clients can communicate with all three hosts.

I should also mention that I used this site for reference:

https://itsecureadmin.com/wiki/index.php?title=Configure_HPUX_11.11_to_authenticate_against_OpenLDAP&oldid=2049

If you are using the latest openldap 2.4, I do not beleive you have to mess witht he DUAConfig schema that is on the site. It's hard to know that since the packages, etc, for different distros seem to be a different. I use olc, and the package that is on OEL7.2 already has a duaconf.ldif. So no need to re-invent the wheel.

sudo tls openldap ds

sudo tls openldap ds

Re: sudo tls openldap ds

Re: sudo tls openldap ds

Re: sudo tls openldap ds

Hewlett Packard Enterprise International