Bug 957

Summary: sudo ldap fails after upgrade from 1.8 to 1.9.5p2
Product: Sudo
Reporter: mathews.dennis
Component: Sudo
Assignee: Todd C. Miller <Todd.Miller>
Status: RESOLVED WORKSFORME
Severity: normal
Priority: low
Version: 1.9.5
Hardware: IBM
OS: AIX
Attachments: sudo scripts mkpkg config.log

Description mathews.dennis 2021-01-28 05:59:21 MST
Hi, we are struggling to get a working sudo ldap configuration after upgrading to 1.9.5p2. The previous working RPM was from the IBM linux toolbox, but since they haven't patched for CVE-2021-3156, we were hoping to use your pre-built rpm package.

sudo -V
Sudo version 1.9.5p2
Sudoers policy plugin version 1.9.5p2
Sudoers file grammar version 48
Sudoers I/O plugin version 1.9.5p2

rpm -qi sudo
Name        : sudo                         Relocations: (not relocateable)
Version     : 1.9.5                             Vendor: Todd C. Miller
Release     : 3                             Build Date: Sun 24 Jan 02:49:38 2021
Install date: Thu 28 Jan 23:06:55 2021      Build Host: aix61-p5.test.qas

I've tried a couple of ldap.conf variations, but they all fail to query LDAP (openLDAP)

Sample1 : /etc/ldap.conf
sudoers_base ou=sudo,dc=xxxxxx,dc=com,dc=au
base dc=xxxxx,dc=com,dc=au
sudoers_debug 0
uri ldaps://xxxxx.xxxxx.com.au ldaps://xxxxxx.xxxxx.com.au
binddn cn=xxxxxx,ou=admin,dc=xxxxx,dc=com,dc=au
bindpw xxxxxxxxxxxxxx
rootbinddn cn=xxxxx,ou=admin,dc=xxxxxx,dc=com,dc=au
tls_checkpeer yes
tls_cacertfile /etc/certs/xxxxx.pem
BIND_TIMELIMIT 5
SUDOERS_TIMED true

Sample 2: /etc/ldap.conf
sudoers_base ou=sudo,dc=xxxxx,dc=com,dc=au
base dc=xxxxx,dc=com,dc=au
sudoers_debug 0
uri ldaps://xxxxx.xxxxx.com.au ldaps://xxxxx.xxxxx.com.au
binddn cn=xxxxx,ou=admin,dc=xxxxx,dc=com,dc=au
bindpw xxxxxx
rootbinddn cn=xxxxx,ou=admin,dc=xxxxx,dc=com,dc=au
tls_checkpeer yes
tls_cacertfile /etc/certs/xxxxx.pem
tls_key /etc/certs/CA.kdb
tls_keypw xxxxx
BIND_TIMELIMIT 5
SUDOERS_TIMED true

Invoking sudo fails immediately with the following:
Sorry, try again.
Sorry, try again.
sudo: 3 incorrect password attempts

sudo_debug doesn't log anything related to ldap as we'd normally expect.

Any suggestions/hints as to where the problem might be are greatly appreciated.
Comment 1 Todd C. Miller 2021-01-28 06:08:11 MST
The AIX packages on sudo.ws don't contain support for sudoers in LDAP since AIX doesn't ship with LDAP libraries in the native configuration (that I know of).  I didn't realize that the IBM toolbox sudo rpm had LDAP enabled--I'll have to take a look and see whether they use OpenLDAP or IBM LDAP libraries.

In the meantime, if you have a working compiler installed you should be able to build your own sudo package from source by running:

./scripts/mkpkg --flavor=ldap --platform=rpm

at the top level of the source tree.
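Two things went wrong in this report in turn: the installed sudo had no LDAP support at all, and only then would ldap.conf have mattered. The following is an added example (not code from the bug report or from the sudo project) that checks both offline: it decides from `sudo -V` output whether the binary is an LDAP build, and lints an ldap.conf shaped like Sample 1. It assumes that `sudo -V` run as root prints `Configure options:` and `ldap.conf path:` lines on LDAP-enabled builds; the sample texts are constructed with placeholder DNs.

```python
"""Offline checks for a sudo-LDAP setup: was sudo built with LDAP, and is
ldap.conf sane? Added example, not from the bug report or the sudo project."""
import re

# Constructed: root `sudo -V` output for a build without LDAP (assumption:
# root output includes configure options and policy file paths).
SUDO_V_NOLDAP = """Sudo version 1.9.5p2
Configure options: --prefix=/opt/freeware --with-pam
Sudoers policy plugin version 1.9.5p2
Sudoers path: /etc/sudoers"""

# Constructed: the same build with --with-ldap, which also reports its ldap files.
SUDO_V_LDAP = SUDO_V_NOLDAP.replace("--with-pam", "--with-pam --with-ldap") \
    + "\nldap.conf path: /etc/ldap.conf\nldap.secret path: /etc/ldap.secret"

# Constructed ldap.conf with placeholder DNs, shaped like Sample 1 above.
LDAP_CONF = """sudoers_base ou=sudo,dc=example,dc=com
base dc=example,dc=com
uri ldaps://ldap1.example.com ldaps://ldap2.example.com
binddn cn=sudo-reader,ou=admin,dc=example,dc=com
bindpw PLACEHOLDER
tls_checkpeer yes
tls_cacertfile /etc/certs/ca.pem
BIND_TIMELIMIT 5
SUDOERS_TIMED true"""


def ldap_enabled(sudo_v_output: str) -> bool:
    """True when the binary reports an ldap.conf path or --with-ldap."""
    return bool(re.search(r"^(ldap\.conf path:|Configure options:.*--with-ldap)",
                          sudo_v_output, re.M))


def parse_ldap_conf(text: str) -> dict:
    """'key value' lines, '#' lines are comments, keys are case-insensitive."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            parts = line.split(None, 1)
            conf[parts[0].lower()] = parts[1] if len(parts) > 1 else ""
    return conf


def check_ldap_conf(text: str) -> list:
    """Findings a defender would fix before trusting LDAP-sourced sudoers."""
    conf = parse_ldap_conf(text)
    findings = []
    if "sudoers_base" not in conf:
        findings.append("sudoers_base missing: no search base for sudoRole entries")
    uris = conf.get("uri", "").split()
    if not uris and "host" not in conf:
        findings.append("no uri or host: no LDAP server to query")
    encrypted = any(u.startswith("ldaps://") for u in uris) \
        or conf.get("ssl", "").lower() in ("yes", "on", "true", "start_tls")
    if not encrypted and (uris or "host" in conf):
        findings.append("cleartext ldap://: rules and bind password travel unprotected")
    if encrypted and conf.get("tls_checkpeer", "").lower() not in ("yes", "on", "true"):
        findings.append("tls_checkpeer not yes: server certificate is never verified")
    if encrypted and not ({"tls_cacertfile", "tls_cacertdir"} & conf.keys()):
        findings.append("no tls_cacertfile/tls_cacertdir: no trust anchor for the server")
    if "bindpw" in conf:
        findings.append("bindpw stored in ldap.conf: file must not be world-readable")
    return findings
```

If `ldap_enabled` is false, no ldap.conf edit will help and the `--flavor=ldap` build above is the fix; otherwise the findings list is where to look next.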
Comment 2 mathews.dennis 2021-01-28 06:41:15 MST
Created attachment 549 [details]
sudo scripts mkpkg config.log
Comment 3 mathews.dennis 2021-01-28 06:43:15 MST
Haven't had much luck with scripts/mkpkg unfortunately.

Yes, the IBM toolbox offers 2 LDAP-enabled sudo rpms:
sudo - which uses openldap libraries, and
sudo_ids - which uses native AIX libs
Comment 4 Todd C. Miller 2021-01-28 07:13:53 MST
Looks like your gcc is broken.
Comment 5 mathews.dennis 2021-01-29 01:42:53 MST
Ok, no problem. The IBM toolbox has released updated rpms, so all good.
Thanks