On Sun, May 21, 2006 at 05:29:49PM -0700, Steve Langasek wrote: > On Mon, May 22, 2006 at 08:08:19AM +1000, Alexander Samad wrote: > > > > it faills and I get with with debuging turned on > > > > > LDAP Config Summary > > > > =================== > > > > uri ldaps://hufpuf.lan1.hme1.samad.com.au > > > > ldap_version 3 > > > > sudoers_base ou=SUDOers,dc=samad,dc=com,dc=au > > > > binddn (anonymous) > > > > bindpw (anonymous) > > > > ssl (no) > > > > =================== > > > > ldap_initialize(ld,ldaps://hufpuf.lan1.hme1.samad.com.au) > > > > ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,0x03) > > > > ldap_simple_bind_s()=81 : Can't contact LDAP server > > > > Why do you say that this is a sudo-ldap bug? What tests have you done to > > > verify that this isn't a network/firewall bug or a libldap bug? > > > I configure a working system to start with. The ldap server is on the > > same machine, there are no iptable entries. libnss-ldap and libpam-ldap > > work when I make the change from ldap://127.0.0.1 to > > ldaps://hufpuf.lan1.hme1.samad.com.au > > > when I turn on logging from openldap I notice a connection being made > > and then I notice the connectect is closed, no bind is attempted. > > > I can't rule out a libldap bug how can I test this ? > > Well, it sounds to me like we can rule out a libldap problem based on this. > > What I do notice is that you have an ldaps uri in the debugging output, but > it claims "ssl" is not enabled. Is /etc/ldap/ldap.conf identical to > /etc/libnss-ldap.conf and /etc/libpam-ldap.conf? Does negotiating an SSL > connection with this server require access to SSL certificates stored in > files which may not be accessible to sudo prior to assuming root perms?
I tried setting ssl=on in the /etc/ldap/ldap.conf file ( I downloaded the source and had a look at ldap.c) but that made no difference, but I did notice there was a section that was #ifdef out for ssl - it had another type of bind function call. When I changed the ssl=on the debug info was the same except that ssl (yes) was printed out instead of ssl (no) I have set it up so that client authentication is not need for ldaps. > > -- > Steve Langasek Give me a lever long enough and a Free OS > Debian Developer to set it on, and I can move the world. > [EMAIL PROTECTED] http://www.debian.org/
signature.asc
Description: Digital signature