Bug 55283
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | nss_ldap, pam_ldap not authenticating against openldap server | | |
| Product | [Retired] Red Hat Linux | Reporter | jehan procaccia <jehan.procaccia> |
| Component | nss_ldap | Assignee | Nalin Dahyabhai <nalin> |
| Status | CLOSED NOTABUG | QA Contact | Aaron Brown <abrown> |
| Severity | medium | Docs Contact | |
| Priority | medium | | |
| Version | 7.2 | | |
| Target Milestone | --- | | |
| Target Release | --- | | |
| Hardware | i386 | | |
| OS | Linux | | |
| Fixed In Version | | Doc Type | Bug Fix |
| Doc Text | | Story Points | --- |
| Last Closed | 2003-07-13 13:19:08 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
Description

jehan procaccia, 2001-10-29 08:58:29 UTC

Very similar problem from barry.ac.nz. Have ldap authentication using TLS working with RH7.1 kernel 2.4.3-12 (openldap 2.0.11-8, openssh 2.5.2p2-5, nss_ldap 149-4, openssl 0.9.6-9) on an 800MHz 686. When upgrading the client to 7.2 kernel 2.4.7-10 (openldap 2.0.11-13, openssh 2.9p2-12, nss_ldap 172-2, openssl 0.9.6b-8) it will not authenticate to either a 7.2 or a 7.1 server. An existing 7.1 client will ldap authenticate to the 7.2 server. Failure of TLS is apparent when upgrading nss_ldap. Removing the TLS requirement fixes the problem, but the password is now clear text. The above changes to /etc/pam.d/login are not a fix for this problem.

Client snip from /var/log/messages:

```
client1 login(pam_unix)[16563]: check pass; user unknown
client1 login(pam_unix)[16563]: authentication failure; logname= uid=0 euid=0 tty=tty1 ruser= rhost=
Dec 14 13:17:32 client1 login[16563]: pam_ldap: ldap_set_option(LDAP_OPT_X_TLS_REQUIRE_CERT) :Unknown error
client1 login[16563]: pam_ldap: _set_ssl_default_options failed
client1 login[16563]: pam_ldap: ldap_starttls_s: Connect error
client1 login[16563]: FAILED LOGIN 1 FROM (null) FOR sastaff, Authentication failure
client1 login(pam_unix)[16563]: check pass; user unknown
client1 login(pam_unix)[16563]: could not identify user (from getpwnam(sastaff))
client1 login[16563]: User not known to the underlying authentication module
client1 login(pam_unix)[16563]: 1 more authentication failure; logname=uid=0 euid=0 tty=tty1 ruser= rhost=
```

I believe a separate openldap problem is resulting in the ldap_start_tls_s error.

Please ignore the previous comment; the problem was that the SSL certificate was not signed with the FQDN hostname. openldap and nss_ldap released with 7.1 were not as strict as the 7.2 releases.
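The root cause in the comment above is a server certificate whose name does not match the FQDN the client connects to, which a strict TLS client rejects. The following is an added example, not code from the report or from nss_ldap, pam_ldap or OpenLDAP: it models the hostname check a strict client performs (RFC 6125 rules: DNS subjectAltName entries take precedence over the subject CN, matching is case-insensitive, and a wildcard is only honoured as the whole left-most label). The host and certificate names in the test cases are constructed for illustration; to obtain the real names from a server certificate you would inspect it with `openssl x509 -noout -text -in server.pem`.

```python
"""Hostname matching for an LDAP server certificate (added example).

Models the check a strict TLS client performs when it compares the name
it connected to with the names in the server certificate.  The rules
follow RFC 6125; the sample names used with these functions are
constructed and are not taken from the bug report.
"""
from typing import Iterable, Optional


def name_matches(pattern: str, host: str) -> bool:
    """Match one certificate name (CN or DNS SAN) against one hostname.

    - comparison is case-insensitive and ignores a trailing dot
    - '*' is accepted only as the entire left-most label of a name with
      at least three labels, and it matches exactly one label:
      '*.example.com' matches 'ldap.example.com' but neither
      'example.com' nor 'a.b.example.com'; partial wildcards such as
      'ldap*.example.com' are rejected outright
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    if len(p_labels) < 3 or p_labels[0] != "*" or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(host: str, subject_cn: Optional[str],
                     san_dns: Iterable[str]) -> bool:
    """Return True if the certificate identity covers `host`.

    When the certificate carries DNS subjectAltName entries only those
    are consulted; the subject CN is used only as a fallback for legacy
    certificates that have no SAN at all.
    """
    san_dns = list(san_dns)
    if san_dns:
        return any(name_matches(n, host) for n in san_dns)
    return subject_cn is not None and name_matches(subject_cn, host)


def diagnose(host: str, subject_cn: Optional[str],
             san_dns: Iterable[str]) -> str:
    """Summarise the verdict a strict client would reach for `host`.

    A mismatch is reported together with the remedy the report arrived
    at (reissue the certificate for the FQDN) rather than the workaround
    it first tried (dropping the TLS requirement, sending passwords in
    clear text).
    """
    san_dns = list(san_dns)
    if hostname_matches(host, subject_cn, san_dns):
        return "ok"
    names = ", ".join(san_dns) if san_dns else (subject_cn or "<no name>")
    return (f"certificate names ({names}) do not match host {host!r}; "
            "reissue the server certificate for the FQDN instead of "
            "disabling certificate verification")


if __name__ == "__main__":
    # Constructed scenario: the server certificate was issued for the
    # short hostname, but the client connects to the FQDN.
    print(diagnose("ldap.example.com", "ldap", []))
    print(diagnose("ldap.example.com", "ldap.example.com", []))
```

Note that a certificate with a SAN extension is judged on its SAN entries alone, so a CN that happens to match the FQDN does not rescue a certificate whose SAN lists a different name; that is the case that most often surprises people re-issuing an old certificate.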