Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1411346

Summary: OpenLDAP doesn't work in FIPS mode in RHEL-6
Product: Red Hat Enterprise Linux 6 Reporter: Alicja Kario <hkario>
Component: nss-softoknAssignee: nss-nspr-maint <nss-nspr-maint>
Status: CLOSED WONTFIX QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 6.8CC: kengert
Target Milestone: rcKeywords: Patch
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-11-08 16:34:13 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1387811    
Bug Blocks:    

Description Alicja Kario 2017-01-09 14:29:26 UTC 
Description of problem:
When OpenLDAP server is configured with a NSS database set up in FIPS mode, it is unable to process client requests.

Version-Release number of selected component (if applicable):
nss-softokn-3.14.3-23.3.el6_8


How reproducible:
Always

Steps to Reproduce:
1. Set up OpenLDAP with NSS database configured to FIPS mode
2. Try connecting to it using TLS
3.

Actual results:
TLS: certdb config: configDir='/etc/openldap/certs' tokenDescription='ldap(0)' certPrefix='' keyPrefix='' flags=readOnly
TLS: cannot open certdb '/etc/openldap/certs', error -8018:Unknown PKCS #11 error.

Expected results:
TLS connection established

Additional info:
 Matus Honek traced it down to 
> #0  sftk_fipsCheck (hSession=18446744071562067969, pTemplate=0x7ffff2d4c680, ulCount=2, phObject=0x7ffff2d4c6b8) at fipstokn.c:200
> #1  FC_CreateObject (hSession=18446744071562067969, pTemplate=0x7ffff2d4c680, ulCount=2, phObject=0x7ffff2d4c6b8) at fipstokn.c:764
> #2  0x00007ffff6424bca in PK11_CreateNewObject (slot=0x7fffe4029a60, session=18446744071562067969, theTemplate=<value optimized out>, count=2, token=0, objectID=<value optimized out>) at pk11obj.c:381
> #3  0x00007ffff6434f46 in secmod_UserDBOp (slot=0x7fffe4029a60, objClass=3461563221, sendSpec=<value optimized out>, needlock=1) at pk11util.c:1281
> #4  0x00007ffff643573a in SECMOD_OpenNewSlot (mod=0x7fffe400d230, moduleSpec=<value optimized out>) at pk11util.c:1403
> #5  0x00007ffff79c1ba9 in tlsm_init_open_certdb (arg=0x7ffff83a3a30) at tls_m.c:1739
> #6  tlsm_deferred_init (arg=0x7ffff83a3a30) at tls_m.c:1854
> #7  tlsm_deferred_ctx_init (arg=0x7ffff83a3a30) at tls_m.c:2280
> #8  0x00007ffff5b83fc5 in PR_CallOnceWithArg (once=0x7ffff83a3a80, func=<value optimized out>, arg=<value optimized out>) at ../../../nspr/pr/src/misc/prinit.c:807
> #9  0x00007ffff79bf19b in tlsm_session_new (ctx=0x7ffff83a3a30, is_server=1) at tls_m.c:2667
> #10 0x00007ffff79bd8f4 in alloc_handle (ctx_arg=<value optimized out>, is_server=<value optimized out>) at tls2.c:296
> #11 0x00007ffff79bdf45 in ldap_pvt_tls_accept (sb=0x7fffe40008c0, ctx_arg=0x7ffff83a3a30) at tls2.c:418
> #12 0x00007ffff7e4b3a3 in connection_read (ctx=0x7ffff2d4cb70, argv=0x11) at ../../../servers/slapd/connection.c:1372
> #13 connection_read_thread (ctx=0x7ffff2d4cb70, argv=0x11) at ../../../servers/slapd/connection.c:1284
> #14 0x00007ffff7995ce8 in ldap_int_thread_pool_wrapper (xpool=0x7ffff82e2c40) at ../../../libraries/libldap_r/tpool.c:688
> #15 0x00007ffff5953aa1 in start_thread (arg=0x7ffff2d4d700) at pthread_create.c:301
> #16 0x00007ffff5495aad in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:115
where the frame #0 seems to return CKR_USER_NOT_LOGGED_IN when checking for !isLoggedIn, which is 0 (zero). Why it is so I have no clue.

Bob has proposed a patch to fix it: attachment 1225994 [details]
Comment 1 Kai Engert (:kaie) (inactive account) 2017-01-11 14:14:40 UTC 
Adding a bit more context.

Details can be found in bug 1387811.

I believe the intention of this bug is to be a tracker, because the patch requires a change to softokn, but it's unknown when we might be able to update nss-softokn in RHEL 6.