Bug 416 - sudo with ldap fails when tls_checkpeer is set to yes
Status: RESOLVED FIXED
Product: Sudo
Classification: Unclassified
Component: Sudo
Version: 1.7.2
Hardware: PC Linux
Importance: low high
Assigned To: Todd C. Miller
Reported: 2010-07-08 07:46 MDT by Raymond Doetjes
Modified: 2010-07-08 09:06 MDT (History)
Description Raymond Doetjes 2010-07-08 07:46:49 MDT
Sudo, when configured in combination with ldap, fails with the error:
sudo: ldap_sasl_bind_s(): Can't contact LDAP server

when tls_checkpeer is set to yes in ldap.conf (with a valid cacert!).

Here is the ldap.conf
---
base ou=Identities,ou=Resources,o=ING
uri ldaps://idmediriv.ins.hu.intranet/
ldap_version 3
binddn CN=10_83_193_34 - idmdev,OU=Hosts,OU=UNIX,OU=Services,O=ING
bindpw *********
bind_policy soft
scope sub
timelimit 5
bind_timelimit 5
pam_login_attribute uid
pam_member_attribute gid
pam_password nds
pam_filter objectclass=posixAccount
pam_groupdn CN=10_83_193_34 - idmdev,OU=Hosts,OU=UNIX,OU=Services,O=ING
pam_member_attribute member

nss_reconnect_tries 2
nss_base_group ou=Groups,ou=Unix,ou=Services,o=ING
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group

nss_map_attribute gecos displayname
nss_map_attribute uniqueMember member

ssl yes
TLS_CACERT /etc/openldap/cacerts/security_vault.cer
tls_checkpeer yes
referrals no
deref always

sudoers_base ou=SudoRoles,ou=Unix,ou=Services,o=ing
---

DTRACE eDirectory:
In the trace on the ldap server the following error appears:
 error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca - SSL alert number 48

OPENSSL OUTPUT:
openssl s_client -host idmediriv -port 636  -CAfile /etc/openldap/cacerts/security_vault.cer
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 21709E06DFFEE95F7FB484C61F39A9D97AFDF0F3C4EE98858036128E4A3588B2
    Session-ID-ctx:
    Master-Key: B6CAF1F56A37A8AD0243A471648658F385DF584730E18FEA9D9B9F185EFA5DC782F1DD59F78E1043B4FA53476230BED4
    Key-Arg   : None
    Krb5 Principal: None
    Start Time: 1278589410
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
When tls_checkpeer is set to "no" it works again (as with the old version of sudo, 1.6.9p17, that we used to use). We are required to enforce cacert checking.
Comment 1 Todd C. Miller 2010-07-08 08:32:35 MDT
Sudo expects TLS_CACERTFILE but you have TLS_CACERT in ldap.conf.  It looks like this is an oversight and sudo should also accept TLS_CACERT.
Comment 2 Raymond Doetjes 2010-07-08 08:45:35 MDT
Dear Todd,

ldap.conf indeed has some things that are actually configurable with different parameters or values. This is very annoying indeed.

However, your remark did actually solve our problem; we changed TLS_CACERT to TLS_CACERTFILE, and both pam_ldap and sudo work perfectly that way.

To us this issue is closed.
Comment 3 Todd C. Miller 2010-07-08 09:06:59 MDT
Unfortunately, the settings in ldap.conf vary from client to client.  I've aliased TLS_CACERT to TLS_CACERTFILE in the sudo 1.7 branch and in trunk.
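A pre-flight check for the mismatch this thread turned on, as an added example that is not part of the bug report or of sudo's own code: it parses an ldap.conf the way sudo reads it (assumed here: case-insensitive keys, the value being the rest of the line) and flags the configurations that leave peer verification broken or disabled. The sample config, host names and paths are constructed.

```python
import re

# Constructed sample, shaped like the reporter's ldap.conf (not the real one).
SAMPLE_LDAP_CONF = """\
uri ldaps://ldap.example.test/
binddn CN=host01 - idmdev,OU=Hosts,dc=example,dc=test
ssl yes
TLS_CACERT /etc/openldap/cacerts/ca.cer
tls_checkpeer yes
sudoers_base ou=SudoRoles,dc=example,dc=test
"""

CACERT_KEYS = {"tls_cacertfile", "tls_cacert"}


def parse_ldap_conf(text):
    """Parse 'KEY value' lines into {lowercased key: value}.

    Keys are matched case-insensitively (assumption, mirroring how sudo read
    TLS_CACERTFILE); the value is everything after the first whitespace run, so
    DNs containing spaces survive. A later key overrides an earlier one."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        conf[parts[0].lower()] = parts[1] if len(parts) > 1 else ""
    return conf


def check_cacert(conf, accepts_tls_cacert):
    """Return a list of findings about CA-certificate configuration.

    accepts_tls_cacert=False models sudo before the fix in this thread (only
    TLS_CACERTFILE was read); True models the 1.7 branch after TLS_CACERT was
    aliased to TLS_CACERTFILE."""
    findings = []
    if conf.get("tls_checkpeer", "no").lower() != "yes":
        # The reporter's interim workaround: it makes bind succeed, but the
        # server certificate is then not verified at all.
        findings.append("tls_checkpeer is not 'yes': the LDAP server certificate is not verified")
        return findings
    recognised = {"tls_cacertfile"} | ({"tls_cacert"} if accepts_tls_cacert else set())
    present = {k for k in conf if k in CACERT_KEYS}
    if not present:
        findings.append("tls_checkpeer yes but no CA certificate file is configured")
    elif not (present & recognised):
        findings.append("tls_checkpeer yes but only %s is set, which this sudo ignores; "
                        "bind will fail with 'unknown ca'" % ", ".join(sorted(present)))
    return findings
```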