Bugzilla – Bug 330
Support TLS (and SSL) against IBM's LDAP library
Last modified: 2009-03-09 06:23:44 MDT
Created attachment 239: Example that uses TLS/SSL on IBM Ldap libraries

It seems that IBM (and maybe other commercial unix vendors) have decided to implement SSL/StartTLS differently in their client-ldap libraries. The SSL/TLS capabilities are not detected/used by sudo 1.7.

Example api-docs: http://publib.boulder.ibm.com/infocenter/zos/v1r9/index.jsp?topic=/com.ibm.zos.r9.glpa100/start_tls_s_np.htm

I'm currently using sudo without any SSL/TLS, but it would be very nice if the SSL/TLS capabilities could be used. I do use these for the OS-native pam_ldap and ldapsearch etc.
http://people.apache.org/~covener/apr-tivoli-ssl.diff

This is a diff on Apache that seems to do the same... will need some work to get it to work with sudo.
Thanks for the pointers. It shouldn't be too hard to get this working for 1.7.1.
Created attachment 242: Badly hacked patch (sorry, no unified diff) to get start_tls working on idsldap libs

Patch is on ldap.c from 1.7.0. Didn't include a configure rule to check for ldap_start_tls_s_np.
Seems to work (and I'm seeing ssf=256 in my ldap server logs ;)

    ssl start_tls
    ===================
    sudo: ldap_init(ldapserver, 389)
    sudo: ldap_set_option: ldap_version -> 3
    sudo: ldap_start_tls_s_np() ok
    sudo: ldap_sasl_bind_s() ok
    sudo: found:cn=defaults,ou=SUDOers,dc=example,dc=com
I've applied a modified version of your patch. Can you give the following a try?

ftp://ftp.sudo.ws/pub/millert/sudo/sudo-1.7.1b0.tar.gz
Doesn't seem to work (yet) with 1.7.1b0:

    ssl start_tls
    ===================
    sudo: ldap_init(hostname1, hostname2, 389)
    sudo: ldap_set_option: ldap_version -> 3
    sudo: start_tls specified but LDAP libs do not support ldap_start_tls_s() or ldap_start_tls_s_np()
    sudo: ldap_sasl_bind_s() ok
    sudo: found:cn=defaults,ou=SUDOers,dc=domain,dc=tld
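The debug output in the two test runs above shows the condition a defender wants to catch: in the second run StartTLS was requested, the library could not provide it, and sudo still went on to bind successfully, so the bind credentials crossed the wire without TLS. The following is an added example (not code from the bug report or from sudo) that parses sudo's LDAP debug output and flags that silent fallback. The two sample logs are constructed from the output quoted in this bug; the regexes are written against the message strings visible on this page, except that `ldap_simple_bind_s() ok` is an assumed additional bind message and may not match every sudo version.

```python
import re

# Constructed samples, copied from the two test runs quoted in the bug report.
SAMPLE_TLS_OK = """ssl start_tls
===================
sudo: ldap_init(ldapserver, 389)
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_start_tls_s_np() ok
sudo: ldap_sasl_bind_s() ok
sudo: found:cn=defaults,ou=SUDOers,dc=example,dc=com"""

SAMPLE_TLS_FALLBACK = """ssl start_tls
===================
sudo: ldap_init(hostname1, hostname2, 389)
sudo: ldap_set_option: ldap_version -> 3
sudo: start_tls specified but LDAP libs do not support ldap_start_tls_s() or ldap_start_tls_s_np()
sudo: ldap_sasl_bind_s() ok
sudo: found:cn=defaults,ou=SUDOers,dc=domain,dc=tld"""

# Message patterns taken from the debug lines quoted in the bug.
START_TLS_REQUESTED = re.compile(r"^ssl\s+start_tls\b")
START_TLS_OK = re.compile(r"ldap_start_tls_s(?:_np)?\(\) ok")
START_TLS_UNSUPPORTED = re.compile(r"start_tls specified but LDAP libs do not support")
# 'ldap_simple_bind_s' is an assumed variant; only the sasl form appears on the page.
BIND_OK = re.compile(r"ldap_(?:sasl|simple)_bind_s\(\) ok")
LDAP_INIT = re.compile(r"ldap_init\((?P<args>[^)]*)\)")


def analyse_sudo_ldap_debug(log):
    """Summarise one sudo LDAP debug transcript.

    Returns a dict; 'plaintext_bind' is True when StartTLS was configured,
    never completed, and a bind still succeeded (credentials sent in clear).
    """
    result = {
        "start_tls_requested": False,
        "start_tls_ok": False,
        "start_tls_unsupported": False,
        "bind_ok": False,
        "hosts": [],
        "port": None,
    }
    for raw in log.splitlines():
        line = raw.strip()
        if START_TLS_REQUESTED.search(line):
            result["start_tls_requested"] = True
        if START_TLS_OK.search(line):
            result["start_tls_ok"] = True
        if START_TLS_UNSUPPORTED.search(line):
            result["start_tls_unsupported"] = True
        if BIND_OK.search(line):
            result["bind_ok"] = True
        m = LDAP_INIT.search(line)
        if m:
            # sudo prints every configured host followed by the port, e.g.
            # ldap_init(hostname1, hostname2, 389)
            args = [a.strip() for a in m.group("args").split(",") if a.strip()]
            if args and args[-1].isdigit():
                result["port"] = int(args[-1])
                result["hosts"] = args[:-1]
            else:
                result["hosts"] = args
    result["plaintext_bind"] = (
        result["start_tls_requested"]
        and result["bind_ok"]
        and not result["start_tls_ok"]
    )
    return result


def verdict(log):
    """One-line human-readable summary for an operator or a log-review job."""
    r = analyse_sudo_ldap_debug(log)
    if r["plaintext_bind"]:
        return "FAIL: start_tls configured but bind completed without TLS"
    if r["start_tls_requested"] and r["start_tls_ok"]:
        return "OK: StartTLS negotiated before bind"
    return "INFO: no StartTLS requested"


if __name__ == "__main__":
    for name, sample in (("1.7.0+patch", SAMPLE_TLS_OK), ("1.7.1b0", SAMPLE_TLS_FALLBACK)):
        print(name, "->", verdict(sample))
```

Run it against the output of `sudo -l` with LDAP debugging enabled; a FAIL verdict means the client library in use lacks both `ldap_start_tls_s()` and `ldap_start_tls_s_np()` and the build (or the configure detection, as in this bug) needs fixing before the host is allowed to talk to the directory.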
Seems that HAVE_LDAP_START_TLS_S_NP isn't detected yet. When I manually set it in config.h I get:

    gcc -o sudo gram.o alias.o alloc.o defaults.o error.o list.o match.o toke.o redblack.o zero_bytes.o sudo_auth.o aix_auth.o aix.o ldap.o audit.o check.o env.o getspwuid.o gettime.o goodpath.o fileops.o find_path.o interfaces.o lbuf.o logging.o parse.o pwutil.o set_perms.o sudo.o sudo_edit.o sudo_nss.o term.o tgetpass.o glob.o fnmatch.o memrchr.o strlcpy.o strlcat.o closefrom.o snprintf.o getprogname.o -Wl,-bI:./aixcrypt.exp -L/opt/IBM/ldap/V6.1/lib -Wl,-blibpath:/usr/lib:/lib:/usr/local/lib:/opt/IBM/ldap/V6.1/lib -ls -lldap
    ld: 0711-317 ERROR: Undefined symbol: .ldapssl_err2string
    ld: 0711-345 Use the -bloadmap or -bnoquiet option to obtain more information.
    collect2: ld returned 8 exit status
    make: 1254-004 The error code from the last command is 1.
Just re-creating 'configure' seems to have solved that issue.
I've fixed those problems, please give this a spin:

ftp://ftp.sudo.ws/pub/millert/sudo/sudo-1.7.1b1.tar.gz
I've confirmed that TLS works on 1.7.1b2.