AIX


AIX Linux Toolbox, LDAP and sudo library clash

  • 1.  AIX Linux Toolbox, LDAP and sudo library clash

    Posted Sun February 26, 2017 06:16 AM

    Originally posted by: M.R. Willemse


    Ladies and Gentlemen,

    I am trying to make a new AIX 7.1 image that will come out of the NIM server as Ansible-capable. I recently found the Yum Bundle on the IBM website, so I decided to use that since it includes Python. It's nice to see Yum being added to AIX, because we do lots of things with RPMs, mostly on Linux, and it will be nice to have AIX play along in the configuration management euphoria.

    Ansible requires some way of getting root access, so I decided to yum install sudo. It dragged in openldap for dependencies, because sudo can get its information from LDAP these days. And here is the crux of the problem.

    I use LDAP for user authentication against an openldap server, using idsldap.clt32bit62.rte. It delivers a link to a link to a link named /usr/lib/libldap.a. Sudo's sudoers.so doesn't like it:

    $ sudo
    sudo: error in /etc/sudo.conf, line 0 while loading plugin `sudoers_policy'
    sudo: unable to load /opt/freeware/libexec/sudo/sudoers.so: Could not load module /opt/freeware/libexec/sudo/sudoers.so.
            Dependent module /usr/lib/libldap.a(libldap-2.4.so.2) could not be loaded.
            File /usr/lib/libldap.a is not an
              archive or the file could not be read properly.
    System error: Exec format error
    Could not load module /opt/freeware/libexec/sudo/sudoers.so.
            Dependent module /opt/freeware/libexec/sudo/sudoers.so could not be loaded.
    sudo: fatal error, unable to load plugins

    The libldap.a that sudoers.so wants is actually in /opt/freeware/lib. I have tested this by temporarily renaming /usr/lib/libldap.a. Sudo works when I do, but I obviously can't leave it like that because then nobody can log in anymore. Oh, and if I set LIBPATH to /opt/freeware/lib, it gets overridden by Sudo, because you can't have Sudo just loading anyone's libraries. There is only one user that does work for: root.


    The bigger picture here is that I assume many Linux Toolbox libraries will already be provided as a part of AIX, and the Linux Toolbox software won't like them for being insufficiently like Linux. Is it possible to compile or configure Linux Toolbox packages so that they will prefer /opt/freeware/lib over /usr/lib?



  • 2.  Re: AIX Linux Toolbox, LDAP and sudo library clash

    Posted Mon February 27, 2017 06:28 PM

    Originally posted by: AncientAIXer


    There are so many possible issues here. I have done a lot of work with the rpms since toolbox came out.

    The first thing I would try is to install 64-bit idsldap.

    I don't know where the ldap library in /opt/freeware/lib came from but you may not need it if you install the 64-bit library.  Unfortunately, the toolbox rpms are usually compiled in 64-bit code and cannot load 32-bit libraries.

    Personally, I don't use the toolbox any more except for the rpms that are normally installed with the OS.  I get the rpms from http://www.oss4aix.org/download/ which is the download page from http://www.perzl.org.  Those are compiled by an IBM-er (or an ex-IBM-er) and run very well.  You can search for either and find many pages in IBM that reference them.



  • 3.  Re: AIX Linux Toolbox, LDAP and sudo library clash

    Posted Tue February 28, 2017 06:58 AM

    Originally posted by: sangameshm


    Hi Willemse,

     

    Surely we will rebuild sudo to look for its dependent library in /opt/freeware/lib first instead of /usr/lib.

    We are now taking care of setting /opt/freeware/lib first in the library search path for the packages we are rebuilding.


    Thanks,

    Sangamesh



  • 4.  Re: AIX Linux Toolbox, LDAP and sudo library clash

    Posted Tue February 28, 2017 07:32 AM

    Originally posted by: sangameshm


    I do see that sudoers.so has /opt/freeware/lib first; I still need to see why sudoers.so is failing.

                            ***Import File Strings***
    INDEX  PATH                          BASE                MEMBER
    0      /opt/freeware/lib:/opt/freeware/libexec/sudo:/usr/vac/lib:/usr/lib:/lib
    1                                    libldap.a           libldap-2.4.so.2
    2                                    libs.a              shr.o
    3                                    liblber.a           liblber-2.4.so.2
    4                                    libsudo_util.so
    5                                    libintl.a           libintl.so.1
    6                                    libz.a              libz.so.1




  • 5.  Re: AIX Linux Toolbox, LDAP and sudo library clash

    Posted Tue February 28, 2017 03:05 PM

    Originally posted by: M.R. Willemse


    Hi Sangamesh, Ancient One,

    Thanks for your replies. I do in fact have the 64-bit LDAP client installed:

    • idsldap.clt32bit62
    • idsldap.clt64bit62
    • idsldap.clt_max_crypto64bit62
    • idsldap.cltbase62

    The reason I have clt32bit62 installed is a pretty stupid one: mksecldap won't work without it. When you run mksecldap, it complains that ldap.client.rte isn't installed. I have a hate/hate relationship with mksecldap. I have renamed the /usr/lib/libldap.a, and I find I can still log in using ldap, even after a reboot, so I don't really need it, and sudo works. Which is OK for my hobby system, but I want to apply this at work. I find that mksecldap is not very high on IBM's priority list, but maybe that bug is fixed now. I'll see if I can run mksecldap without it now. If not, I can simply remove the /usr/lib link and all will be well.

    I do know Michael Perzl's site, and it's much appreciated. I got my first version of Python running on AIX using his packages. Sadly, I work in a financial institution and they want things to come straight from IBM, for non-technical reasons. It Is Policy.

    Cheers,

    Menno.

    ETA: Bah.

    mksecldap: ldap.client.rte version 3.2 or higher is not installed.
    client presetup check failed.
    Error changing "SYSTEM" to ""LDAP"" : Value is invalid




  • 6.  Re: AIX Linux Toolbox, LDAP and sudo library clash

    Posted Wed June 28, 2017 02:29 PM

    Originally posted by: kevev


    So I am wondering if this has been fixed yet. I just ran into this issue today. We need to get away from compiling our own sudo with LDAP support. I thought IBM was going to fix this...


    sudo: error in /etc/sudo.conf, line 19 while loading plugin `sudoers_policy'
    sudo: unable to load /opt/freeware/libexec/sudo/sudoers.so:     0509-022 Cannot load module /opt/freeware/libexec/sudo/sudoers.so.
            0509-150   Dependent module /usr/lib/libldap.a(libldap-2.4.so.2) could not be loaded.
            0509-153   File /usr/lib/libldap.a is not an archive or
                       the file could not be read properly.
            0509-026 System error: Cannot run a file that does not have a valid format.
            0509-022 Cannot load module /opt/freeware/libexec/sudo/sudoers.so.
            0509-150   Dependent module /opt/freeware/libexec/sudo/sudoers.so could not be loaded.
    sudo: fatal error, unable to load plugins



  • 7.  Re: AIX Linux Toolbox, LDAP and sudo library clash

    Posted Thu June 29, 2017 06:07 AM

    Originally posted by: AyappanP


    Can you paste me the output of the following commands?

    rpm -qa | grep sudo

    rpm -qa | grep ldap

    which sudo

    file <o/p of which sudo>

    ldd <o/p of which sudo>

    file /usr/lib/libldap.a




  • 8.  Re: AIX Linux Toolbox, LDAP and sudo library clash

    Posted Thu June 29, 2017 08:39 AM

    Originally posted by: kevev


    root@hostname  #: rpm -qa|grep ldap
    openldap-2.4.40-1
    openldap-devel-2.4.40-1
    root@hostname  #: which sudo
    /usr/bin/sudo
    root@hostname  #: file /usr/bin/sudo
    /usr/bin/sudo: executable (RISC System/6000) or object module
    root@hostname  #: ldd /usr/bin/sudo
    /usr/bin/sudo needs:
             /opt/freeware/libexec/sudo/libsudo_util.so
             /usr/lib/libintl.a(libintl.so.1)
             /usr/lib/libc.a(shr.o)
             /usr/lib/librtl.a(shr.o)
             /usr/lib/libiconv.a(shr4.o)
             /unix
             /usr/lib/libcrypt.a(shr.o)
    root@hostname  #: file /usr/lib/libldap.a
    /usr/lib/libldap.a: executable (RISC System/6000) or object module not stripped



  • 9.  Re: AIX Linux Toolbox, LDAP and sudo library clash

    Posted Thu June 29, 2017 09:16 AM

    Originally posted by: AyappanP


    It seems like your "/usr/lib/libldap.a" is coming from some other source.

    "/usr/lib/libldap.a: executable (RISC System/6000) or object module not stripped" --> not an archive.

    Are you sure you are using only AIX toolbox sudo & openldap ?



  • 10.  Re: AIX Linux Toolbox, LDAP and sudo library clash

    Posted Thu June 29, 2017 09:55 AM

    Originally posted by: kevev


    I am sure:


    root@hostname  #: lppchk -l
    root@hostname  #: lppchk -c

    root@hostname  #: ls -la /usr/lib/libldap.a
    lrwxrwxrwx    1 root     system           35 Apr 20 23:22 /usr/lib/libldap.a -> /opt/IBM/ldap/V6.3/lib/libidsldap.a
    root@hostname  #: ls -la /opt/IBM/ldap/V6.3/lib/libidsldap.a
    lrwxrwxrwx    1 root     system           35 Mar 31 15:27 /opt/IBM/ldap/V6.3/lib/libidsldap.a -> /opt/IBM/ldap/V6.3/lib/libibmldap.a
    root@hostname  #: ls -la /opt/IBM/ldap/V6.3/lib/libibmldap.a
    -rwxr-xr-x    1 root     system       733966 Jun 19 2012  /opt/IBM/ldap/V6.3/lib/libibmldap.a
    root@hostname  #: file /opt/IBM/ldap/V6.3/lib/libibmldap.a
    /opt/IBM/ldap/V6.3/lib/libibmldap.a: executable (RISC System/6000) or object module not stripped

    root@hostname  #: cksum /opt/IBM/ldap/V6.3/lib/libibmldap.a
    1814813555 733966 /opt/IBM/ldap/V6.3/lib/libibmldap.a

    root@hostname  #: lslpp -w /opt/IBM/ldap/V6.3/lib/libibmldap.a
      File                                        Fileset               Type
      ----------------------------------------------------------------------------
      /opt/IBM/ldap/V6.3/lib/libibmldap.a
                               idsldap.clt_max_crypto32bit63.rte        File
    root@hostname  #: oslevel -s
    7200-00-01-1543

    root@hostname  #: lppchk -v
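
A small POSIX shell diagnostic, added here and not part of the thread, that models what the output above implies: the loader takes the first libldap.a it finds along the search path and then needs that file to be an ar archive, so a /usr/lib entry that is a symlink chain to IBM's libibmldap.a object fails while the Toolbox archive in /opt/freeware/lib succeeds. It runs against a constructed temp tree (the file bytes are placeholders, not the real libraries) and never touches real system paths.

```shell
#!/bin/sh
# Added diagnostic, not code from the thread: emulate the AIX loader's
# first-match search for a dependent module along a colon-separated path,
# then check whether the file it lands on is an ar archive, which is what
# the "libldap.a(libldap-2.4.so.2)" dependency form requires. The tree is
# constructed under a temp dir to mirror the link chain the thread shows;
# nothing here touches real system paths.

# resolve_dep SEARCHPATH NAME -> prints the first DIR/NAME that exists
resolve_dep() {
    _name=$2; _old=$IFS; IFS=':'; set -- $1; IFS=$_old
    for _d; do
        [ -e "$_d/$_name" ] && { printf '%s\n' "$_d/$_name"; return 0; }
    done
    return 1
}

# is_archive FILE -> true when the first 8 bytes are the ar magic "!<arch>\n"
is_archive() {
    [ "$(dd if="$1" bs=8 count=1 2>/dev/null)" = '!<arch>' ]
}

# check_dep SEARCHPATH NAME -> "ok PATH", "notarchive PATH" or "missing NAME"
check_dep() {
    _p=$(resolve_dep "$1" "$2") || { echo "missing $2"; return 2; }
    is_archive "$_p" && { echo "ok $_p"; return 0; }
    echo "notarchive $_p"; return 1
}

# demo SEARCHPATH -> builds the constructed tree, prefixes every directory in
# SEARCHPATH with the temp dir, runs check_dep for libldap.a and prints the
# result with the temp prefix stripped so it reads like the real paths.
demo() {
    tmp=$(mktemp -d) || return 3
    mkdir -p "$tmp/opt/freeware/lib" "$tmp/usr/lib" "$tmp/opt/IBM/ldap/V6.3/lib"
    # Toolbox openldap: an ar archive (only the magic matters for this check)
    printf '!<arch>\n' > "$tmp/opt/freeware/lib/libldap.a"
    # IBM Directory Server client: a plain object, not an archive (constructed bytes)
    printf '\001\337not-an-archive\n' > "$tmp/opt/IBM/ldap/V6.3/lib/libibmldap.a"
    ln -s "$tmp/opt/IBM/ldap/V6.3/lib/libibmldap.a" "$tmp/opt/IBM/ldap/V6.3/lib/libidsldap.a"
    ln -s "$tmp/opt/IBM/ldap/V6.3/lib/libidsldap.a" "$tmp/usr/lib/libldap.a"
    _path="$tmp$(printf '%s' "$1" | sed "s|:|:$tmp|g")"
    _out=$(check_dep "$_path" libldap.a) && _rc=0 || _rc=$?
    rm -rf "$tmp"
    printf '%s\n' "$_out" | sed "s|$tmp||g"
    return $_rc
}

demo /usr/lib:/opt/freeware/lib    # notarchive /usr/lib/libldap.a
demo /opt/freeware/lib:/usr/lib    # ok /opt/freeware/lib/libldap.a
```

Only the first-match rule and the archive check are modelled; the exact order in which AIX combines LIBPATH (dropped for a setuid sudo run by non-root) with the embedded path of the executable and of the plugin is not.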



  • 11.  Re: AIX Linux Toolbox, LDAP and sudo library clash

    Posted Thu June 29, 2017 10:24 AM

    Originally posted by: AyappanP


    Seems like you have a different openldap fileset also. Do you require this ldap along with toolbox ldap ?

    If that is the case, you can export LIBPATH=/opt/freeware/lib:/usr/lib and keep using sudo. Otherwise you can uninstall the installp ldap fileset.



  • 12.  Re: AIX Linux Toolbox, LDAP and sudo library clash

    Posted Thu June 29, 2017 10:43 AM

    Originally posted by: kevev


    I thought openldap was the toolbox ldap. IBM ldap is in the fileset.

    Openldap RPM is required for sudo RPM as we have sudoers entries in LDAP. IBM LDAP is required for user authentication. Exporting LIBPATH only works for root, but not for other users. They receive the same error as root did before exporting LIBPATH.



  • 13.  Re: AIX Linux Toolbox, LDAP and sudo library clash

    Posted Thu June 29, 2017 10:56 AM

    Originally posted by: AyappanP


    So you require both IBM LDAP and Toolbox openldap ?



  • 14.  Re: AIX Linux Toolbox, LDAP and sudo library clash

    Posted Thu June 29, 2017 11:59 AM

    Originally posted by: kevev


    I am sorry. I should have been more clear in my response. We need LDAP user authentication & sudo via LDAP. We have no need for 2 LDAP libraries as long as both requirements are met. We currently compile sudo with IBM LDAP support from source, but are attempting to get away from non-IBM supported software.



  • 15.  Re: AIX Linux Toolbox, LDAP and sudo library clash

    Posted Thu June 29, 2017 12:52 PM

    Originally posted by: AyappanP


    Okay. I think AIX toolbox openldap & sudo will meet your requirements. You can remove IBM LDAP, reinstall toolbox openldap & sudo rpms and check.



  • 16.  Re: AIX Linux Toolbox, LDAP and sudo library clash

    Posted Thu June 29, 2017 01:20 PM

    Originally posted by: kevev


    Thank you for the help. But I am not sure if I would feel comfortable doing that, as the Toolbox page has this nasty disclaimer. Is there some way to have IBM fix the RPM?

    No Warranty: The Code is provided "As is." To the extent permitted by applicable law, IBM disclaims all warranties either express or implied, including without limitation any warranty of non-infringement, noninterference, merchantability, or fitness for a particular purpose regarding the code or technical support, if any.



  • 17.  Re: AIX Linux Toolbox, LDAP and sudo library clash

    Posted Fri June 30, 2017 08:45 AM

    Originally posted by: AyappanP


    "Is there some way to have IBM fix the RPM?"

    It's not a problem with the RPM but the presence of the IBM LDAP fileset on the machine that is creating the problem. Try removing the IBM LDAP fileset and keep only AIX Toolbox openldap.



  • 18.  Re: AIX Linux Toolbox, LDAP and sudo library clash

    Posted Wed September 27, 2017 02:38 PM

    Originally posted by: jherna3


    I too am running AIX 7.1 on a bunch of LPARs with the idsldap filesets installed for logging into AIX with AD credentials. I have gone out to the AIX Linux Toolbox site and downloaded the latest version of sudo and its dependent software. The installation fails but I'm able to configure the software to perform sudo tasks. However, on some servers when I run sudo by itself, I get the sudo help info. On other servers, it errors:


    sudo: error in /etc/sudo.conf, line 0 while loading plugin "sudoers_policy"
    sudo: unable to load /opt/freeware/libexec/sudo/sudoers.so:     0509-022 Cannot load module /opt/freeware/libexec/sudo/sudoers.so.
            0509-150   Dependent module /usr/lib/libldap.a(libldap-2.4.so.2) could not be loaded.
            0509-153   File /usr/lib/libldap.a is not an archive or
                       the file could not be read properly.
            0509-026 System error: Cannot run a file that does not have a valid format.
            0509-022 Cannot load module /opt/freeware/libexec/sudo/sudoers.so.
            0509-150   Dependent module /opt/freeware/libexec/sudo/sudoers.so could not be loaded.
    sudo: fatal error, unable to load plugins

     

    It seems to me that there is some kind of contention between the idsldap filesets and the openldap rpm that is installed because of the sudo rpm. Has this issue been resolved?



  • 19.  Re: AIX Linux Toolbox, LDAP and sudo library clash

    Posted Tue October 03, 2017 03:22 AM

    Originally posted by: AyappanP


    We have recently uploaded sudo rpm (named sudo_ids-1.8.20p2-1.aix6.1.ppc.rpm) which works with IBM LDAP.

    This rpm conflicts with the other sudo rpm which links with openldap. So users cannot have both rpms installed at the same time.

    Users who have IBM ldap installed can make use of this sudo_ids rpm to avoid any library linking issues.