Bug#368297: sudo-ldap fails when you change uri to ldaps
Date: Mon, 22 May 2006 08:08:19 +1000
From: Alexander Samad a...@samad.com.au

On Sun, May 21, 2006 at 02:17:04PM -0500, Steve Langasek wrote:
> On Sun, May 21, 2006 at 07:25:38PM +1000, Alexander Samad wrote:
> > Package: sudo-ldap
> > Version: 1.6.8p12-4
> > Severity: grave
> > Justification: renders package unusable
> >
> > I have set up sudo-ldap to use the local ldap db. My /etc/ldap/ldap.conf has
> >
> >   uri ldap://127.0.0.1
> >
> > When I change this to
> >
> >   uri ldaps://hufpuf.lan1.hme1.samad.com.au
> >
> > it fails and I get, with debugging turned on:
> >
> >   LDAP Config Summary
> >   ===
> >   uri ldaps://hufpuf.lan1.hme1.samad.com.au
> >   ldap_version 3
> >   sudoers_base ou=SUDOers,dc=samad,dc=com,dc=au
> >   binddn (anonymous)
> >   bindpw (anonymous)
> >   ssl (no)
> >   ===
> >   ldap_initialize(ld,ldaps://hufpuf.lan1.hme1.samad.com.au)
> >   ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,0x03)
> >   ldap_simple_bind_s()=81 : Can't contact LDAP server
>
> Why do you say that this is a sudo-ldap bug? What tests have you done to
> verify that this isn't a network/firewall bug or a libldap bug?

Hi

I configured a working system to start with. The ldap server is on the same
machine; there are no iptables entries. libnss-ldap and libpam-ldap work when
I make the change from ldap://127.0.0.1 to ldaps://hufpuf.lan1.hme1.samad.com.au.

When I turn on logging from openldap I notice a connection being made, and
then I notice the connection is closed; no bind is attempted.

I can't rule out a libldap bug. How can I test this? When I use ldapsearch
with anon ldaps:// it works, but it links against the 2.2 ldap libraries.

> -- 
> Steve Langasek                   Give me a lever long enough and a Free OS
> Debian Developer                   to set it on, and I can move the world.
> vor...@debian.org                                   http://www.debian.org/
Bug#368297: sudo-ldap fails when you change uri to ldaps
Package: sudo-ldap
Version: 1.6.8p12-4
Severity: grave
Justification: renders package unusable

Hi

I have set up sudo-ldap to use the local ldap db. My /etc/ldap/ldap.conf has

  uri ldap://127.0.0.1

When I change this to

  uri ldaps://hufpuf.lan1.hme1.samad.com.au

it fails and I get, with debugging turned on:

  LDAP Config Summary
  ===
  uri ldaps://hufpuf.lan1.hme1.samad.com.au
  ldap_version 3
  sudoers_base ou=SUDOers,dc=samad,dc=com,dc=au
  binddn (anonymous)
  bindpw (anonymous)
  ssl (no)
  ===
  ldap_initialize(ld,ldaps://hufpuf.lan1.hme1.samad.com.au)
  ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,0x03)
  ldap_simple_bind_s()=81 : Can't contact LDAP server

-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable')
Architecture: amd64 (x86_64)
Shell:  /bin/sh linked to /bin/dash
Kernel: Linux 2.6.16-1-amd64-k8-smp
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=ANSI_X3.4-1968) (ignored: LC_ALL set to C)

Versions of packages sudo-ldap depends on:
ii  libc6                  2.3.6-7    GNU C Library: Shared libraries
ii  libldap2               2.1.30-13  OpenLDAP libraries
ii  libpam-modules         0.79-3.1   Pluggable Authentication Modules f
ii  libpam0g               0.79-3.1   Pluggable Authentication Modules l

sudo-ldap recommends no packages.

-- no debconf information

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Bug#368297: sudo-ldap fails when you change uri to ldaps
On Sun, 2006-05-21 at 19:25 +1000, Alexander Samad wrote:
> When I change this to
>
>   uri ldaps://hufpuf.lan1.hme1.samad.com.au
>
> it fails and I get, with debugging turned on:

I don't use LDAP personally, and didn't see anything immediately obvious on a
quick perusal of the source. If you or anyone else watching have any idea why
this is happening or how to fix it, feel free to chime in!

Bdale
Bug#368297: sudo-ldap fails when you change uri to ldaps
On Sun, May 21, 2006 at 07:25:38PM +1000, Alexander Samad wrote:
> Package: sudo-ldap
> Version: 1.6.8p12-4
> Severity: grave
> Justification: renders package unusable
>
> I have set up sudo-ldap to use the local ldap db. My /etc/ldap/ldap.conf has
>
>   uri ldap://127.0.0.1
>
> When I change this to
>
>   uri ldaps://hufpuf.lan1.hme1.samad.com.au
>
> it fails and I get, with debugging turned on:
>
>   LDAP Config Summary
>   ===
>   uri ldaps://hufpuf.lan1.hme1.samad.com.au
>   ldap_version 3
>   sudoers_base ou=SUDOers,dc=samad,dc=com,dc=au
>   binddn (anonymous)
>   bindpw (anonymous)
>   ssl (no)
>   ===
>   ldap_initialize(ld,ldaps://hufpuf.lan1.hme1.samad.com.au)
>   ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,0x03)
>   ldap_simple_bind_s()=81 : Can't contact LDAP server

Why do you say that this is a sudo-ldap bug? What tests have you done to
verify that this isn't a network/firewall bug or a libldap bug?

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
[EMAIL PROTECTED]                                   http://www.debian.org/
Bug#368297: sudo-ldap fails when you change uri to ldaps
On Mon, May 22, 2006 at 08:08:19AM +1000, Alexander Samad wrote:
> > > it fails and I get, with debugging turned on:
> > >
> > >   LDAP Config Summary
> > >   ===
> > >   uri ldaps://hufpuf.lan1.hme1.samad.com.au
> > >   ldap_version 3
> > >   sudoers_base ou=SUDOers,dc=samad,dc=com,dc=au
> > >   binddn (anonymous)
> > >   bindpw (anonymous)
> > >   ssl (no)
> > >   ===
> > >   ldap_initialize(ld,ldaps://hufpuf.lan1.hme1.samad.com.au)
> > >   ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,0x03)
> > >   ldap_simple_bind_s()=81 : Can't contact LDAP server

> > Why do you say that this is a sudo-ldap bug? What tests have you done to
> > verify that this isn't a network/firewall bug or a libldap bug?

> I configured a working system to start with. The ldap server is on the same
> machine; there are no iptables entries. libnss-ldap and libpam-ldap work when
> I make the change from ldap://127.0.0.1 to ldaps://hufpuf.lan1.hme1.samad.com.au.

> When I turn on logging from openldap I notice a connection being made, and
> then I notice the connection is closed; no bind is attempted.

> I can't rule out a libldap bug. How can I test this?

Well, it sounds to me like we can rule out a libldap problem based on this.

What I do notice is that you have an ldaps uri in the debugging output, but
it claims ssl is not enabled. Is /etc/ldap/ldap.conf identical to
/etc/libnss-ldap.conf and /etc/libpam-ldap.conf?

Does negotiating an SSL connection with this server require access to SSL
certificates stored in files which may not be accessible to sudo prior to
assuming root perms?

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
[EMAIL PROTECTED]                                   http://www.debian.org/
Bug#368297: sudo-ldap fails when you change uri to ldaps
On Mon, May 22, 2006 at 11:21:53AM +1000, Alexander Samad wrote:
> On Sun, May 21, 2006 at 05:29:49PM -0700, Steve Langasek wrote:
> > On Mon, May 22, 2006 at 08:08:19AM +1000, Alexander Samad wrote:
> > > > > it fails and I get, with debugging turned on:
> > > > >
> > > > >   LDAP Config Summary
> > > > >   ===
> > > > >   uri ldaps://hufpuf.lan1.hme1.samad.com.au
> > > > >   ldap_version 3
> > > > >   sudoers_base ou=SUDOers,dc=samad,dc=com,dc=au
> > > > >   binddn (anonymous)
> > > > >   bindpw (anonymous)
> > > > >   ssl (no)
> > > > >   ===
> > > > >   ldap_initialize(ld,ldaps://hufpuf.lan1.hme1.samad.com.au)
> > > > >   ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,0x03)
> > > > >   ldap_simple_bind_s()=81 : Can't contact LDAP server
> >
> > > > Why do you say that this is a sudo-ldap bug? What tests have you done to
> > > > verify that this isn't a network/firewall bug or a libldap bug?
> >
> > > I configured a working system to start with. The ldap server is on the same
> > > machine; there are no iptables entries. libnss-ldap and libpam-ldap work when
> > > I make the change from ldap://127.0.0.1 to ldaps://hufpuf.lan1.hme1.samad.com.au.
> >
> > > When I turn on logging from openldap I notice a connection being made, and
> > > then I notice the connection is closed; no bind is attempted.
> >
> > > I can't rule out a libldap bug. How can I test this?
> >
> > Well, it sounds to me like we can rule out a libldap problem based on this.
> >
> > What I do notice is that you have an ldaps uri in the debugging output, but
> > it claims ssl is not enabled. Is /etc/ldap/ldap.conf identical to
> > /etc/libnss-ldap.conf and /etc/libpam-ldap.conf?
> >
> > Does negotiating an SSL connection with this server require access to SSL
> > certificates stored in files which may not be accessible to sudo prior to
> > assuming root perms?
>
> I tried setting ssl=on in the /etc/ldap/ldap.conf file (I downloaded the
> source and had a look at ldap.c) but that made no difference, but I did
> notice there was a section that was #ifdef'd out for ssl; it had another
> type of bind function call.
>
> When I changed to ssl=on the debug info was the same, except that ssl (yes)
> was printed out instead of ssl (no).
>
> I have set it up so that client authentication is not needed for ldaps.

I have just tried doing this test. From another machine I used

  ldapsearch -v -H ldaps://hufpuf.lan1.hme1.samad.com.au uid=alex

This failed with similar results in the slapd log file as when sudo-ldap
fails. What I noticed was that the connection from the second machine was
actually using the IPv6 address to make the connection, but it would just
hang for some reason? Although I could make an ldap://[ipv6] connection with
no problem. Not sure if this helps or confuses!

> > -- 
> > Steve Langasek                   Give me a lever long enough and a Free OS
> > Debian Developer                   to set it on, and I can move the world.
> > [EMAIL PROTECTED]                                   http://www.debian.org/
Bug#368297: sudo-ldap fails when you change uri to ldaps
On Mon, May 22, 2006 at 11:21:53AM +1000, Alexander Samad wrote:
> On Sun, May 21, 2006 at 05:29:49PM -0700, Steve Langasek wrote:

> I tried setting ssl=on in the /etc/ldap/ldap.conf file (I downloaded the
> source and had a look at ldap.c) but that made no difference, but I did
> notice there was a section that was #ifdef'd out for ssl; it had another
> type of bind function call.

> When I changed to ssl=on the debug info was the same, except that ssl (yes)
> was printed out instead of ssl (no).

Ok.

> I have set it up so that client authentication is not needed for ldaps.

However, I believe that by default libldap requires access to a trusted copy
of the *server* certificate in order to establish an ldaps connection. Is it
possible that pam_ldap and nss_ldap have access to *this* certificate, while
sudo-ldap does not?

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
[EMAIL PROTECTED]                                   http://www.debian.org/
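The checks Steve proposes in his two replies above (whether the LDAP client config files agree, and whether the trusted certificate file is readable by the unprivileged user, i.e. by sudo before it has root), plus the ldaps:// uri versus "ssl (no)" mismatch he points out in the config summary, as an added shell example. This is not code from the bug thread or from the sudo-ldap package. It assumes ldap.conf-style "key value" lines, that sudo's `ssl on|yes|true` directive is what requests an LDAPS connection, and that OpenLDAP's `TLS_CACERT` key names the trusted CA file; the config files it writes into a temp directory are constructed samples, not the reporter's real configuration.

```shell
#!/bin/sh
# Added example, not code from the bug thread or the sudo-ldap package.
# Offline checks for the two hypotheses raised in the thread: an ldaps://
# uri with ssl not turned on, and certificate files that the unprivileged
# user (sudo-ldap before it has root) cannot read. Run it as that user,
# not via sudo, or the readability result is meaningless.
# Assumptions: ldap.conf-style "key value" lines; sudo's "ssl on|yes|true"
# requests an LDAPS connection; OpenLDAP's TLS_CACERT names the CA file.

# First value of a key (case-insensitive) in an ldap.conf-style file.
# Prints nothing if the key is absent; '#' comment lines are ignored.
ldap_conf_get() {
    # $1 = config file, $2 = key name
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ { next }
        NF >= 2 && tolower($1) == want { print $2; exit }
    ' "$1"
}

# Returns 0 if the file is consistent, 1 if the uri is ldaps:// but ssl is
# not on/yes/true (the "ssl (no)" mismatch from the config summary), and
# 2 if TLS_CACERT names a file this user cannot read (or that is missing).
check_ldaps_config() {
    conf="$1"
    uri=$(ldap_conf_get "$conf" uri)
    ssl=$(ldap_conf_get "$conf" ssl)
    cacert=$(ldap_conf_get "$conf" tls_cacert)
    case "$uri" in
        ldaps://*)
            case "$(printf '%s' "$ssl" | tr 'A-Z' 'a-z')" in
                on|yes|true) ;;
                *) return 1 ;;
            esac ;;
    esac
    if [ -n "$cacert" ] && [ ! -r "$cacert" ]; then
        return 2
    fi
    return 0
}

# Print each of the given keys whose first value differs between two config
# files (the "is ldap.conf identical to libnss-ldap.conf / libpam-ldap.conf"
# question, restricted to the keys that matter). Empty output = agreement.
ldap_conf_diff_keys() {
    a_file="$1"; b_file="$2"; shift 2
    for key in "$@"; do
        [ "$(ldap_conf_get "$a_file" "$key")" = "$(ldap_conf_get "$b_file" "$key")" ] \
            || echo "$key"
    done
}

# Demo on constructed files in a temp directory (not the reporter's real
# configuration): the failing shape from the report, then a corrected one.
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/ldap.conf" <<'EOF'
# constructed sample: ldaps uri but no ssl directive
uri ldaps://ldap.example.test
ldap_version 3
sudoers_base ou=SUDOers,dc=example,dc=test
EOF
    : > "$tmp/ca.crt"
    cat > "$tmp/libpam-ldap.conf" <<EOF
uri ldaps://ldap.example.test
ssl on
TLS_CACERT $tmp/ca.crt
EOF
    for f in ldap.conf libpam-ldap.conf; do
        rc=0
        check_ldaps_config "$tmp/$f" || rc=$?
        case "$rc" in
            0) echo "$f: ldaps settings consistent" ;;
            1) echo "$f: uri is ldaps:// but ssl is not on" ;;
            2) echo "$f: TLS_CACERT is not readable by $(id -un)" ;;
        esac
    done
    echo "keys differing between the two files: $(ldap_conf_diff_keys \
        "$tmp/ldap.conf" "$tmp/libpam-ldap.conf" uri ssl tls_cacert | tr '\n' ' ')"
    rm -rf "$tmp"
}

demo
```

The script opens no network connection; it only answers the file-level questions. The live test remains the one the reporter used, an anonymous `ldapsearch -H ldaps://...` run as the same unprivileged user, compared against the slapd log. Because `-r` is evaluated for the invoking user, running the script under `sudo` would report the root view of the files and hide exactly the permission difference the thread is asking about.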
Bug#368297: sudo-ldap fails when you change uri to ldaps
On Sun, May 21, 2006 at 05:29:49PM -0700, Steve Langasek wrote:
> On Mon, May 22, 2006 at 08:08:19AM +1000, Alexander Samad wrote:
> > > > it fails and I get, with debugging turned on:
> > > >
> > > >   LDAP Config Summary
> > > >   ===
> > > >   uri ldaps://hufpuf.lan1.hme1.samad.com.au
> > > >   ldap_version 3
> > > >   sudoers_base ou=SUDOers,dc=samad,dc=com,dc=au
> > > >   binddn (anonymous)
> > > >   bindpw (anonymous)
> > > >   ssl (no)
> > > >   ===
> > > >   ldap_initialize(ld,ldaps://hufpuf.lan1.hme1.samad.com.au)
> > > >   ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,0x03)
> > > >   ldap_simple_bind_s()=81 : Can't contact LDAP server
>
> > > Why do you say that this is a sudo-ldap bug? What tests have you done to
> > > verify that this isn't a network/firewall bug or a libldap bug?
>
> > I configured a working system to start with. The ldap server is on the same
> > machine; there are no iptables entries. libnss-ldap and libpam-ldap work when
> > I make the change from ldap://127.0.0.1 to ldaps://hufpuf.lan1.hme1.samad.com.au.
>
> > When I turn on logging from openldap I notice a connection being made, and
> > then I notice the connection is closed; no bind is attempted.
>
> > I can't rule out a libldap bug. How can I test this?
>
> Well, it sounds to me like we can rule out a libldap problem based on this.
>
> What I do notice is that you have an ldaps uri in the debugging output, but
> it claims ssl is not enabled. Is /etc/ldap/ldap.conf identical to
> /etc/libnss-ldap.conf and /etc/libpam-ldap.conf?
>
> Does negotiating an SSL connection with this server require access to SSL
> certificates stored in files which may not be accessible to sudo prior to
> assuming root perms?

I tried setting ssl=on in the /etc/ldap/ldap.conf file (I downloaded the
source and had a look at ldap.c) but that made no difference, but I did
notice there was a section that was #ifdef'd out for ssl; it had another
type of bind function call.

When I changed to ssl=on the debug info was the same, except that ssl (yes)
was printed out instead of ssl (no).

I have set it up so that client authentication is not needed for ldaps.

> -- 
> Steve Langasek                   Give me a lever long enough and a Free OS
> Debian Developer                   to set it on, and I can move the world.
> [EMAIL PROTECTED]                                   http://www.debian.org/
Bug#368297: sudo-ldap fails when you change uri to ldaps
On Sun, May 21, 2006 at 06:39:56PM -0700, Steve Langasek wrote:
> On Mon, May 22, 2006 at 11:21:53AM +1000, Alexander Samad wrote:
> > On Sun, May 21, 2006 at 05:29:49PM -0700, Steve Langasek wrote:
>
> > I tried setting ssl=on in the /etc/ldap/ldap.conf file (I downloaded the
> > source and had a look at ldap.c) but that made no difference, but I did
> > notice there was a section that was #ifdef'd out for ssl; it had another
> > type of bind function call.
>
> > When I changed to ssl=on the debug info was the same, except that ssl (yes)
> > was printed out instead of ssl (no).
>
> Ok.
>
> > I have set it up so that client authentication is not needed for ldaps.
>
> However, I believe that by default libldap requires access to a trusted copy
> of the *server* certificate in order to establish an ldaps connection. Is it
> possible that pam_ldap and nss_ldap have access to *this* certificate, while
> sudo-ldap does not?

Just tested: copied /etc/ssl/certs/ca-certificates.crt to /tmp, and all the
files in /etc/ssl/certs/ are readable.

> -- 
> Steve Langasek                   Give me a lever long enough and a Free OS
> Debian Developer                   to set it on, and I can move the world.
> [EMAIL PROTECTED]                                   http://www.debian.org/