On Sun, May 21, 2006 at 05:29:49PM -0700, Steve Langasek wrote:
> On Mon, May 22, 2006 at 08:08:19AM +1000, Alexander Samad wrote:
> > > > it faills and I get with with debuging turned on
> 
> > > > LDAP Config Summary
> > > > ===================
> > > > uri          ldaps://hufpuf.lan1.hme1.samad.com.au
> > > > ldap_version 3
> > > > sudoers_base ou=SUDOers,dc=samad,dc=com,dc=au
> > > > binddn       (anonymous)
> > > > bindpw       (anonymous)
> > > > ssl          (no)
> > > > ===================
> > > > ldap_initialize(ld,ldaps://hufpuf.lan1.hme1.samad.com.au)
> > > > ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,0x03)
> > > > ldap_simple_bind_s()=81 : Can't contact LDAP server
> 
> > > Why do you say that this is a sudo-ldap bug?  What tests have you done to
> > > verify that this isn't a network/firewall bug or a libldap bug?
> 
> > I configure a working system to start with.  The ldap server is on the
> > same machine, there are no iptable entries. libnss-ldap and libpam-ldap
> > work when I make the change from ldap://127.0.0.1 to
> > ldaps://hufpuf.lan1.hme1.samad.com.au
> 
> > when I turn on logging from openldap I notice a connection being made
> > and then I notice the connectect is closed, no bind is attempted.
> 
> > I can't rule out a libldap bug how can I test this ?
> 
> Well, it sounds to me like we can rule out a libldap problem based on this.
> 
> What I do notice is that you have an ldaps uri in the debugging output, but
> it claims "ssl" is not enabled.  Is /etc/ldap/ldap.conf identical to
> /etc/libnss-ldap.conf and /etc/libpam-ldap.conf?  Does negotiating an SSL
> connection with this server require access to SSL certificates stored in
> files which may not be accessible to sudo prior to assuming root perms?

I tried setting ssl=on in the /etc/ldap/ldap.conf file ( I downloaded
the source and had a look at ldap.c) but that made no difference, but I
did notice there was a section that was #ifdef out for ssl - it had
another type of bind function call.

When I changed the ssl=on the debug info was the same except that ssl
(yes) was printed out instead of ssl (no)

I have set it up so that client authentication is not need for ldaps.

> 
> -- 
> Steve Langasek                   Give me a lever long enough and a Free OS
> Debian Developer                   to set it on, and I can move the world.
> [EMAIL PROTECTED]                                   http://www.debian.org/


Attachment: signature.asc
Description: Digital signature

Reply via email to