Bug 957 - sudo ldap fails after upgrade from 1.8 to 1.9.5p2
sudo ldap fails after upgrade from 1.8 to 1.9.5p2
Status: RESOLVED WORKSFORME
Product: Sudo
Classification: Unclassified
Component: Sudo
1.9.5
IBM AIX
: low normal
Assigned To: Todd C. Miller
Depends on:
Blocks:
Reported: 2021-01-28 05:59 MST by mathews.dennis
Modified: 2022-10-24 09:41 MDT

Attachments
sudo scripts mkpkg config.log (10.46 KB, application/octet-stream)
2021-01-28 06:41 MST, mathews.dennis
Description mathews.dennis 2021-01-28 05:59:21 MST
Hi, we are struggling to get a working sudo ldap configuration after upgrading to 1.9.5p2. The previous working RPM was from the IBM linux toolbox, but since they haven't patched for CVE-2021-3156, we were hoping to use your pre-built rpm package.

sudo -V
Sudo version 1.9.5p2
Sudoers policy plugin version 1.9.5p2
Sudoers file grammar version 48
Sudoers I/O plugin version 1.9.5p2

rpm -qi sudo
Name        : sudo                         Relocations: (not relocateable)
Version     : 1.9.5                             Vendor: Todd C. Miller
Release     : 3                             Build Date: Sun 24 Jan 02:49:38 2021
Install date: Thu 28 Jan 23:06:55 2021      Build Host: aix61-p5.test.qas

I've tried a couple of ldap.conf variations, but they all fail to query LDAP (openLDAP)

Sample1 : /etc/ldap.conf
sudoers_base ou=sudo,dc=xxxxxx,dc=com,dc=au
base dc=xxxxx,dc=com,dc=au
sudoers_debug 0
uri ldaps://xxxxx.xxxxx.com.au ldaps://xxxxxx.xxxxx.com.au
binddn cn=xxxxxx,ou=admin,dc=xxxxx,dc=com,dc=au
bindpw xxxxxxxxxxxxxx
rootbinddn cn=xxxxx,ou=admin,dc=xxxxxx,dc=com,dc=au
tls_checkpeer yes
tls_cacertfile /etc/certs/xxxxx.pem
BIND_TIMELIMIT 5
SUDOERS_TIMED true

Sample 2: /etc/ldap.conf
sudoers_base ou=sudo,dc=xxxxx,dc=com,dc=au
base dc=xxxxx,dc=com,dc=au
sudoers_debug 0
uri ldaps://xxxxx.xxxxx.com.au ldaps://xxxxx.xxxxx.com.au
binddn cn=xxxxx,ou=admin,dc=xxxxx,dc=com,dc=au
bindpw xxxxxx
rootbinddn cn=xxxxx,ou=admin,dc=xxxxx,dc=com,dc=au
tls_checkpeer yes
tls_cacertfile /etc/certs/xxxxx.pem
tls_key /etc/certs/CA.kdb
tls_keypw xxxxx
BIND_TIMELIMIT 5
SUDOERS_TIMED true


Invoking sudo fails immediately with the following:
Sorry, try again.
Sorry, try again.
sudo: 3 incorrect password attempts

sudo_debug doesn't log anything related to ldap as we'd normally expect.

Any suggestions/hints as to where the problem might be are greatly appreciated.
Comment 1 Todd C. Miller 2021-01-28 06:08:11 MST
The AIX packages on sudo.ws don't contain support for sudoers in LDAP since AIX doesn't ship with LDAP libraries in the native configuration (that I know of). I didn't realize that the IBM toolbox sudo rpm had LDAP enabled; I'll have to take a look and see whether they use OpenLDAP or IBM LDAP libraries.

In the meantime, if you have a working compiler installed you should be able to build your own sudo package from source by running:

./scripts/mkpkg --flavor=ldap --platform=rpm

at the top level of the source tree.
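A quick way to verify both points before rolling a replacement package onto an LDAP-backed host, as an added example that is not part of this bug report or of sudo itself: a POSIX sh check over the text of `sudo -V` run as root. It assumes that an LDAP-enabled build shows `--with-ldap` in the `Configure options:` line or prints an `ldap.conf path:` line; the sample outputs are constructed.

```sh
#!/bin/sh
# Added example, not from the bug report or the sudo project. Checks the text
# of "sudo -V" (run as root) for the two things this thread hinges on:
#   1. version >= 1.9.5p2, the release that fixes CVE-2021-3156
#   2. LDAP support compiled into the sudoers plugin (assumption: such a build
#      shows "--with-ldap" in "Configure options:" or an "ldap.conf path:" line)

# Return 0 if a "MAJOR.MINOR.PATCH[pN]" version is at least 1.9.5p2.
sudo_version_ok() {
    v=$1
    maj=${v%%.*}; rest=${v#*.}
    min=${rest%%.*}; rest=${rest#*.}
    pat=${rest%%p*}
    case $rest in *p*) plev=${rest#*p} ;; *) plev=0 ;; esac
    n=$((maj * 1000000 + min * 10000 + pat * 100 + plev))
    [ "$n" -ge 1090502 ]
}

# Read "sudo -V" output on stdin; print a verdict per check; return 0 only
# when both pass.
sudo_ldap_check() {
    out=$(cat)
    ver=$(printf '%s\n' "$out" | sed -n 's/^Sudo version \([0-9][0-9.p]*\).*/\1/p' | head -n 1)
    [ -n "$ver" ] || { echo "no 'Sudo version' line found"; return 2; }
    if sudo_version_ok "$ver"; then
        echo "version $ver: includes the CVE-2021-3156 fix"; vok=0
    else
        echo "version $ver: older than 1.9.5p2, still vulnerable"; vok=1
    fi
    if printf '%s\n' "$out" | grep -Eq -- '--with-ldap|^ldap\.conf path:'; then
        echo "LDAP support: compiled in"; lok=0
    else
        echo "LDAP support: absent, sudoers entries in LDAP will not be consulted"; lok=1
    fi
    [ "$vok" -eq 0 ] && [ "$lok" -eq 0 ]
}

# Constructed samples (not captured from the reporter's AIX host).
SAMPLE_NO_LDAP='Sudo version 1.9.5p2
Sudoers policy plugin version 1.9.5p2
Sudoers file grammar version 48
Configure options: --prefix=/opt/freeware --with-pam'
SAMPLE_LDAP='Sudo version 1.9.5p2
Sudoers policy plugin version 1.9.5p2
Configure options: --prefix=/opt/freeware --with-ldap --with-pam
ldap.conf path: /etc/ldap.conf'

printf '%s\n' "$SAMPLE_NO_LDAP" | sudo_ldap_check || echo "--> rejected (the sudo.ws AIX package case)"
printf '%s\n' "$SAMPLE_LDAP" | sudo_ldap_check && echo "--> accepted"
```

Run it as `sudo -V | sh check.sh` style only after replacing the constructed samples with the real output; a non-zero exit means the package should not go out.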
Comment 2 mathews.dennis 2021-01-28 06:41:15 MST
Created attachment 549 [details]
sudo scripts mkpkg config.log
Comment 3 mathews.dennis 2021-01-28 06:43:15 MST
Haven't had much luck with scripts/mkpkg unfortunately.

Yes, the IBM toolbox offers 2 LDAP-enabled sudo rpms:
sudo - which uses OpenLDAP libraries, and
sudo_ids - which uses native AIX libs
Comment 4 Todd C. Miller 2021-01-28 07:13:53 MST
Looks like your gcc is broken.
Comment 5 mathews.dennis 2021-01-29 01:42:53 MST
Ok, no problem. The IBM toolbox has released updated rpms, so all good.
Thanks