I am having a problem with sudo when I am running in a TLS/SSL connection. I am able to ssh into the client and verified that the connection is secure, but once logged in to the client machine I am unable to use sudo. I am seeing multiple re-tries in the access logs that appear to close:

When I do the same thing without a TLS/SSL connection sudo works fine. Here is what I am seeing in the log:

[31/Jul/2007:15:48:18 -0500] conn=607 fd=74 slot=74 connection from <ipaddr> to <ipaddr>
[31/Jul/2007:15:48:18 -0500] conn=607 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[31/Jul/2007:15:48:18 -0500] conn=607 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[31/Jul/2007:15:48:18 -0500] conn=607 SSL 256-bit AES
[31/Jul/2007:15:48:18 -0500] conn=607 op=1 UNBIND
[31/Jul/2007:15:48:18 -0500] conn=607 op=1 fd=74 closed - U1

and eventually, I get

sudo: uid 1000 does not exist in the passwd file!

For the user config, it is simple: the user exists in ldap, the group exists on the box (wheel) and I give the user in ldap a gid of 10.

-bash-3.1$ id
uid=1000(testuser) gid=10(wheel) groups=10(wheel)

Thoughts?

Greg
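Added example, not part of the thread: a small parser that groups Fedora Directory Server access-log lines by connection and flags sessions that complete startTLS and then UNBIND without ever issuing a BIND or SRCH, which is exactly what the conn=607 lines above show (the client tears the session down right after the handshake, pointing at a client-side problem rather than the server). The log text is constructed from the quoted lines plus a made-up healthy conn=608 for contrast; the 10.0.0.x addresses are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the access-log lines quoted in the thread:
# conn=607 is the failing session; conn=608 is a made-up healthy one.
SAMPLE_LOG = """\
[31/Jul/2007:15:48:18 -0500] conn=607 fd=74 slot=74 connection from 10.0.0.5 to 10.0.0.1
[31/Jul/2007:15:48:18 -0500] conn=607 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[31/Jul/2007:15:48:18 -0500] conn=607 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[31/Jul/2007:15:48:18 -0500] conn=607 SSL 256-bit AES
[31/Jul/2007:15:48:18 -0500] conn=607 op=1 UNBIND
[31/Jul/2007:15:48:18 -0500] conn=607 op=1 fd=74 closed - U1
[31/Jul/2007:15:48:19 -0500] conn=608 fd=75 slot=75 connection from 10.0.0.6 to 10.0.0.1
[31/Jul/2007:15:48:19 -0500] conn=608 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[31/Jul/2007:15:48:19 -0500] conn=608 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[31/Jul/2007:15:48:19 -0500] conn=608 op=1 BIND dn="" method=128 version=3
[31/Jul/2007:15:48:19 -0500] conn=608 op=2 SRCH base="dc=example,dc=com" scope=2 filter="(uidNumber=1000)"
[31/Jul/2007:15:48:19 -0500] conn=608 op=2 RESULT err=0 tag=101 nentries=1 etime=0
[31/Jul/2007:15:48:19 -0500] conn=608 op=3 UNBIND
[31/Jul/2007:15:48:19 -0500] conn=608 op=3 fd=75 closed - U1
"""

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$')

def parse_connections(log_text):
    """Group access-log lines by conn id; record startTLS and the ops seen."""
    conns = defaultdict(lambda: {"starttls": False, "ops": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec, rest = conns[m.group("conn")], m.group("rest")
        if 'name="startTLS"' in rest:
            rec["starttls"] = True
            continue
        parts = rest.split()
        # "op=N KEYWORD ..." lines: keep the keyword (BIND, SRCH, RESULT, UNBIND)
        if len(parts) > 1 and parts[0].startswith("op=") and parts[1].isalpha():
            rec["ops"].append(parts[1])
    return dict(conns)

def empty_tls_sessions(log_text):
    """conn ids that negotiated TLS and then unbound without a BIND or SRCH,
    i.e. the client gave up right after the handshake (client-side problem)."""
    flagged = []
    for conn, rec in parse_connections(log_text).items():
        did_work = any(op in ("BIND", "SRCH") for op in rec["ops"])
        if rec["starttls"] and "UNBIND" in rec["ops"] and not did_work:
            flagged.append(conn)
    return sorted(flagged)
```

Run it against a real access log by passing the file contents to empty_tls_sessions(); a steady stream of flagged connections from one client, as in the thread, means the TLS layer on the server is fine and the client's ldap.conf/CA trust or the sudo binary itself should be examined next.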
Josh Kelley
2007-Aug-01 15:07 UTC
Re: [Fedora-directory-users] Sudo over tls/ssl connection
On 7/31/07, Greg Hetrick <greg.hetrick@gmail.com> wrote:
> I am having a problem with sudo when I am running in a TLS/SSL connection, I
> am able to ssh into the client and verified that the connection is secure,
> but once logged in to the client machine I am unable to use sudo.
>
> I am seeing multiple re-tries in the access logs that appear to close:
>
> When I do the same thing without a TLS/SSL connection sudo works fine.
>
> and eventually, I get
>
> sudo: uid 1000 does not exist in the passwd file!

Based on the symptoms and logs, this sounds more like a client problem than a problem with FDS. What OS / distro are you running? What does your /etc/ldap.conf look like? Recent versions of Fedora, for example, are fairly strict in how /etc/ldap.conf is configured. The following configuration works for me, although it could probably be improved:

uri ldaps://ldap1.example.com/ ldaps://ldap2.example.com/
ssl on
tls_cacertfile /etc/pki/tls/certs/ca-localauthority.crt
host ldap1.example.com ldap2.example.com

Josh Kelley
Greg Hetrick
2007-Aug-01 19:31 UTC
Re: [Fedora-directory-users] Sudo over tls/ssl connection
This client is RHEL 5 -- I tried various different configs including the one you paste below. What I did find out eventually is that sudo on RHEL 5 is compiled with libldap support; this was not the case in RHEL 4.5 -- so I recompiled and re-installed the rpm to exclude libldap support and now it works fine.

Thanks,
Greg

On 8/1/07, Josh Kelley <joshkel@gmail.com> wrote:
>
> On 7/31/07, Greg Hetrick <greg.hetrick@gmail.com> wrote:
> > I am having a problem with sudo when I am running in a TLS/SSL connection, I
> > am able to ssh into the client and verified that the connection is secure,
> > but once logged in to the client machine I am unable to use sudo.
> >
> > I am seeing multiple re-tries in the access logs that appear to close:
> >
> > When I do the same thing without a TLS/SSL connection sudo works fine.
> >
> > and eventually, I get
> >
> > sudo: uid 1000 does not exist in the passwd file!
>
> Based on the symptoms and logs, this sounds more like a client problem
> than a problem with FDS. What OS / distro are you running? What does
> your /etc/ldap.conf look like? Recent versions of Fedora, for
> example, are fairly strict in how /etc/ldap.conf is configured. The
> following configuration works for me, although it could probably be
> improved:
>
> uri ldaps://ldap1.example.com/ ldaps://ldap2.example.com/
> ssl on
> tls_cacertfile /etc/pki/tls/certs/ca-localauthority.crt
> host ldap1.example.com ldap2.example.com
>
> Josh Kelley
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>