Wednesday, August 22, 2018

sudo: ldap_start_tls_s(): Connect error

A quick hint for FreeBSD users whose sudo authorizes via LDAP. If you get the following message when running sudo:

sudo: ldap_start_tls_s(): Connect error

associated with this error message in the logs:

sudo: in openpam_check_error_code(): pam_sm_authenticate(): unexpected return value 27

Check that the TLS parameters in your ldap.conf are correct, in particular that TLS_CACERT (or TLS_CACERTDIR) still points at a CA file that exists. In my case, Ansible pushed a bunch of pending config changes (and an OS update) to a neglected host, one of which moved the CA certificate file but did not update the ldap.conf file. I chased my tail for a bit, thinking the issue was with nslcd.conf.
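The check above, as an added example that is not part of the original post: a small POSIX sh script that reads the TLS file and directory parameters out of an ldap.conf and reports any path that no longer exists, which is exactly the failure mode of a moved CA bundle. The sample ldap.conf, the hostname ldap.example.com and all file paths are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original post: before suspecting nslcd or sudo,
# confirm that every TLS path in the ldap.conf that sudo reads still exists.
# All paths and the sample config below are constructed for the demonstration.

# Print the value of one ldap.conf key (case-insensitive). If the key appears
# more than once, the last occurrence wins; comment lines are skipped.
ldap_conf_get() {
    # $1 = ldap.conf path, $2 = key name, e.g. TLS_CACERT
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        toupper($1) == toupper(key) { val = $2 }
        END { print val }
    ' "$1"
}

# Check the TLS file and directory parameters of an ldap.conf.
# Prints one line per missing path; returns 0 if all exist, 1 otherwise.
check_ldap_tls_conf() {
    conf="$1"
    rc=0
    for key in TLS_CACERT TLS_CERT TLS_KEY; do
        path=$(ldap_conf_get "$conf" "$key")
        [ -n "$path" ] || continue
        if [ ! -f "$path" ]; then
            echo "$key -> $path: no such file"
            rc=1
        fi
    done
    dir=$(ldap_conf_get "$conf" TLS_CACERTDIR)
    if [ -n "$dir" ] && [ ! -d "$dir" ]; then
        echo "TLS_CACERTDIR -> $dir: no such directory"
        rc=1
    fi
    return $rc
}

# Demonstration with a constructed ldap.conf whose CA bundle has been moved
# to a new directory without the config being updated (the post's situation).
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/old" "$tmp/new"
    printf 'constructed placeholder, not a real CA bundle\n' > "$tmp/new/ca.pem"
    cat > "$tmp/ldap.conf" <<EOF
# constructed sample ldap.conf; hostname and base DN are assumptions
URI         ldap://ldap.example.com
BASE        dc=example,dc=com
ssl         start_tls
tls_reqcert demand
TLS_CACERT  $tmp/old/ca.pem
EOF
    echo "Checking $tmp/ldap.conf"
    if check_ldap_tls_conf "$tmp/ldap.conf"; then
        echo "TLS paths OK"
    else
        echo "fix ldap.conf (or restore the file) before retrying sudo"
    fi
    rm -rf "$tmp"
}

demo
```

Once the paths check out, test the STARTTLS handshake itself rather than going through sudo: `ldapsearch -ZZ -x -H ldap://ldap.example.com -b '' -s base` (the doubled `-ZZ` makes a failed STARTTLS fatal instead of falling back to cleartext), or, with OpenSSL 1.1.1 or newer, `openssl s_client -connect ldap.example.com:389 -starttls ldap -CAfile /path/to/ca.pem` to see the certificate chain and verification result directly. The hostname is an assumption; substitute the URI from your own ldap.conf.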

You may also notice a corresponding error in the log of the LDAP server. In the case of slapd:

slapd[40731]: conn=4892528 fd=219 closed (TLS negotiation failure)