Bug 330

Summary: Support TLS (and SSL) against IBM's LDAP library
Product: Sudo Reporter: Mark Janssen <maniac-sudo>
Component: SudoAssignee: Todd C. Miller <Todd.Miller>
Status: RESOLVED FIXED    
Severity: enhancement    
Priority: normal    
Version: 1.7.0   
Hardware: IBM   
OS: AIX   
Attachments: Example that uses TLS/SSL on IBM Ldap libraries
Badly hacked patch (sorry, no unified diff) to get start_tls working on idsldap libs

Description Mark Janssen 2009-01-30 11:36:18 MST 
Created attachment 239 [details]
Example that uses TLS/SSL on IBM Ldap libraries

It seems that IBM (and maybe other commercial unix vendors) have decided to implement SSL/StartTLS differently in their client-ldap libraries.

The SSL/TLS capabilities are not detected/used by sudo 1.7

Example api-docs:
http://publib.boulder.ibm.com/infocenter/zos/v1r9/index.jsp?topic=/com.ibm.zos.r9.glpa100/start_tls_s_np.htm

I'm currently using sudo without any SSL/TLS, but it would be very nice if the SSL/TLS capabilities could be used. I do use these for the OS-native pam_ldap and ldapsearch etc.
Comment 1 Mark Janssen 2009-01-30 11:42:00 MST 
http://people.apache.org/~covener/apr-tivoli-ssl.diff

This is a diff on Apache that seems to do the same... will need some work to get it to work with sudo
Comment 2 Todd C. Miller 2009-01-30 12:10:53 MST 
Thanks for the pointers.  It shouldn't be too hard to get this working for 1.7.1.
Comment 3 Mark Janssen 2009-02-20 10:53:42 MST 
Created attachment 242 [details]
Badly hacked patch (sorry, no unified diff) to get start_tls working on idsldap libs

Patch is on ldap.c from 1.7.0

Didn't include a configure rule to check for ldap_start_tls_s_np
Comment 4 Mark Janssen 2009-02-20 10:56:13 MST 
Seems to work (and I'm seeing ssf=256 in my ldap server logs ;)

ssl              start_tls
===================
sudo: ldap_init(ldapserver, 389)
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_start_tls_s_np() ok
sudo: ldap_sasl_bind_s() ok
sudo: found:cn=defaults,ou=SUDOers,dc=example,dc=com
Comment 5 Todd C. Miller 2009-03-01 16:23:55 MST 
I've applied a modified version of your patch.  Can you give the following a try?

ftp://ftp.sudo.ws/pub/millert/sudo/sudo-1.7.1b0.tar.gz
Comment 6 Mark Janssen 2009-03-02 03:35:37 MST 
Doesn't seem to work (yet) with 1.7.1b0

ssl              start_tls
===================
sudo: ldap_init(hostname1, hostname2, 389)
sudo: ldap_set_option: ldap_version -> 3
sudo: start_tls specified but LDAP libs do not support ldap_start_tls_s() or ldap_start_tls_s_np()
sudo: ldap_sasl_bind_s() ok
sudo: found:cn=defaults,ou=SUDOers,dc=domain,dc=tld
Comment 7 Mark Janssen 2009-03-02 03:44:36 MST 
Seems that HAVE_LDAP_START_TLS_S_NP isn't detected yet. When I manually set it in config.h I get:

        gcc -o sudo gram.o alias.o alloc.o defaults.o error.o list.o match.o  toke.o redblack.o zero_bytes.o sudo_auth.o aix_auth.o  aix.o ldap.o audit.o check.o env.o  getspwuid.o gettime.o goodpath.o fileops.o find_path.o  interfaces.o lbuf.o logging.o parse.o pwutil.o set_perms.o  sudo.o sudo_edit.o sudo_nss.o term.o tgetpass.o glob.o fnmatch.o memrchr.o strlcpy.o strlcat.o closefrom.o snprintf.o getprogname.o -Wl,-bI:./aixcrypt.exp -L/opt/IBM/ldap/V6.1/lib -Wl,-blibpath:/usr/lib:/lib:/usr/local/lib:/opt/IBM/ldap/V6.1/lib  -ls  -lldap    
ld: 0711-317 ERROR: Undefined symbol: .ldapssl_err2string
ld: 0711-345 Use the -bloadmap or -bnoquiet option to obtain more information.
collect2: ld returned 8 exit status
make: 1254-004 The error code from the last command is 1.
Comment 8 Mark Janssen 2009-03-02 04:52:55 MST 
Just re-creating 'configure' seems to have solved that issue
Comment 9 Todd C. Miller 2009-03-02 08:08:01 MST 
I've fixed those problems, please give this a spin:
ftp://ftp.sudo.ws/pub/millert/sudo/sudo-1.7.1b1.tar.gz
Comment 10 Mark Janssen 2009-03-09 06:23:44 MDT 
I've confirmed that TLS works on 1.7.1b2