Bugzilla – Bug 957
sudo ldap fails after upgrade from 1.8 to 1.9.5p2
Last modified: 2022-10-24 09:41:34 MDT
Hi, we are struggling to get a working sudo ldap configuration after upgrading to 1.9.52. The previous working RPM was from the IBM linux toolbox, but since they haven't patched for CVE-2021-3156, we were hoping to use your pre-built rpm package.

sudo -V
    Sudo version 1.9.5p2
    Sudoers policy plugin version 1.9.5p2
    Sudoers file grammar version 48
    Sudoers I/O plugin version 1.9.5p2

rpm -qi sudo
    Name         : sudo                        Relocations: (not relocateable)
    Version      : 1.9.5                       Vendor: Todd C. Miller
    Release      : 3                           Build Date: Sun 24 Jan 02:49:38 2021
    Install date : Thu 28 Jan 23:06:55 2021    Build Host: aix61-p5.test.qas

I've tried a couple of ldap.conf variations, but they all fail to query LDAP (openLDAP).

Sample 1: /etc/ldap.conf
    sudoers_base ou=sudo,dc=xxxxxx,dc=com,dc=au
    base dc=xxxxx,dc=com,dc=au
    sudoers_debug 0
    uri ldaps://xxxxx.xxxxx.com.au ldaps://xxxxxx.xxxxx.com.au
    binddn cn=xxxxxx,ou=admin,dc=xxxxx,dc=com,dc=au
    bindpw xxxxxxxxxxxxxx
    rootbinddn cn=xxxxx,ou=admin,dc=xxxxxx,dc=com,dc=au
    tls_checkpeer yes
    tls_cacertfile /etc/certs/xxxxx.pem
    BIND_TIMELIMIT 5
    SUDOERS_TIMED true

Sample 2: /etc/ldap.conf
    sudoers_base ou=sudo,dc=xxxxx,dc=com,dc=au
    base dc=xxxxx,dc=com,dc=au
    sudoers_debug 0
    uri ldaps://xxxxx.xxxxx.com.au ldaps://xxxxx.xxxxx.com.au
    binddn cn=xxxxx,ou=admin,dc=xxxxx,dc=com,dc=au
    bindpw xxxxxx
    rootbinddn cn=xxxxx,ou=admin,dc=xxxxx,dc=com,dc=au
    tls_checkpeer yes
    tls_cacertfile /etc/certs/xxxxx.pem
    tls_key /etc/certs/CA.kdb
    tls_keypw xxxxx
    BIND_TIMELIMIT 5
    SUDOERS_TIMED true

Invoking sudo fails immediately with the following:
    Sorry, try again.
    Sorry, try again.
    sudo: 3 incorrect password attempts

sudo_debug doesn't log anything related to ldap as we'd normally expect. Any suggestions/hints as to where the problem might be are greatly appreciated.
The AIX packages on sudo.ws don't contain support for sudoers in LDAP since AIX doesn't ship with LDAP libraries in the native configuration (that I know of). I didn't realize that the IBM toolbox sudo rpm had LDAP enabled--I'll have to take a look and see whether they use OpenLDAP or IBM LDAP libraries. In the meantime, if you have a working compiler installed you should be able to build your own sudo package from source by running: ./scripts/mkpkg --flavor=ldap --platform=rpm at the top level of the source tree.
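A quick way to confirm whether an installed sudo was built with LDAP support before chasing ldap.conf settings, added here as an example and not part of this bug report: the sudoers plugin prints "ldap.conf path:" and "ldap.secret path:" in `sudo -V` output (run as root) only when it was compiled with LDAP. The function below checks captured `sudo -V` output; the two sample outputs are constructed, not taken from the reporter's system.

```shell
#!/bin/sh
# Added example (not part of this bug report): decide from `sudo -V` output
# whether the sudoers plugin has LDAP support compiled in. A package built
# without it never consults sudoers in LDAP, so ldap.conf is simply ignored
# and sudo falls back to the local sudoers file and password prompts.

# Reads `sudo -V` output on stdin. Prints the ldap.conf path and returns 0
# when LDAP support is present; returns 1 when it is absent.
sudo_has_ldap() {
    path=$(sed -n 's/^ldap\.conf path: *//p' | head -n 1)
    [ -n "$path" ] || return 1
    printf '%s\n' "$path"
}

# Human-readable verdict for the output on stdin.
report() {
    if path=$(sudo_has_ldap); then
        echo "LDAP support: yes (ldap.conf path: $path)"
    else
        echo "LDAP support: no (sudoers in LDAP will never be queried)"
    fi
}

# Constructed sample: the relevant lines from a build configured --with-ldap.
WITH_LDAP='Sudo version 1.9.5p2
Configure options: --with-ldap
Sudoers policy plugin version 1.9.5p2
Sudoers file grammar version 48
ldap.conf path: /etc/ldap.conf
ldap.secret path: /etc/ldap.secret
Sudoers I/O plugin version 1.9.5p2'

# Constructed sample: the same build without LDAP, i.e. the shape of the
# output the reporter pasted above (no ldap.* path lines at all).
WITHOUT_LDAP='Sudo version 1.9.5p2
Sudoers policy plugin version 1.9.5p2
Sudoers file grammar version 48
Sudoers I/O plugin version 1.9.5p2'

printf '%s\n' "$WITH_LDAP" | report
printf '%s\n' "$WITHOUT_LDAP" | report
```

To check a live system, source the file and run `sudo -V | sudo_has_ldap` as root; sudo prints the path lines only for the superuser.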
Created attachment 549: sudo scripts mkpkg config.log
Haven't had much luck with scripts/mkpkg unfortunately. Yes, the IBM toolbox offers 2 ldap-enabled sudo rpms: sudo, which uses openldap libraries, and sudo_ids, which uses native AIX libs.
Looks like your gcc is broken.
Ok, no problem. IBM toolbox have released updated rpms, so all good. Thanks