#949519 sudo-ldap: Fails to connect to LDAP : "ldap_sasl_bind_s(): Can't contact LDAP server"

Package:
sudo-ldap
Source:
sudo
Description:
Provide limited super user privileges (with LDAP support)
Submitter:
jC Guillain
Date:
2022-07-14 17:21:03 UTC
Severity:
normal
Tags:
#949519#5
Date:
2020-01-21 15:54:43 UTC
From:
To:
jc@server1:~$ sudo -l
sudo: LDAP Config Summary
sudo: ===================
sudo: uri              ldaps://server2.mydomain.com/ ldaps://server3.mydomain.com/
sudo: ldap_version     3
sudo: sudoers_base     ou=SUDOers,dc=mydomain,dc=com
sudo: search_filter    (objectClass=sudoRole)
sudo: netgroup_base (NONE: will use nsswitch)
sudo: netgroup_search_filter (objectClass=nisNetgroup)
sudo: binddn           (anonymous)
sudo: bindpw           (anonymous)
sudo: ssl              (no)
sudo: tls_reqcert    allow
sudo: tls_cacertfile   /etc/ldap/certificates/cacert.pem
sudo: ===================
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: tls_cacertfile -> /etc/ldap/certificates/cacert.pem
sudo: ldap_set_option: tls_cacert -> /etc/ldap/certificates/cacert.pem
sudo: ldap_initialize(ld, ldaps://server2.mydomain.com/ ldaps://server3.mydomain.com/)
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_set_option(LDAP_OPT_TIMEOUT, 500)
sudo: ldap_sasl_bind_s(): Can't contact LDAP server
[sudo] password for jc:
Sorry, user jc may not run sudo on server1.


The same configuration works on a Stretch client.

#949519#10
Date:
2020-01-21 16:39:12 UTC
From:
To:
Sorry, it looks like I forgot to paste the presentation of my issue on reportbug.

I used to use sudo-ldap on Stretch to grant some rights to some users on my servers.
I recently upgraded one of these servers to Buster, and now sudo doesn't work anymore.
It's always the same error: "ldap_sasl_bind_s(): Can't contact LDAP server".

What is interesting is that ldapsearch works when I try something like this:
ldapsearch -x -H ldaps://server2.mydomain.com:636 -b "ou=SUDOers,dc=mydomain,dc=com"

Also ldap.conf and sudo-ldap.conf are identical.

#949519#15
Date:
2020-01-22 14:39:16 UTC
From:
To:
Just for information, I just ran a test on a Bullseye VM with sudo-ldap 1.8.29-1 and the issue is still present in this version.
#949519#22
Date:
2020-07-23 22:48:55 UTC
From:
To:
tags 949519 + help
thanks

I do not currently have the facilities or the motivation to try and
debug LDAP issues in sudo.  Happy to merge a patch if someone else
figures out what's going wrong here.

Bdale

#949519#29
Date:
2021-02-20 19:29:05 UTC
From:
To:
Jean-Christophe, are you still interested in figuring this out?  If so
you need to provide more information.  You also don't say what else
you have tried to investigate this.

I tried reproducing your observed behaviour, but it doesn't manifest
here unless I put "TLS_REQCERT allow" into my normal user's ~/.ldaprc
file (which is not a bug, but a misconfiguration).

"ldap_sasl_bind_s(): Can't contact LDAP server" is really just a
generic TLS error which could have a million different causes.  Some
ideas what could be going on:

* The certificates may have been generated with outdated TLS
  parameters or the server is running outdated configuration options.
  I recall that during the move to buster OpenSSL changed its default
  settings for what versions of TLS it still allows (TLS_CIPHER_SUITE,
  TLS_PROTOCOL_MIN).  Give us the output of:

  openssl s_client -debug -connect server2.mydomain.com:636 -verify 255 </dev/null

  Altering the server config to always use at least TLSv1.2 might
  already help.  Regenerating the server certificates is worth a try,
  too.

* You run "ldapsearch" under the effective user id of "jc", but "sudo"
  runs under the effective user id of "root".  If you have a file
  ~jc/.ldaprc with different TLS settings this could explain why the
  "ldapsearch" command succeeds, but "sudo -l" fails.  What happens if
  you run "ldapsearch" under a freshly created user?  Please run "sudo
  -l" as root and tell us if the error still occurs.  If it does then
  as root run this command and give us /tmp/sudo-l-strace.gz

  strace -f -s 2048 sudo -l |& gzip -9c > /tmp/sudo-l-strace.gz

  Also to turn off any initialization mechanisms run your ldapsearch
  commands like this:

  LDAPNOINIT=1 ldapsearch -x -H ...

  Tell us if this changes anything.

Until you can give us something that clearly points to the code of
sudo-ldap doing something it shouldn't we have to assume that this is
due to a misconfiguration.


Regards,
Dennis.
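
Added example for this thread (not part of the report or of sudo itself): a small Python audit that parses the "LDAP Config Summary" that "sudo -l" printed in the first message, flags the settings that matter for who can hand sudo its rules, and models Dennis's second point by showing which TLS_* directives differ between "ldapsearch as jc" (system ldap.conf plus ~jc/.ldaprc) and "sudo -l" (system ldap.conf plus ~root/.ldaprc). The summary text is copied from the report; the ldap.conf and .ldaprc bodies are constructed for the example, as are the file names mentioned in comments.

```python
"""Audit the TLS settings that sudo-ldap prints in its "LDAP Config Summary".

Added example for the bug thread; not code from the report or from sudo.
SAMPLE_SUDO_L is copied from the report. The ldap.conf/.ldaprc bodies
below are constructed to illustrate the per-user ~/.ldaprc override.
"""
import re

SAMPLE_SUDO_L = """\
sudo: LDAP Config Summary
sudo: ===================
sudo: uri              ldaps://server2.mydomain.com/ ldaps://server3.mydomain.com/
sudo: ldap_version     3
sudo: sudoers_base     ou=SUDOers,dc=mydomain,dc=com
sudo: search_filter    (objectClass=sudoRole)
sudo: netgroup_base (NONE: will use nsswitch)
sudo: netgroup_search_filter (objectClass=nisNetgroup)
sudo: binddn           (anonymous)
sudo: bindpw           (anonymous)
sudo: ssl              (no)
sudo: tls_reqcert    allow
sudo: tls_cacertfile   /etc/ldap/certificates/cacert.pem
sudo: ===================
sudo: ldap_sasl_bind_s(): Can't contact LDAP server
"""

# Constructed /etc/ldap/ldap.conf for the example (path is an assumption).
SYSTEM_LDAP_CONF = """\
# /etc/ldap/ldap.conf (constructed)
BASE        dc=mydomain,dc=com
URI         ldaps://server2.mydomain.com/ ldaps://server3.mydomain.com/
TLS_CACERT  /etc/ldap/certificates/cacert.pem
TLS_REQCERT demand
"""
# Constructed ~jc/.ldaprc: the per-user override Dennis needed to reproduce the failure.
JC_LDAPRC = "TLS_REQCERT allow\n"
# Constructed ~root/.ldaprc: root has no override, which is what "sudo -l" sees.
ROOT_LDAPRC = ""

SUMMARY_LINE = re.compile(r"^sudo: (\w+)\s+(.*)$")


def parse_summary(debug_output):
    """Return {key: value} for the lines between the two '====' rulers."""
    cfg = {}
    in_summary = False
    for line in debug_output.splitlines():
        if line.startswith("sudo: ====="):
            if in_summary:
                break            # closing ruler: the summary is complete
            in_summary = True    # opening ruler
            continue
        if not in_summary:
            continue
        m = SUMMARY_LINE.match(line)
        if m:
            cfg[m.group(1)] = m.group(2).strip()
    return cfg


def audit(cfg):
    """Findings about the summary that affect who can supply sudo's rules."""
    findings = []
    uris = cfg.get("uri", "").split()
    ssl_opt = cfg.get("ssl", "").strip("()").lower()
    over_tls = any(u.startswith("ldaps://") for u in uris) or ssl_opt in ("on", "yes", "true", "start_tls")
    reqcert = cfg.get("tls_reqcert", "").lower()
    if over_tls and reqcert in ("never", "allow"):
        findings.append(
            f"tls_reqcert={reqcert}: libldap accepts a missing or bad server certificate, "
            "so anyone who can impersonate the LDAP server can supply sudoRole entries")
    if cfg.get("binddn") == "(anonymous)":
        findings.append("anonymous bind: the sudoers rules are readable by anyone who can reach the directory")
    return findings


def tls_directives(conf_text):
    """TLS_* directives from an ldap.conf/.ldaprc body (KEY value, '#' lines are comments)."""
    out = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].upper().startswith("TLS_"):
            out[parts[0].upper()] = parts[1].strip()
    return out


def context_differences(system_conf, invoking_user_rc, root_rc):
    """TLS settings that differ between a user's ldapsearch and root's sudo -l.

    Both start from the system ldap.conf; each then applies its own ~/.ldaprc.
    Returns {KEY: (value_as_user, value_as_root)} for every key that differs;
    an empty result means the two tests exercised the same TLS configuration.
    """
    base = tls_directives(system_conf)
    as_user = {**base, **tls_directives(invoking_user_rc)}
    as_root = {**base, **tls_directives(root_rc)}
    keys = sorted(set(as_user) | set(as_root))
    return {k: (as_user.get(k), as_root.get(k)) for k in keys if as_user.get(k) != as_root.get(k)}


if __name__ == "__main__":
    cfg = parse_summary(SAMPLE_SUDO_L)
    for finding in audit(cfg):
        print("finding:", finding)
    for key, (as_user, as_root) in context_differences(SYSTEM_LDAP_CONF, JC_LDAPRC, ROOT_LDAPRC).items():
        print(f"{key}: ldapsearch as jc sees {as_user!r}, sudo -l as root sees {as_root!r}")
```

Setting LDAPNOINIT=1, as Dennis suggests, makes libldap skip the user's ~/.ldaprc and the LDAP* environment variables, which is equivalent to passing an empty per-user body to context_differences above; if the two runs then behave the same, the per-user file was the difference. Independently of the bug, "tls_reqcert allow" in the sudo-ldap configuration deserves attention on its own: it lets a spoofed directory server answer the sudoRole lookup.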

#949519#40
Date:
2021-12-11 07:57:28 UTC
From:
To:
I intend to close this bug by the end of February 2022 if we don't get
more information.

Greetings
Marc

#949519#48
Date:
2022-02-01 09:24:57 UTC
From:
To:
package sudo-ldap
severity #949519 normal
outlook #949519 close after 2022-02-28
thanks

Lowering severity as this seems to affect just a few users.

Greetings
Marc
