  • 1.  sudo with IBM Directory Server is available on AIX toolbox

    Posted Mon October 02, 2017 12:12 PM

    Originally posted by: sanket


     

    sudo with IBM Directory Server (IDS) is now available on AIX toolbox.

    https://public.dhe.ibm.com/aix/freeSoftware/aixtoolbox/RPMS/ppc/sudo/sudo_ids-1.8.20p2-1.aix6.1.ppc.rpm

    The sudo with IDS support (sudo_ids-1.8.20p2-1.aix6.1.ppc.rpm) is exclusive to sudo with open ldap support (sudo-1.8.20p2-3.aix6.1.ppc.rpm). 

    This means only one sudo can be installed on the AIX system.

    You can also use yum to install toolbox packages on your AIX machine.

     


    #AIX-Open-Source-Software
    #AIXOpenSource


  • 2.  Re: sudo with IBM Directory Server is available on AIX toolbox

    Posted Mon October 23, 2017 01:53 PM

    Originally posted by: H4R01D


    Hi,

    I've the following error with libibmldap.a when I try to install sudo_ids.

    Do you know how to get AIX-rpm to provide the required library?

     

    Thanks,

    Harold.

     

    root@SERVER:/:=>yum install sudo_ids
    Setting up Install Process
    Resolving Dependencies
    --> Running transaction check
    ---> Package sudo_ids.ppc 0:1.8.20p2-1 will be installed
    --> Processing Dependency: libibmldap.a for package: sudo_ids-1.8.20p2-1.ppc
    --> Finished Dependency Resolution
    Error: Package: sudo_ids-1.8.20p2-1.ppc (AIX_Toolbox)
               Requires: libibmldap.a

     You could try using --skip-broken to work around the problem
     You could try running: rpm -Va --nofiles --nodigest
    root@SERVER:/:=>
    root@SERVER:/:=>rpm -q AIX-rpm --provides | grep ldap
    idsldap_plugin_ibm_gsskrb.a  
    idsldap_plugin_sasl_digest-md5.a  
    libibmldapdbg.a  
    libibmldapn.a  
    libidsldap.a  
    libidsldapiconv.a  
    libsecldapaudit.a(shr.o)  
    libsecldapaudit64.a(shr.o)  
    nis_ldap.so  
    nis_ldap_64.so  
    rpcldap.so  
    root@SERVER:/:=>
    root@SERVER:/:=>ls -l /opt/IBM/ldap/V6.2/lib/*libibmldap*
    lrwxrwxrwx    1 root     system           36 Apr 24 2015  /opt/IBM/ldap/V6.2/lib/libibmldap.a -> /opt/IBM/ldap/V6.2/lib/libibmldapn.a
    -rwxr-xr-x    1 root     system        32544 Jun 24 2013  /opt/IBM/ldap/V6.2/lib/libibmldapdbg.a
    -rwxr-xr-x    1 root     system       628246 Jun 24 2013  /opt/IBM/ldap/V6.2/lib/libibmldapn.a
    lrwxrwxrwx    1 root     system           42 Apr 24 2015  /opt/IBM/ldap/V6.2/lib/libibmldapstatic.a -> /opt/IBM/ldap/V6.2/lib/libibmldapstaticn.a
    -rwxr-xr-x    1 root     system       967067 Jun 24 2013  /opt/IBM/ldap/V6.2/lib/libibmldapstaticn.a
    root@SERVER:/:=>

     




  • 3.  Re: sudo with IBM Directory Server is available on AIX toolbox

    Posted Tue October 24, 2017 03:16 AM

    Originally posted by: AyappanP


    It seems like you have forgotten to create the links for the libraries and/or all filesets are not installed properly.

    # lslpp -l | grep idsldap
      idsldap.clt32bit63.rte    6.3.0.46  COMMITTED  Directory Server - 32 bit
      idsldap.clt64bit63.rte    6.3.0.46  COMMITTED  Directory Server - 64 bit
      idsldap.clt_max_crypto32bit63.rte
      idsldap.clt_max_crypto64bit63.rte
      idsldap.cltbase63.adt     6.3.0.46  COMMITTED  Directory Server - Base Client
      idsldap.cltbase63.rte     6.3.0.46  COMMITTED  Directory Server - Base Client
      idsldap.cltjava63.rte     6.3.0.46  COMMITTED  Directory Server - Java Client
      idsldap.license63.rte     6.3.0.46  COMMITTED  Directory Server - License
      idsldap.msg63.en_US       6.3.0.46  COMMITTED  Directory Server - Messages -
      idsldap.srv64bit63.rte    6.3.0.46  COMMITTED  Directory Server - 64 bit
      idsldap.srv_max_cryptobase64bit63.rte
      idsldap.srvbase64bit63.rte
      idsldap.srvproxy64bit63.rte
      idsldap.webadmin63.rte    6.3.0.46  COMMITTED  Directory Server - Web
      idsldap.webadmin_max_crypto63.rte
      idsldap.clt32bit63.rte    6.3.0.46  COMMITTED  Directory Server - 32 bit
      idsldap.clt64bit63.rte    6.3.0.46  COMMITTED  Directory Server - 64 bit
      idsldap.cltbase63.rte     6.3.0.46  COMMITTED  Directory Server - Base Client
      idsldap.srvbase64bit63.rte
      idsldap.srvproxy64bit63.rte

     

    Execute this command: "/opt/IBM/ldap/V6.2/bin/idslink -l 32 -l 64". This will create a softlink /usr/lib/libibmldap.a pointing to libidsldap.a in the /opt directory.

    After this, run the "updtvpkg" command to update the rpm database.




  • 4.  Re: sudo with IBM Directory Server is available on AIX toolbox

    Posted Tue October 24, 2017 10:50 AM

    Originally posted by: H4R01D


    Thanks for your help @AyappanP!!

    The soft link is already there, I ran the idslink and updtvpkg over again just to be sure, but I've the same result.

    Thing is, soft link /usr/lib/libibmldap.a points to /opt/IBM/ldap/V6.2/lib/libibmldapn.a instead of /opt/IBM/ldap/V6.2/lib/libidsldap.a as you mention.

    I'm not sure, but my guess is that this is correct, and it's the reason why AIX-rpm provides libibmldapn.a instead of libibmldap.a, and so sudo_ids package dependencies should be updated accordingly... but you may better know than me.

     

    Thanks,

    Harold.

     

    root@SERVER:/:=>ls -la /usr/lib/libibmldap.a         
    lrwxrwxrwx    1 root     system           36 Oct  8 05:04 /usr/lib/libibmldap.a -> /opt/IBM/ldap/V6.2/lib/libibmldapn.a
    root@SERVER:/:=>rpm -q AIX-rpm --provides | grep libibmldap
    libibmldapdbg.a  
    libibmldapn.a  
    root@SERVER:/:=>

     




  • 5.  Re: sudo with IBM Directory Server is available on AIX toolbox

    Posted Tue October 24, 2017 11:16 AM

    Originally posted by: AyappanP


    So it seems like a problem with your idsldap installation. Some filesets are not correctly installed.

    Compare your output of "lslpp -l | grep idsldap" with my output above. If they are not matching, you need to reinstall all the filesets again.

    Better use "smit install" rather than installp. 




  • 6.  Re: sudo with IBM Directory Server is available on AIX toolbox

    Posted Tue October 24, 2017 03:52 PM

    Originally posted by: H4R01D


    I was missing a couple of packages.... Many thanks @AyappanP!!!!




  • 7.  Re: sudo with IBM Directory Server is available on AIX toolbox

    Posted Mon October 30, 2017 03:39 PM

    Originally posted by: H4R01D


    Hi @AyappanP

    I'm still dealing with sudo_ids configuration. I've the following error:

     

    root@SERVER:/:=>sudo -l
    sudo: no valid sudoers sources found, quitting
    sudo: unable to initialize policy plugin
    root@SERVER:/:=>

     

    At first I thought it was the idsldap version, because when I run "sudo -V", the output says sudo was compiled with ldap path: /opt/IBM/ldap/V6.3, and I had V6.2. I managed to install V6.3.1, and created a soft link from /opt/IBM/ldap/V6.3 to point at /opt/IBM/ldap/V6.3.1... unfortunately I had the same error.

     

    Wondering if you have any clue.

     

    Thanks,

    Harold.

     

    PS: I already have /etc/ldap.conf in place.

     




  • 8.  Re: sudo with IBM Directory Server is available on AIX toolbox

    Posted Tue October 31, 2017 03:16 AM

    Originally posted by: AyappanP


    From the error, it seems like the problem is with /etc/sudoers file. Check this file and make sure you use visudo command to edit it.




  • 9.  Re: sudo with IBM Directory Server is available on AIX toolbox

    Posted Tue October 31, 2017 10:11 AM

    Originally posted by: H4R01D


    Actually, I'm not using /etc/sudoers, just LDAP.

    This is our /etc/netsvc.conf file:

     

    root@SERVER:/:=>tail -3 /etc/netsvc.conf
    hosts=local4,bind4
    sudoers=ldap

     

    Rgrds.

     

    PS: Just to double check, I enabled the sudoers file in netsvc.conf and granted sudo to the root user, and it worked as intended.




  • 10.  Re: sudo with IBM Directory Server is available on AIX toolbox

    Posted Tue October 31, 2017 11:31 AM

    Originally posted by: AyappanP


    Just reproduced the issue in my environment. I don't have much expertise on this stuff. I will check with the AIX security team & Directory server team regarding this and get back to you.

    Meantime you can put an entry "SUDOERS_DEBUG 2" inside the ldap conf file to get more info about this issue.
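
A static check of the two files this thread revolves around, as an added example that is not part of any post and not IBM's or the sudo project's code: it reads the `sudoers` source order from `/etc/netsvc.conf` and looks for `SUDOERS_BASE` in the LDAP configuration file, which sudoers.ldap(5) describes as the base DN for sudo's queries. The function names and return codes are hypothetical, and the check covers only this one precondition, not the unresolved cause of the error above.

```shell
#!/bin/sh
# Added example: pre-flight check for an LDAP-backed sudo policy on AIX.
# Paths default to the files named in the thread; pass others as arguments.

# Print the sudoers source list from a netsvc.conf-style file, e.g. "ldap"
# or "files,ldap". sudoers.ldap(5) gives "files" as the default when no
# sudoers line is present.
sudoers_sources() {
    src=$(sed -n 's/^[[:space:]]*sudoers[[:space:]]*=[[:space:]]*//p' "$1" 2>/dev/null |
          tail -1 | tr -d '[:space:]')
    echo "${src:-files}"
}

# Print the value of the last KEY line in an ldap.conf-style file.
# Keys are matched case-insensitively; comment lines are skipped.
ldap_conf_value() {   # $1 = file, $2 = key
    awk -v k="$2" 'BEGIN { k = toupper(k) }
        /^[ \t]*#/ { next }
        toupper($1) == k { $1 = ""; sub(/^[ \t]+/, ""); v = $0 }
        END { print v }' "$1" 2>/dev/null
}

# Hypothetical return codes:
#   0 = nothing to flag
#   1 = ldap is the only source and SUDOERS_BASE is not set
#   2 = SUDOERS_BASE is not set, but a files source is also listed
check_sudo_ldap() {   # $1 = netsvc.conf, $2 = ldap.conf
    sources=$(sudoers_sources "${1:-/etc/netsvc.conf}")
    conf=${2:-/etc/ldap.conf}
    case "$sources" in
        *ldap*) ;;
        *) echo "ldap is not a sudoers source (sources=$sources)"; return 0 ;;
    esac
    base=$(ldap_conf_value "$conf" SUDOERS_BASE)
    if [ -n "$base" ]; then
        echo "ok: sources=$sources SUDOERS_BASE=$base"
        return 0
    fi
    echo "SUDOERS_BASE is not set in $conf"
    case "$sources" in
        *files*) echo "a files source is also listed"; return 2 ;;
        *) echo "ldap is the only sudoers source"; return 1 ;;
    esac
}

# Usage on the host: check_sudo_ldap /etc/netsvc.conf /etc/ldap.conf
```
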

