Bug 593242
Summary: | nss_ldap does not handle "unreadable" certificate files when resolving usernames and groups and using TLS. | |
---|---|---|---
Product: | Red Hat Enterprise Linux 5 | Reporter: | Sander <bugzilla>
Component: | nss_ldap | Assignee: | Nalin Dahyabhai <nalin>
Status: | CLOSED ERRATA | QA Contact: | Ondrej Moriš <omoris>
Severity: | medium | Docs Contact: |
Priority: | medium | |
Version: | 5.5 | CC: | bugzilla, dpal, dspurek, jhrozek, jplans, omoris
Target Milestone: | rc | |
Target Release: | --- | |
Hardware: | All | |
OS: | Linux | |
Whiteboard: | | |
Fixed In Version: | nss_ldap-253-46.el5 | Doc Type: | Bug Fix
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2012-02-21 06:38:43 UTC | Type: | ---
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Bug Depends On: | 609722, 811468 | |
Bug Blocks: | | |
Description
Sander 2010-05-18 10:00:36 UTC

In this case the cert is not readable by anybody, including the nss_ldap module. It is unclear what expectation you have. It is definitely wrong to expect that nss_ldap would work if the cert is not readable.

There is a valid certificate in the directory; adding a file that is not world readable (chmod 0640 is sufficient) causes TLS to stop working (while the original certificate is still readable). My expectation in this case would be for nss_ldap to ignore the unreadable file(s) and use the readable one(s).

(In reply to comment #2)
> There is a valid certificate in the directory, adding a file that is not world
> readable (chmod 0640 is sufficient) causes TLS to stop working. (while the
> original certificate is still readable).
>
> My expectation in this case would be for nss_ldap to ignore the unreadable
> file(s) and use the readable one(s).

Ok, thanks for the clarification. Now it makes more sense. The place this needs to be fixed is actually openldap's libldap. Opening a bug against that component and marking it as a blocker of this one. Once that's fixed, we need to rebuild against it to pick up the fix in nss_ldap, which is why I'm not simply reassigning it.

This request was evaluated by Red Hat Product Management for inclusion in the current release of Red Hat Enterprise Linux. Because the affected component is not scheduled to be updated in the current release, Red Hat is unfortunately unable to address this request at this time. Red Hat invites you to ask your support representative to propose this request, if appropriate and relevant, in the next release of Red Hat Enterprise Linux.

nss_ldap-253-46.el5 BuildRequires openldap >= 2.3.43-20 and was rebuilt against -23.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2012-0268.html
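The condition behind this report (one non-world-readable file in the CA certificate directory stopping TLS for nss_ldap, even though a readable certificate sits beside it) can be checked for before it bites. The following is an added example, not code from this bug, nss_ldap or openldap: it classifies the files of a CA directory by whether a given uid and group set can read them using POSIX mode bits, and models the two outcomes discussed above (the reported one, where any unreadable file breaks TLS, and the one the reporter expected, where unreadable files are ignored). The directory, file names and modes are constructed for the demonstration.

```python
import os
import stat
import tempfile
from pathlib import Path


def readable_by(st, uid, gids):
    """POSIX mode-bit check: can a process running as uid, with group ids gids,
    read the file described by st? root (uid 0) bypasses the bits."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)


def audit_cacertdir(path, uid, gids):
    """Split the regular files of a CA certificate directory into those the given
    identity can read and those it cannot. nss_ldap loads certificates inside the
    calling process, so pass that process's uid and group ids, not root's."""
    readable, unreadable = [], []
    for entry in sorted(Path(path).iterdir()):
        if entry.is_file():
            ok = readable_by(entry.stat(), uid, gids)
            (readable if ok else unreadable).append(entry.name)
    return readable, unreadable


def tls_would_work(path, uid, gids, skip_unreadable):
    """Model both outcomes from the report: one unreadable file stops TLS
    (skip_unreadable=False), or unreadable files are ignored and the readable
    ones used, as the reporter expected (skip_unreadable=True)."""
    readable, unreadable = audit_cacertdir(path, uid, gids)
    if unreadable and not skip_unreadable:
        return False
    return bool(readable)


def build_constructed_sample():
    """Constructed sample: a world-readable CA file (0644) beside a file with the
    mode from the report (0640), both owned by the current user. Returns (dir, uid)."""
    d = tempfile.mkdtemp(prefix="cacertdir-")
    for name, mode in (("ca-good.pem", 0o644), ("ca-private.pem", 0o640)):
        p = Path(d, name)
        p.write_text("-----BEGIN CERTIFICATE-----\n(constructed)\n-----END CERTIFICATE-----\n")
        p.chmod(mode)
    return d, os.getuid()
```

Run audit_cacertdir against the real TLS_CACERTDIR with the uid and groups of the process that performs the lookup (for a daemon, its own unprivileged identity); any name in the unreadable list is a file that the pre-fix libldap would have tripped over.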