[Freeipa-users] Best place to start debugging sudo issue

Rob Crittenden rcritten at redhat.com
Tue Oct 1 14:53:30 UTC 2013


Bret Wortman wrote:
> On some of my nodes, attempting to sudo yields this:
>
> $ sudo su -
> sudo: ldap_start_tls_s(): Connect error
> [sudo] password for bretw:
>
> When the policy for my account is set up for !authenticate on all systems.
>
> On my own workstation, and most of our systems, it works just fine. But
> on a few, this is happening. What's the best way to start debugging
> this? I'm not looking for someone to do the work for me, but some
> pointers to the right logfiles or extra flags would be helpful.

Add 'sudoers_debug: 2' to the sudo ldap configuration file.

Check the DS access log on the IPA server this connects to for SSL errors.

You should have these set:

ssl start_tls
tls_cacertfile /etc/ipa/ca.crt
tls_checkpeer yes

rob
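
The checks above, as an added example that is not part of the original thread and not FreeIPA or sudo code: a small POSIX sh script that reads the sudo LDAP configuration file, reports whichever of the three TLS settings is absent or wrong, greps a 389-ds access log for SSL-related connection failures, and offers a StartTLS probe with ldapsearch for the live case. The config path (/etc/sudo-ldap.conf), the access-log path (/var/log/dirsrv/slapd-*/access) and the sample log lines are assumptions for illustration; only the three settings and the CA path come from the reply.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Assumed paths:
#   /etc/sudo-ldap.conf            sudo's LDAP config on the client
#   /var/log/dirsrv/slapd-*/access 389-ds access log on the IPA server

# sudo_ldap_get KEY FILE: print the value of the first non-comment KEY line
# ("key value" format, as in sudo-ldap.conf); prints nothing if unset.
sudo_ldap_get() {
    awk -v key="$1" '
        /^[[:space:]]*#/ { next }
        $1 == key { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
    ' "$2"
}

# check_sudo_ldap_tls FILE: compare the three settings from the reply against
# what the file holds; print one line per mismatch; return 0 only if all match.
check_sudo_ldap_tls() {
    f="$1"; rc=0
    for pair in "ssl=start_tls" "tls_cacertfile=/etc/ipa/ca.crt" "tls_checkpeer=yes"; do
        key="${pair%%=*}"; want="${pair#*=}"
        got="$(sudo_ldap_get "$key" "$f")"
        if [ "$got" != "$want" ]; then
            echo "$f: $key is '${got:-<unset>}', expected '$want'"
            rc=1
        fi
    done
    return $rc
}

# ds_ssl_errors LOGFILE: print access-log lines where an SSL connection was
# closed or errored (the "closed - SSL ..." form 389-ds uses); grep's exit
# status is returned, so 0 means at least one such line was found.
ds_ssl_errors() {
    grep -iE 'SSL.*(closed|error|alert|cannot)|closed - .*SSL' "$1"
}

# probe_start_tls HOST: live check, not run by the test. -ZZ makes ldapsearch
# fail unless StartTLS succeeds; LDAPTLS_REQCERT=demand mirrors tls_checkpeer yes.
probe_start_tls() {
    LDAPTLS_CACERT=/etc/ipa/ca.crt LDAPTLS_REQCERT=demand \
        ldapsearch -x -ZZ -H "ldap://$1" -b '' -s base '(objectClass=*)' namingContexts
}

# Usage when run directly: ./check.sh [/etc/sudo-ldap.conf] [access-log]
if [ "$#" -gt 0 ]; then
    check_sudo_ldap_tls "$1" && echo "$1: TLS settings look right"
    [ "$#" -gt 1 ] && ds_ssl_errors "$2"
fi
```

A client that prints "ldap_start_tls_s(): Connect error" and then still prompts for a password has fallen back to the non-LDAP sudoers path, so a failing check_sudo_ldap_tls (typically a missing or wrong tls_cacertfile, or a CA file the client cannot read) and a matching "closed - SSL" line in the server's access log are what to look for first.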
