Bug 943

Summary: sudo unable to initialize LDAP SSL initialization call failed
Product: Sudo
Reporter: mathews.dennis
Component: Sudo
Assignee: Todd C. Miller <Todd.Miller>
Status: RESOLVED FIXED
Severity: normal
CC: mathews.dennis
Priority: normal
Version: 1.9.2
Hardware: IBM
OS: AIX

Description mathews.dennis 2020-10-28 06:22:46 MDT
On AIX7.1 with LDAP authentication working correctly, sudo fails to initialize SSL.

Configure options: --exec-prefix=/usr --prefix=/usr --with-tty-tickets --with-umask=0077 --with-ignore-dot --with-logging=both --with-noexec --without-pam --with-aixauth --with-ldap=/opt/IBM/ldap/V6.3

sudo: LDAP Config Summary
sudo: ===================
sudo: uri              ldaps://xxxxxx.com ldaps://xxxxx.com
sudo: ldap_version     3
sudo: sudoers_base     ou=sudo,dc=xxxx,dc=xxxx,dc=xxxx
sudo: search_filter    (objectClass=sudoRole)
sudo: netgroup_base    (NONE: will use nsswitch)
sudo: netgroup_search_filter (objectClass=nisNetgroup)
sudo: binddn           cn=aixsudo,ou=admin,dc=xxxx,dc=xxxx,dc=au
sudo: bindpw           xxxxxxxxxxxxxx
sudo: bind_timelimit   15
sudo: ssl              (no)
sudo: tls_checkpeer    (yes)
sudo: tls_keyfile      /etc/certs/xxxxx.pem
sudo: ===================
sudo: ldap_ssl_client_init(): SSL initialization call failed (SSL reason code 408)
sudo: unable to initialize LDAP: SSL initialization call failed
Sudoers policy plugin version 1.9.2
Sudoers file grammar version 48
Sudoers path: /etc/sudoers
ldap.conf path: /etc/ldap.conf
ldap.secret path: /etc/ldap.secret
Authentication methods: 'aixauth'
Comment 1 Todd C. Miller 2020-10-28 08:49:30 MDT
Error 408 is LDAP_SSL_EXTENDED_ERROR_BAD_KEYFILE_PASSWORD.  For IBM (Tivoli) LDAP the key file needs to be a kdb file, not a pem format file.  I haven't tried using IBM LDAP in a while but you should be able to use the gsk8capicmd_64 command to create a kdb file.  IBM has some documentation on configuring LDAP for SSL/TLS which may be helpful.
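As an added example (not sudo's code and not part of this bug report), the following shell script lints a sudo ldap.conf for the condition described in comment 1: TLS in use (ldaps:// URIs or ssl on/start_tls) with a tls_key that is a PEM file rather than an IBM key database, or a .kdb with no tls_keypw to open it. The check is only meaningful for a sudo built against IBM (Tivoli) LDAP, since an OpenLDAP build expects PEM files. The three configurations are constructed samples modelled on the report with hostnames and secrets replaced; the gsk8capicmd_64 invocation in the comments is given as an assumption about the GSKit CLI and should be checked against the installed version.

```shell
#!/bin/sh
# Added example (not sudo's own code): lint a sudo ldap.conf for the IBM LDAP
# key-file requirement.  Only meaningful for a sudo built against IBM (Tivoli)
# LDAP; an OpenLDAP build expects PEM files instead of a .kdb key database.

# Constructed sample, modelled on the report's config summary with hosts and
# secrets replaced: ldaps:// URIs but a PEM key file (SSL reason code 408).
BAD_CONF='uri ldaps://ldap1.example.com ldaps://ldap2.example.com
ldap_version 3
sudoers_base ou=sudo,dc=example,dc=com
binddn cn=aixsudo,ou=admin,dc=example,dc=com
bindpw placeholder
tls_checkpeer yes
tls_key /etc/certs/client.pem'

# Constructed sample: key database named, but no password to open it.
NOPW_CONF='uri ldaps://ldap1.example.com
tls_checkpeer yes
tls_key /etc/certs/sudo-ldap.kdb'

# Constructed sample: the shape of the fix from comment 2.  The .kdb path and
# password are placeholders.  The database itself would be created with GSKit,
# roughly as below (assumed flag spellings; verify against your GSKit version):
#   gsk8capicmd_64 -keydb -create -db /etc/certs/sudo-ldap.kdb -pw 'kdb-password'
#   gsk8capicmd_64 -cert -add -db /etc/certs/sudo-ldap.kdb -pw 'kdb-password' \
#       -label ldap-ca -file /etc/certs/ldap-ca.pem -format ascii
GOOD_CONF='uri ldaps://ldap1.example.com
tls_checkpeer yes
tls_key /etc/certs/sudo-ldap.kdb
tls_keypw kdb-password'

# Read an ldap.conf on stdin; print one "FINDING:" line per problem.
# Exit status 0 when clean, 1 when anything was found.
lint_conf() {
    tls=0 key='' keypw=0 n=0
    while read -r kw val || [ -n "$kw" ]; do
        case $kw in ''|'#'*) continue ;; esac      # blank line or comment
        kw=$(printf '%s' "$kw" | tr 'A-Z' 'a-z')   # keywords are case-insensitive
        case $kw in
            uri)   case $val in *ldaps://*) tls=1 ;; esac ;;
            ssl)   case $(printf '%s' "$val" | tr 'A-Z' 'a-z') in
                       on|yes|true|start_tls) tls=1 ;;
                   esac ;;
            tls_key)   key=$val ;;
            tls_keypw) keypw=1 ;;
        esac
    done
    [ "$tls" -eq 1 ] || return 0   # no TLS configured, nothing to check
    case $key in
        '')    echo 'FINDING: TLS in use but no tls_key set; IBM LDAP needs a .kdb key database'
               n=$((n+1)) ;;
        *.kdb) if [ "$keypw" -eq 0 ]; then
                   echo 'FINDING: tls_key is a .kdb but tls_keypw is missing, so it cannot be opened'
                   n=$((n+1))
               fi ;;
        *)     echo "FINDING: tls_key $key is not a .kdb key database; IBM LDAP rejects PEM (reason code 408)"
               n=$((n+1)) ;;
    esac
    [ "$n" -eq 0 ]
}

# Number of findings for a config passed as a string (handy when scripting).
count_findings() {
    printf '%s\n' "$1" | lint_conf | grep -c '^FINDING:' || true
}

# Run the lint over the three constructed samples.
for conf in "$BAD_CONF" "$NOPW_CONF" "$GOOD_CONF"; do
    if printf '%s\n' "$conf" | lint_conf; then echo 'OK: no findings'; fi
    echo ---
done
```

Note that tls_keypw puts the key database password in ldap.conf in clear text, alongside bindpw, so the file should stay root-owned and not readable by other users, just like ldap.secret. The script only flags the obvious mismatch; it does not verify that the .kdb actually contains the LDAP server's CA certificate, which tls_checkpeer still requires.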
Comment 2 mathews.dennis 2020-10-28 13:33:28 MDT
That fixed it. Thanks!
I set tls_key to a kdb file along with tls_keypw containing the password to decrypt the key database and problem solved!