LDAP Client not connecting to LDAP server

solaris_1977 · January 18, 2017, 7:03pm

I have very limited knowledge on LDAP configuration and have been trying fix one issue, but unsuccessful.
The server, I am working on, is Solaris-10 zone. sudoers is configured on LDAP (its not on local server). I have access to login directly on server with root, but somehow sudo is not working for any user. I did restart service with "svcadm restart svc:/network/ldap/client:default" but no luck.

[ greog@sms-prod-sim2:/ ]
$ /usr/local/bin/sudo su -
sudo: ldap_sasl_bind_s(): Can't contact LDAP server
sudo: no valid sudoers sources found, quitting
sudo: unable to initialize policy plugin
[ greog@sms-prod-sim2:/ ]

From /var/adm/messages --

Jan 19 00:16:50 sms-prod-sim2 ldap_cachemgr[9663]: [ID 293258 daemon.error] libsldap: Status: 1  Mesg: Can't connect to the LDAP server
Jan 19 00:16:50 sms-prod-sim2 ldap_cachemgr[9663]: [ID 293258 daemon.error] libsldap: Status: 1  Mesg: Timed out
Jan 19 00:17:01 sms-prod-sim2 ldap_cachemgr[9663]: [ID 293258 daemon.warning] libsldap: Status: 91  Mesg: openConnection: simple bind failed - Can't connect to the LDAP server
Jan 19 00:17:01 sms-prod-sim2 ldap_cachemgr[9663]: [ID 545954 daemon.error] libsldap: makeConnection: failed to open connection to ngsic-pre-ppt.com
Jan 19 00:17:01 sms-prod-sim2 ldap_cachemgr[9663]: [ID 545954 daemon.error] libsldap: makeConnection: failed to open connection to ngsic-pre-ppt.com
Jan 19 00:17:01 sms-prod-sim2 ldap_cachemgr[9663]: [ID 687686 daemon.warning] libsldap: Falling back to anonymous, non-SSL mode for __ns_ldap_getRootDSE. openConnection: simple bind failed - Can't connect to the LDAP server

jlliagre · January 18, 2017, 7:23pm

"sudo" cannot contact the LDAP server it is supposed to. That's quite clear. I'm not sure restarting the ldap client service will affect this sudo implementation. You need to find the non standard sudo configuration file, "sudo.ldap" or similar, maybe under /etc/local and see what is declared here.

solaris_1977 · January 18, 2017, 7:37pm

There is /usr/local/etc/sudoers but there is NO entry in there. Its sudoers configuration is being picked from LDAP server. So I am assuming, if this client is able to reach to LDAP server, issue should be fixed.

jlliagre · January 18, 2017, 8:50pm

Sure, there is no sudoers file. That's the whole point of centralizing it on a directory server.

You need to find the file where sudo configuration is stored. This is not the sudoers file which contains sudo policy configuration but the sudo front-end one, likely sudo.conf.

Anyway, is there a directory server running on ngsic-pre-ppt.com?

solaris_1977 · January 18, 2017, 9:48pm

"find / -name *sudo*" didn't gave any relevent location.
Yes, ngsic-pre-ppt.com is directory server

jlliagre · January 18, 2017, 10:11pm

Should be:

find / -name "*sudo*"

or directly

strings /usr/local/bin/sudo | grep "^/"

So the issue might be wrong credentials. You should have a look to the directory server logs and see if there is a bind failure from your sudo host.

solaris_1977 · January 18, 2017, 10:20pm

I will check on LDAP server side.
On problematic server, here is output

# find / -name "*sudo*"
/var/sadm/pkg/OEsudo
/var/sadm/pkg/OEsudo/save/pspool/OEsudo
/shared/OEsudo-1.8.4p1_s10_x86.pkg
/usr/sfw/share/zsh/4.2.1/functions/Completion/Unix/_sudo
/usr/local/bin/sudo
/usr/local/bin/sudoedit
/usr/local/bin/sudoreplay
/usr/local/include/sudo_plugin.h
/usr/local/share/man/man4/sudoers.ldap.4
/usr/local/share/man/man4/sudoers.4
/usr/local/share/man/man1m/visudo.1m
/usr/local/share/man/man1m/sudo.1m
/usr/local/share/man/man1m/sudoreplay.1m
/usr/local/share/man/man1m/sudoedit.1m
/usr/local/share/man/man1m/sudo_plugin.1m
/usr/local/share/doc/sudo
/usr/local/share/doc/sudo/sudoers2ldif
/usr/local/share/doc/sudo/sample.sudo.conf
/usr/local/share/doc/sudo/sample.sudoers
/usr/local/etc/sudoers
/usr/local/etc/sudoers.example
/usr/local/etc/sudoers-pre.lecture
/usr/local/etc/sudoers-iot.inc
/usr/local/etc/sudoers-iot.lecture
/usr/local/etc/sudoers.d
/usr/local/etc/sudoers-pre.inc
/usr/local/etc/sudoers-prod.lecture
/usr/local/etc/sudoers-prod.inc
/usr/local/libexec/sudo_noexec.so
/usr/local/libexec/sudoers.so
/usr/local/var/lib/sudo
/usr/local/sbin/visudo
/export/home/sdegraw/sudorout
/export/home/vpalani/sudo
[ root@sms-prod-sim2:/ ]
# strings /usr/local/bin/sudo | grep "^/"
[ root@sms-prod-sim2:/ ]

jlliagre · January 18, 2017, 11:03pm

Double check the strings command output, I wasn't expecting an empty output.

Make sure you are logged in as root.

Try grep / instead of grep "^/"

There is a sample sudo configuration file here : /usr/local/share/doc/sudo/sample.sudo.conf

You are using a custom or at least unknown sudo package OEsudo. You should try to find its documentation. It might have been built with custom, hardcoded settings.

solaris_1977 · January 18, 2017, 11:26pm

You are right. Looks like, it is using this package. I am checking more on this, but strings is not giving output with / and "/" too

# cat /usr/local/share/doc/sudo/sample.sudo.conf | grep -v "#"
Plugin sudoers_policy sudoers.so
Plugin sudoers_io sudoers.so

# strings /usr/local/bin/sudo | grep /
#
# strings /usr/local/bin/sudo | grep "/"
#
# pkginfo -l OEsudo
   PKGINST:  OEsudo
      NAME:  sudo with ldap support
  CATEGORY:  application
      ARCH:  x86
   VERSION:  1.8.4p1+local
   BASEDIR:  /usr/local
    PSTAMP:  build-x86-prod20120224110716
  INSTDATE:  Sep 08 2012 09:23
    STATUS:  completely installed
     FILES:       47 installed pathnames
                   8 shared pathnames
                   2 linked files
                  15 directories
                   6 executables
                   1 setuid/setgid executables
                4511 blocks used (approx)
#

jlliagre · January 20, 2017, 8:45am

That's quite strange, what says:

s=/usr/local/bin/sudo
ls -l $s
file $s
ldd $s