On Mon, May 22, 2006 at 11:21:53AM +1000, Alexander Samad wrote:
> On Sun, May 21, 2006 at 05:29:49PM -0700, Steve Langasek wrote:
> > On Mon, May 22, 2006 at 08:08:19AM +1000, Alexander Samad wrote:
> > > > > it fails and I get, with debugging turned on:
> > 
> > > > > LDAP Config Summary
> > > > > ===================
> > > > > uri          ldaps://hufpuf.lan1.hme1.samad.com.au
> > > > > ldap_version 3
> > > > > sudoers_base ou=SUDOers,dc=samad,dc=com,dc=au
> > > > > binddn       (anonymous)
> > > > > bindpw       (anonymous)
> > > > > ssl          (no)
> > > > > ===================
> > > > > ldap_initialize(ld,ldaps://hufpuf.lan1.hme1.samad.com.au)
> > > > > ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,0x03)
> > > > > ldap_simple_bind_s()=81 : Can't contact LDAP server
> > 
> > > > Why do you say that this is a sudo-ldap bug?  What tests have you done 
> > > > to
> > > > verify that this isn't a network/firewall bug or a libldap bug?
> > 
> > > I configure a working system to start with.  The ldap server is on the
> > > same machine, there are no iptable entries. libnss-ldap and libpam-ldap
> > > work when I make the change from ldap://127.0.0.1 to
> > > ldaps://hufpuf.lan1.hme1.samad.com.au
> > 
> > > When I turn on logging from openldap I notice a connection being made
> > > and then I notice the connection is closed; no bind is attempted.
> > 
> > > I can't rule out a libldap bug; how can I test this?
> > 
> > Well, it sounds to me like we can rule out a libldap problem based on this.
> > 
> > What I do notice is that you have an ldaps uri in the debugging output, but
> > it claims "ssl" is not enabled.  Is /etc/ldap/ldap.conf identical to
> > /etc/libnss-ldap.conf and /etc/libpam-ldap.conf?  Does negotiating an SSL
> > connection with this server require access to SSL certificates stored in
> > files which may not be accessible to sudo prior to assuming root perms?
> 
> I tried setting ssl=on in the /etc/ldap/ldap.conf file (I downloaded
> the source and had a look at ldap.c) but that made no difference, but I
> did notice there was a section that was #ifdef'd out for ssl - it had
> another type of bind function call.
> 
> When I changed to ssl=on the debug info was the same except that ssl
> (yes) was printed out instead of ssl (no).
> 
> I have set it up so that client authentication is not needed for ldaps.

I have just tried doing this test. From another machine I used
ldapsearch -v -H ldaps://hufpuf.lan1.hme1.samad.com.au uid=alex
This failed with similar results in the slapd log file as when
sudo-ldap fails.

What I noticed was that the connection from the second machine was
actually using the IPv6 address to make the connection, but it would
just hang for some reason? Although I could make an ldap://[ipv6] with
no problem, not sure if this helps or confuses!

> 
> > 
> > -- 
> > Steve Langasek                   Give me a lever long enough and a Free OS
> > Debian Developer                   to set it on, and I can move the world.
> > [EMAIL PROTECTED]                                   http://www.debian.org/
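As an added example (not from the thread, sudo-ldap or libldap), a small Python script that parses the "LDAP Config Summary" quoted above and flags the two things discussed here: an ldaps:// URI printed next to "ssl (no)", and an LDAP host that resolves to both IPv4 and IPv6 addresses, so an IPv6-only hang like the one seen with ldapsearch can be separated from a TLS problem. The resolver is injectable; the constructed DNS answer and its documentation-range addresses are assumptions, not real records.

```python
import re
import socket
from urllib.parse import urlsplit

# Constructed sample: the summary quoted in the thread, not live output.
SAMPLE = """\
LDAP Config Summary
===================
uri          ldaps://hufpuf.lan1.hme1.samad.com.au
ldap_version 3
sudoers_base ou=SUDOers,dc=samad,dc=com,dc=au
binddn       (anonymous)
bindpw       (anonymous)
ssl          (no)
===================
"""

def parse_summary(text):
    """Return the lower-case key/value lines of the summary as a dict."""
    cfg = {}
    for line in text.splitlines():
        m = re.match(r"^([a-z_]+)\s+(\S.*)$", line)
        if m:
            cfg[m.group(1)] = m.group(2).strip()
    return cfg

def resolve_host(uri, resolver=socket.getaddrinfo):
    """(ipv4, ipv6) address lists for the URI's host; resolver is injectable."""
    parts = urlsplit(uri)
    port = parts.port or (636 if parts.scheme == "ldaps" else 389)
    v4, v6 = set(), set()
    for family, _, _, _, addr in resolver(parts.hostname, port, 0, socket.SOCK_STREAM):
        (v6 if family == socket.AF_INET6 else v4).add(addr[0])
    return sorted(v4), sorted(v6)

def diagnose(text, resolver=socket.getaddrinfo):
    """Return findings as strings; an empty list means nothing looked off."""
    cfg = parse_summary(text)
    scheme = urlsplit(cfg.get("uri", "")).scheme
    out = []
    if scheme == "ldaps" and cfg.get("ssl") == "(no)":
        out.append("ldaps:// URI but ssl is (no): TLS may never be set up")
    if cfg.get("binddn") == "(anonymous)":
        out.append("anonymous bind: slapd must allow anonymous reads under " + cfg.get("sudoers_base", "?"))
    if scheme in ("ldap", "ldaps"):
        v4, v6 = resolve_host(cfg["uri"], resolver)
        if v4 and v6:
            out.append("host has IPv4 %s and IPv6 %s: test each address literally" % (v4, v6))
    return out

# Constructed DNS answer (documentation ranges) so the check runs offline.
def fake_resolver(host, port, family, socktype):
    return [(socket.AF_INET, socktype, 6, "", ("192.0.2.10", port)),
            (socket.AF_INET6, socktype, 6, "", ("2001:db8::10", port, 0, 0))]
```

Run `diagnose(SAMPLE, fake_resolver)` to see the three findings for the quoted summary; pass no resolver to query real DNS for your own host.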