From ab9e6404617e2c787db4e3a1074f7f4421099f82 Mon Sep 17 00:00:00 2001 From: "Todd C. Miller" Date: Tue, 22 May 2012 16:27:34 -0400 Subject: [PATCH] Add entry for SSL LDAP errors on Mozilla SDKs when the cert dir is not specified. --HG-- branch : 1.7 --- TROUBLESHOOTING | 22 +++++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) diff --git a/TROUBLESHOOTING b/TROUBLESHOOTING index 05accb6a2..3e339b2d4 100644 --- a/TROUBLESHOOTING +++ b/TROUBLESHOOTING @@ -67,7 +67,7 @@ A) Make sure you have an entry in your syslog.conf file to save its conf file. Also, remember that syslogd does *not* create log files, you need to create the file before syslogd will log to it (ie: touch /var/log/sudo). - Note: the facility (e.g. "auth.debug") must be separated from the + Note: the facility (e.g. "auth.debug") must be separated from the destination (e.g. "/var/log/auth" or "@loghost") by tabs, *not* spaces. This is a common error. 
@@ -223,6 +223,26 @@ A) ssh does not allocate a tty by default when running a remote command. Alternately, if you do not mind your password being echoed to the screen, you can use the "visiblepw" sudoers option to allow this. +Q) When I try to use SSL-enabled LDAP with sudo I get an error: + unable to initialize SSL cert and key db: security library: bad database. + you must set TLS_CERT in /etc/ldap.conf to use SSL +A) On systems that use a Mozilla-derived LDAP SDK there must be a + certificate database in place to use SSL-encrypted LDAP connections. + This file is usually /var/ldap/cert8.db or /etc/ldap/cert8.db. + The actual number after "cert" will vary, depending on the version + of the LDAP SDK that is being used. If you do not have a certificate + database you can either copy one from a mozilla-derived browser, such + as firefox, or create one using the "certutil" command. You can run + "certutil" as follows and press the (or ) key at the + password prompt: + # certutil -N -d /var/ldap + Enter a password which will be used to encrypt your keys. + The password should be at least 8 characters long, + and should contain at least one non-alphabetic character. + + Enter new password: + Re-enter password: + Q) When I run sudo on AIX I get the following error: sudo: unable to change to sudoers gid: Operation not permitted. A) AIX's Enhanced RBAC is preventing sudo from running. To fix -- 2.40.0
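Review bot: The first hunk (TROUBLESHOOTING @@ -67,7) changes only whitespace on the "Note: the facility ..." line, which neither the subject line nor the body of the commit message mentions; either call it out as a trailing-whitespace cleanup in the message or split it into its own commit so the diff matches its description.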
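Review bot: In the second hunk (the new SSL-enabled LDAP Q/A), the instruction to "press the (or ) key at the password prompt" is missing the key names and, as written, tells the reader to create the certificate database with an empty password even though the quoted certutil output says that password "will be used to encrypt your keys"; state the key explicitly and add a sentence saying that an empty password leaves the key database unprotected, so a site that cares should set one. The answer also never closes the loop on the error text it quotes, "you must set TLS_CERT in /etc/ldap.conf": after "# certutil -N -d /var/ldap" it should say that the directory passed to -d has to be the one the LDAP client is configured to read (the cert8.db location given two paragraphs earlier), otherwise the "bad database" error persists. Finally, the alternative of copying cert8.db "from a mozilla-derived browser, such as firefox" imports that browser's whole trust store into the LDAP client; it would be worth noting that the preferable route is the freshly created database with only the LDAP server's CA certificate added to it, since "certutil -N" alone produces an empty database that still cannot verify the server.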