Hi Dan,
many thanks : with your guidance, I found where the problem came from, and I think it's almost fixed (not fully though).
Ok : the situation is that I use layer between my machines and the ldap server (aka : sssd). The sssd package depends on sasl libraries : that's why it is installed on my boxes even if I don't usally use it.
The first thing is that I don't understand is : why the same command "ldapsearch -ZZZ -h ldaphost ..." works fine on redhat 6 and failed on redhat 5 (only works with '-x' on redhat5. I've noted your agurment that this is the default behaviour).
Anyway, I saw where my authentication problem came from : On redhat5 I need to tell nsswitch NOT to use sssd to get SUDOER database bcause this is not supported before redhat6. So my nswitch.conf looks like this :
# cat /etc/nsswitch.conf
sudoers: ldap
passwd: files sss
shadow: files sss
group: files sss
...
So I had to configure /etc/ldap.conf to include all relevant information for talking with the ldap server and get the sudoer db from ldap.
The problem is that I have not found which option I should use in ldap.conf to say NOT to use sasl when binding the ldap directory (aka the equivalent of '-x').
I have found two workarounds to make it work alyhough, but those methods are not good to me :
1/ First method is to remove those two lines :
ssl start_tls
tls_cacertdir /etc/openldap/cacerts
from /etc/ldap.conf
-> ok, it works but now the user password circulate in clear over the sudo processe.
2/ second method is to configure a proxy "binddn" in /etc/ldap.conf.
when I do that, it appears that then I can I leave "starttls" in the file, sasl is not called over the sudo process and it works.
The problem : to make it work I need to declare the "bindpw" in /etc/ldap.conf and I don't like that at all.
(BTW, I have not bee able to make it work with a disctinct /etc/ldap.secret)
Ok question : is there an option that I could install in /etc/ldap.conf to telle NOT to use sasl (aka : equivalent of '-x' for ldapsearch).
Hope the issue/diag is clear,
If there is no other way, I suspect that I could try to create x509 certificates for my redhat5 machines and bind using an "external" SASL mecanism. But I beleive that with this method the ACL configuration on the server side can quickly become a nightmare.
Any thougt, guidance ?
Thanks,
---
Olivier