Bug 458067

Fedora 8 sudo-1.6.9p4-2.fc8.x86_64.rpm installed on RHEL5.2 - sudo works with pam LDAP

We use LDAP for authentication but sudo just reads /etc/sudoers (i.e.,
sudo configuration is local and not on ldap).

Users can log in without problem using ldap.

When a user tries to use sudo, sudo waits and waits unable to connect
to the LDAP server.

Aug 21 11:24:08 **** sudo: nss_ldap: failed to bind to LDAP server ldaps://****: Can't contact LDAP server
Aug 21 11:24:08 **** sudo: nss_ldap: failed to bind to LDAP server ldaps://****: Can't contact LDAP server
Aug 21 11:24:08 **** sudo: nss_ldap: reconnecting to LDAP server (sleeping 4 seconds)...
Aug 21 11:24:12 **** sudo: nss_ldap: failed to bind to LDAP server ldaps://****: Can't contact LDAP server
Aug 21 11:24:12 **** sudo: nss_ldap: reconnecting to LDAP server (sleeping 8 seconds)...
Aug 21 11:24:20 **** sudo: nss_ldap: failed to bind to LDAP server ldaps://****: Can't contact LDAP server
Aug 21 11:24:20 **** sudo: nss_ldap: reconnecting to LDAP server (sleeping 16 seconds)...
Aug 21 11:24:25 **** sudo: nss_ldap: failed to bind to LDAP server ldaps://****: Can't contact LDAP server
Aug 21 11:24:25 **** sudo: nss_ldap: could not search LDAP server - Server is unavailable
Aug 21 11:24:36 **** sudo: nss_ldap: failed to bind to LDAP server ldaps://****: Can't contact LDAP server
Aug 21 11:24:36 **** sudo: nss_ldap: reconnecting to LDAP server (sleeping 32 seconds)...
Aug 21 11:24:56 **** sudo: nss_ldap: failed to bind to LDAP server ldaps://****: Can't contact LDAP server
Aug 21 11:24:56 **** sudo: nss_ldap: could not search LDAP server - Server is unavailable
Aug 21 11:25:08 **** sudo: nss_ldap: failed to bind to LDAP server ldaps://****: Can't contact LDAP server
Aug 21 11:25:08 **** sudo: nss_ldap: reconnecting to LDAP server (sleeping 64 seconds)...
Aug 21 11:26:12 **** sudo: nss_ldap: failed to bind to LDAP server ldaps://****: Can't contact LDAP server
Aug 21 11:26:12 **** sudo: nss_ldap: could not search LDAP server - Server is unavailable

The failed server (ldaps://**** here) is the correct one from
/etc/ldap.conf that works (since it is used for authentication).

Compiling rebuilding sudo withou --with-ldap is a workaround if LDAP
is not needed.

Matteo,

You are missing a point here. Read again and carefully my attached description of the problem, resolution and conclusions.

Compiling without --with-ldap only circumvents a bug that exists in sudo-1.6.8p12-12.el5 package.

Compiling latest sudo-1.6.9p17.tar.gz using all the same switches (extracted from RHEL source RPM spec file) that RHEL5 is using in their sudo-1.6.8p12-12.el5 package, including --with-ldap, produces properly working binaries. So that is a proof right there that there is a bug in RHEL version that does not exist in latest generic version.

We are not storing sudoers on LDAP server. We use /etc/sudoers local to the client host.

We do not use generic LDAP authentication, the one that uses /etc/ldap.conf
We use pam LDAP module for reasons very specific to our organization.

I did not check the spec file from Fedora 8 sudo-1.6.9p4-2.fc8.x86_64.rpm but I suspect it is not different from RHEL5 one. It is just newer source base used that seems to have this bug fixed already and it works fine on RHEL5 system.

Dear Greg,

yes this is more or less what I wanted to say :-)

I just wanted to post the /var/log/messages entries relevant to the problem.

I could try to compile sudo-1.6.9p17.tar.gz as you did applying the same patches RH applies to see if one of them is the problem (you tried the same configuration options and they worked so they should not be the problem).

Matteo

I rebuilt the very same RPM using 1.6.9p17 and the following changes:

 * Added BuildRequires: openldap-devel (not relevant but was missing :-)
 * Removed (no more necessary):
     sudo-1.6.8p8-pam-sess.patch
     sudo-1.6.8p12-pam-login.patch
     sudo-1.6.8p12-ipv6.patch
     sudo-1.6.8p12-audit.patch
 * Removed
     sudo-1.6.8p12-s390.patch
   this one could not be applied and I didn't really look at it so it
   might be necessary to check

The new build works with all the RH configuration patches and --with-ldap

If you want to test it:

http://yum.id.ethz.ch/yum/redhat/el5/i386/ethz/RPMS/sudo-1.6.9p17-1.i386.rpm
http://yum.id.ethz.ch/yum/redhat/el5/i386/ethz/SRPMS/sudo-1.6.9p17-1.src.rpm

Matteo

I forgot: the problem can be reproduced on i386 too (our case). So the platform 'x86_64' of the bug should be updated (-> any).

Matteo,

Thanks for all the ground work. We have obvious conclusion here. Time for RHEL to act on this bug. I hope at least 5.3 will address that. An updated working rpm before 5.3 is out would be nice.

My solution for now is Fedora rpm as it works for me. But it is one off that I would rather avoid hence RHEL fixed rpm would be nice.

I am also trying to change "Platform" qualifier for this bug to "All"

/gs

*** This bug has been marked as a duplicate of bug 447408 ***

If I try to see what this bug duplicates (#447408) I get an access denied error:

You are not authorized to access bug #447408.

Does this mean that a security issue is involved? In this case it would be nice to see a statement and at least what is happening with the bug ... (priority, status, ...).

Or it's simply a bug?

Matteo

Hi, I'm sorry there is access denied.

#447408 is just the same request with issue tracked score. #447408 went thru the whole process of evaluation if the package should be rebased or not. The rebase was allowed, so engineering and QA group work on it. If everything works as expected, updated sudo package will be available in next update.