Bugzilla – Bug 499
sudo: nss_ldap: failed to bind to LDAP server
Last modified: 2011-06-15 19:11:55 MDT
On RHEL5.5, "sudo-1.7.2p1-9.el5_5", sudo fails to bind to the ldap server when used. The problem appears to be that sudo is only reading /etc/ldap.conf looking for bindpw. It should also be checking /etc/ldap.secret for the bindpw.
sudo: nss_ldap: failed to bind to LDAP server ldap://myserver.mycompany.net: Server is unwilling to perform

On the directory server the information that is logged says:

[13/Jun/2011:19:42:55.728 -0700] BIND RESULT product="Directory Server" instanceName="myldapserver.mycompany.net" conn=20440 op=0 msgID=1 requesterIP="192.168.1.1" version="3" dn="cn=myserver.mycompany.net.*,nisMapName=netGroup.byhost,ou=theworld,ou=linux,ou=accounts,o=mycompany,c=us" authType="SIMPLE" resultCode=53 message="Unable to process the simple bind request because it contained a bind DN but no password, which is forbidden by the server configuration" etime=0.292 clientConnectionPolicy="default"
If you set rootbinddn in ldap.conf sudo will use /etc/ldap.secret for bindpw
rootbinddn is set in /etc/ldap.conf!! sudo 1.7.2p1 (RHEL5.5) is ignoring /etc/ldap.secret. I can confirm that is what is happening by adding bindpw back into /etc/ldap.conf and sudo then authenticates. However that then becomes a security problem since bindpw, binddn and rootbinddn are visible on the box.
$ strace -s 128 -e open sudo -u xyzz /bin/cat /var/log/secure
open("/etc/ld.so.cache", O_RDONLY) = 3
open("/lib64/libselinux.so.1", O_RDONLY) = 3
open("/lib64/libcap.so.1", O_RDONLY) = 3
open("/lib64/libpam.so.0", O_RDONLY) = 3
open("/lib64/libdl.so.2", O_RDONLY) = 3
open("/usr/lib64/libldap-2.3.so.0", O_RDONLY) = 3
open("/lib64/libc.so.6", O_RDONLY) = 3
open("/lib64/libaudit.so.0", O_RDONLY) = 3
open("/usr/lib64/liblber-2.3.so.0", O_RDONLY) = 3
open("/lib64/libsepol.so.1", O_RDONLY) = 3
open("/lib64/libresolv.so.2", O_RDONLY) = 3
open("/usr/lib64/libsasl2.so.2", O_RDONLY) = 3
open("/lib64/libssl.so.6", O_RDONLY) = 3
open("/lib64/libcrypto.so.6", O_RDONLY) = 3
open("/lib64/libcrypt.so.1", O_RDONLY) = 3
open("/usr/lib64/libgssapi_krb5.so.2", O_RDONLY) = 3
open("/usr/lib64/libkrb5.so.3", O_RDONLY) = 3
open("/lib64/libcom_err.so.2", O_RDONLY) = 3
open("/usr/lib64/libk5crypto.so.3", O_RDONLY) = 3
open("/usr/lib64/libz.so.1", O_RDONLY) = 3
open("/usr/lib64/libkrb5support.so.0", O_RDONLY) = 3
open("/lib64/libkeyutils.so.1", O_RDONLY) = 3
open("/etc/selinux/config", O_RDONLY) = 3
open("/proc/mounts", O_RDONLY) = 3
open("/selinux/mls", O_RDONLY) = 3
open("/usr/lib/locale/locale-archive", O_RDONLY) = 3
open("/etc/nsswitch.conf", O_RDONLY) = 3
open("/etc/ld.so.cache", O_RDONLY) = 3
open("/lib64/libnss_files.so.2", O_RDONLY) = 3
open("/etc/passwd", O_RDONLY) = 3
open("/etc/group", O_RDONLY) = 4
open("/etc/localtime", O_RDONLY) = 5
open("/etc/nsswitch.conf", O_RDONLY) = 5
open("/etc/sudoers", O_RDONLY) = 5
open("/proc/sys/kernel/ngroups_max", O_RDONLY) = 6
open("/etc/netgroup", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY) = 6
open("/lib64/libnss_ldap.so.2", O_RDONLY) = 6
open("/etc/ldap.conf", O_RDONLY) = 6
open("/etc/ldap.secret", O_RDONLY) = -1 EACCES (Permission denied)
open("/etc/resolv.conf", O_RDONLY) = 6
open("/etc/host.conf", O_RDONLY) = 6
open("/etc/hosts", O_RDONLY) = 6
open("/etc/openldap/ldap.conf", O_RDONLY) = 6
open("/etc/hosts", O_RDONLY) = 6
open("/etc/hosts", O_RDONLY) = 6
open("/etc/ld.so.cache", O_RDONLY) = 6
open("/lib64/libnss_dns.so.2", O_RDONLY) = 6
I don't know why the open of /etc/ldap.secret would fail since it is opened as root. If you have SELinux enabled it is possible that the policy is preventing access to /etc/ldap.secret. You could try temporarily disabling SELinux and see if the behavior changes.
SELinux turned off and rebooted. sestatus used to verify it is disabled.

$ sestatus
SELinux status: disabled

Sudo test repeated - same problem.

$ strace -s 128 -e open sudo -u xyzz /bin/cat /var/log/secure
open("/etc/ld.so.cache", O_RDONLY) = 3
open("/lib64/libselinux.so.1", O_RDONLY) = 3
open("/lib64/libcap.so.1", O_RDONLY) = 3
open("/lib64/libpam.so.0", O_RDONLY) = 3
open("/lib64/libdl.so.2", O_RDONLY) = 3
open("/usr/lib64/libldap-2.3.so.0", O_RDONLY) = 3
open("/lib64/libc.so.6", O_RDONLY) = 3
open("/lib64/libaudit.so.0", O_RDONLY) = 3
open("/usr/lib64/liblber-2.3.so.0", O_RDONLY) = 3
open("/lib64/libsepol.so.1", O_RDONLY) = 3
open("/lib64/libresolv.so.2", O_RDONLY) = 3
open("/usr/lib64/libsasl2.so.2", O_RDONLY) = 3
open("/lib64/libssl.so.6", O_RDONLY) = 3
open("/lib64/libcrypto.so.6", O_RDONLY) = 3
open("/lib64/libcrypt.so.1", O_RDONLY) = 3
open("/usr/lib64/libgssapi_krb5.so.2", O_RDONLY) = 3
open("/usr/lib64/libkrb5.so.3", O_RDONLY) = 3
open("/lib64/libcom_err.so.2", O_RDONLY) = 3
open("/usr/lib64/libk5crypto.so.3", O_RDONLY) = 3
open("/usr/lib64/libz.so.1", O_RDONLY) = 3
open("/usr/lib64/libkrb5support.so.0", O_RDONLY) = 3
open("/lib64/libkeyutils.so.1", O_RDONLY) = 3
open("/etc/selinux/config", O_RDONLY) = 3
open("/proc/mounts", O_RDONLY) = 3
open("/usr/lib/locale/locale-archive", O_RDONLY) = 3
open("/etc/nsswitch.conf", O_RDONLY) = 3
open("/etc/ld.so.cache", O_RDONLY) = 3
open("/lib64/libnss_files.so.2", O_RDONLY) = 3
open("/etc/passwd", O_RDONLY) = 3
open("/etc/group", O_RDONLY) = 4
open("/etc/localtime", O_RDONLY) = 5
open("/etc/nsswitch.conf", O_RDONLY) = 5
open("/etc/sudoers", O_RDONLY) = 5
open("/proc/sys/kernel/ngroups_max", O_RDONLY) = 6
open("/etc/netgroup", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY) = 6
open("/lib64/libnss_ldap.so.2", O_RDONLY) = 6
open("/etc/ldap.conf", O_RDONLY) = 6
open("/etc/ldap.secret", O_RDONLY) = -1 EACCES (Permission denied)
open("/etc/resolv.conf", O_RDONLY) = 6
open("/etc/host.conf", O_RDONLY) = 6
open("/etc/hosts", O_RDONLY) = 6
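The thread turns on two things: where nss_ldap takes its bind password from (a bindpw line in /etc/ldap.conf, or rootbinddn plus the contents of /etc/ldap.secret), and the fact that the strace shows /etc/ldap.secret failing with EACCES when sudo's lookup runs. The following audit script is an added example, not code from the bug report or from sudo or nss_ldap; it reproduces that resolution order on a copy of the config files and reports the weak setups (bindpw in the world-readable config, a secret file that is not mode 0600, or a secret file the calling user cannot read). The file paths are parameters; the sample ldap.conf contents in the usage are constructed.

```shell
#!/bin/sh
# Added example, not from the bug thread or from sudo/nss_ldap. Audits the two
# places nss_ldap can take its bind password from, as discussed in the report:
#   - "bindpw" in ldap.conf (readable by everyone on the box), or
#   - "rootbinddn" in ldap.conf plus the password in ldap.secret, which should
#     be mode 0600 and is therefore only readable when the lookup runs as root.

# ldap_conf_value FILE KEY: print the value of the first non-comment "KEY value"
# line in an ldap.conf-style file (empty output when the key is absent).
ldap_conf_value() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }      # skip comment lines
        $1 == key { print $2; exit }   # first match wins
    ' "$1"
}

# bind_password_source LDAP_CONF SECRET_FILE: print where the bind password
# would come from for the caller's privileges.
#   ldap.conf   bindpw sits in the config file itself
#   ldap.secret rootbinddn is set and the secret file is readable by this user
#   unreadable  rootbinddn is set but the secret file is missing or cannot be
#               read (the EACCES case in the strace output above)
#   none        neither is configured, so the bind carries no password
bind_password_source() {
    conf=$1
    secret=$2
    if [ -n "$(ldap_conf_value "$conf" bindpw)" ]; then
        echo ldap.conf
    elif [ -n "$(ldap_conf_value "$conf" rootbinddn)" ]; then
        if [ -r "$secret" ] && [ -s "$secret" ]; then
            echo ldap.secret
        else
            echo unreadable
        fi
    else
        echo none
    fi
}

# secret_mode_ok FILE: succeed only if FILE is a regular file with mode 0600
# (no group or other permission bits); ls -l is used for portability.
secret_mode_ok() {
    [ -f "$1" ] || return 1
    perm=$(ls -ld "$1" | cut -c1-10)
    [ "$perm" = "-rw-------" ]
}

# audit_ldap_bind_config LDAP_CONF SECRET_FILE: print one finding per line and
# return 1 if anything needs attention.
audit_ldap_bind_config() {
    status=0
    case "$(bind_password_source "$1" "$2")" in
        ldap.conf)
            echo "WARN: bindpw is stored in $1; move it to $2 and set rootbinddn"
            status=1 ;;
        unreadable)
            echo "WARN: rootbinddn set but $2 is not readable by uid $(id -u)"
            status=1 ;;
        none)
            echo "WARN: no bind password configured; the server may refuse the bind"
            status=1 ;;
        ldap.secret)
            echo "OK: bind password comes from $2" ;;
    esac
    if [ -f "$2" ] && ! secret_mode_ok "$2"; then
        echo "WARN: $2 should be mode 0600"
        status=1
    fi
    return $status
}

# Usage on the live system, with the paths named in the report:
#   audit_ldap_bind_config /etc/ldap.conf /etc/ldap.secret
# Run it once as root and once as an ordinary user: the "unreadable" finding in
# the second run is the same condition the strace above shows as EACCES.
```

Running the audit as both root and an unprivileged user is the point: the config can be correct for root and still fail for a lookup that happens while privileges are dropped, which is what the two strace runs in this report show.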