Bug 316

Summary: sudo command hangs 225 sec before response if main Directory server stopped
Product: Sudo
Reporter: myriam walter <mywalter>
Component: Sudo
Assignee: Todd C. Miller <Todd.Miller>
Status: RESOLVED FIXED
Severity: high
CC: mywalter
Priority: high
Version: 1.6.8
Hardware: Sun
OS: All

Description myriam walter 2008-11-21 02:59:17 MST
We have sudo 1.6.8p12 configured with ldap and pam.
We have 4 directory servers replicated and about 500 clients (Solaris 8, Solaris 10, Redhat 4.5).

If the first Directory Server fails, ssh authentication is correct but the response of the sudo command arrives after 225 seconds
(45 retries of 5 seconds), the time to contact the second Directory server.

If the slapd of the first Directory server is stopped, ssh authentication and sudo response are fine.

We tried to set different time limit parameters in ldap.conf but same problem.
Do you have a solution?

Tks 
Myriam WALTER
Comment 1 Todd C. Miller 2008-11-21 09:36:08 MST
Please try the latest version of sudo, 1.6.9p18.  A number of LDAP fixes were made in the 1.6.9 releases.  You should also try setting the bind_timelimit and timelimit options in ldap.conf if you have not already done so.
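An ldap.conf check a defender could run to catch the configuration described in this thread, added here as an example that is neither sudo's own code nor part of the bug report. The option names (uri, host, bind_timelimit, timelimit) are those named in the comment above and in sudo's ldap.conf; the sample configs and server names are constructed.

```python
"""Added lint (not sudo's code): flag a sudo ldap.conf that lists several
directory servers but sets neither bind_timelimit nor timelimit, the options
named in the comment above, so a dead first server is only abandoned after
the default connect timeout (225 s in the report)."""
import re

# Constructed sample mirroring the reporter's setup: replicated servers, no limits.
WEAK_CONF = """\
uri ldap://ds1.example.com ldap://ds2.example.com
uri ldap://ds3.example.com ldap://ds4.example.com
sudoers_base ou=SUDOers,dc=example,dc=com
"""
# Same config with the two options from Comment 1 added (values are illustrative).
FIXED_CONF = WEAK_CONF + "bind_timelimit 5\ntimelimit 10\n"

def parse_ldap_conf(text):
    """Map each option (lower-cased) to the list of values given for it."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)          # keyword, then the rest of the line
        opts.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")
    return opts

def list_servers(opts):
    """Collect every server named on 'uri' and 'host' lines (space-separated lists)."""
    return [s for key in ("uri", "host") for v in opts.get(key, []) for s in v.split()]

def lint_failover(text):
    """Return findings for the failover-hang pattern; an empty list means none found."""
    opts = parse_ldap_conf(text)
    servers = list_servers(opts)
    if len(servers) < 2:
        return []                            # a single server has nothing to fail over to
    findings = []
    for opt in ("bind_timelimit", "timelimit"):
        values = opts.get(opt)
        if not values:
            findings.append(f"{len(servers)} servers listed but {opt} is unset")
        elif not re.fullmatch(r"[1-9]\d*", values[-1].strip()):  # check the last value given
            findings.append(f"{opt} must be a positive integer, got {values[-1]!r}")
    return findings

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print(name, lint_failover(conf) or "ok")
```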
Comment 2 myriam walter 2008-11-21 13:00:07 MST
Hello

We tried to change the bind_timelimit and timelimit options in ldap.conf without success.

We opened bugs with SUN support and Redhat support.
SUN told us to use a "load balancer" but we need to review our architecture.

We found this incident: http://www.nabble.com/client-timeout-td17762669.html - seems to be resolved with OpenLDAP 2.4.

We tried to configure the new version sudo 1.6.9p18 with OpenLDAP 2.4 without success:
./configure --with-audit=bsm --with-pam --with-ldap=/usr --sysconfdir=/usr/local/etc --with-ldap-conf-file=/usr/local/etc/ldap.conf 
....
BIO_set_flags                       /usr/local/lib/libldap.so
BIO_clear_flags                     /usr/local/lib/libldap.so
ber_set_option                      ldap.o  (symbol belongs to implicit dependency /usr/local/lib/liblber-2.4.so.2)
SSL_CTX_set_info_callback           /usr/local/lib/libldap.so
ld: fatal: Symbol referencing errors. No output written to sudo
collect2: ld returned 1 exit status
*** Error code 1
make: Fatal error: Command failed for target `sudo'


We decided to contact you to ask if you have an idea to resolve this problem.

We have "OPENLDAP 2.3.21" on our Solaris clients and "openldap-clients-2.2.13-7.4E" on Redhat.
Is sudo 1.6.9p18 compatible with our LDAP versions?
Are our configure options OK?
I had a look at ldap.c in the new sudo version and I see you have a lot of updates for ldap.conf, but I need to know if we can compile with OpenLDAP 2.3.


Tks for help 
Myriam WALTER 
Comment 3 Todd C. Miller 2008-11-21 15:40:51 MST
You can try adding -llber and -lssl to SUDO_LIBS in the Makefile and see if that resolves the issue.
Comment 4 myriam walter 2008-11-25 12:51:20 MST
Hello

We tested the latest version and modified the ldap.conf time limit parameters;
it works well.

Tks for help 
Myriam