| Summary: | nss-pam-ldapd not work with certificates in nss db | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | David Spurek <dspurek> |
| Component: | nss-pam-ldapd | Assignee: | Nalin Dahyabhai <nalin> |
| Status: | CLOSED NOTABUG | QA Contact: | BaseOS QE Security Team <qe-baseos-security> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 6.2 | CC: | dpal, jhrozek, ksrot, omoris, prc |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2015-10-19 12:06:03 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Attachments: | | | |
Created attachment 541741 [details]
reproduce test

From the openldap library perspective all we should do is set the CACERTDIR to where the NSS database is, that's what ldapsearch does as well. It indeed seems like a nss-pam-ldapd bug at first sight, although I still need to do more investigation.

This request was evaluated by Red Hat Product Management for inclusion in the current release of Red Hat Enterprise Linux. Because the affected component is not scheduled to be updated in the current release, Red Hat is unfortunately unable to address this request at this time. Red Hat invites you to ask your support representative to propose this request, if appropriate and relevant, in the next release of Red Hat Enterprise Linux. If you would like it considered as an exception in the current release, please ask your support representative.

Hi David, could it be because of SELinux? /tmp/ is not a common place for certificates.

Hi Karel, I think that is not because of SELinux. I haven't seen any avc messages. In /var/log/messages there is:

```
Jul 31 02:45:31 rhel62 nslcd[3280]: [8b4567] failed to bind to LDAP server ldap://my-domain.com: Connect error
Jul 31 02:45:31 rhel62 nslcd[3280]: [8b4567] no available LDAP server found
```

In /var/log/slapd.log I see:

```
Jul 31 02:45:31 rhel62 slapd[3118]: slap_listener_activate(7):
Jul 31 02:45:31 rhel62 slapd[3118]: slap_listener_activate(7):
Jul 31 02:45:31 rhel62 slapd[3118]: >>> slap_listener(ldap:///)
Jul 31 02:45:31 rhel62 slapd[3118]: >>> slap_listener(ldap:///)
Jul 31 02:45:31 rhel62 slapd[3118]: conn=1010 fd=14 ACCEPT from IP=127.0.0.1:50861 (IP=0.0.0.0:389)
Jul 31 02:45:31 rhel62 slapd[3118]: conn=1010 fd=14 ACCEPT from IP=127.0.0.1:50861 (IP=0.0.0.0:389)
Jul 31 02:45:31 rhel62 slapd[3118]: connection_get(14): got connid=1010
Jul 31 02:45:31 rhel62 slapd[3118]: connection_get(14): got connid=1010
Jul 31 02:45:31 rhel62 slapd[3118]: connection_read(14): checking for input on id=1010
Jul 31 02:45:31 rhel62 slapd[3118]: connection_read(14): checking for input on id=1010
Jul 31 02:45:31 rhel62 slapd[3118]: op tag 0x77, time 1343717131
Jul 31 02:45:31 rhel62 slapd[3118]: op tag 0x77, time 1343717131
Jul 31 02:45:31 rhel62 slapd[3118]: conn=1010 op=0 do_extended
Jul 31 02:45:31 rhel62 slapd[3118]: conn=1010 op=0 do_extended
Jul 31 02:45:31 rhel62 slapd[3118]: conn=1010 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Jul 31 02:45:31 rhel62 slapd[3118]: conn=1010 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Jul 31 02:45:31 rhel62 slapd[3118]: conn=1010 op=0 STARTTLS
Jul 31 02:45:31 rhel62 slapd[3118]: conn=1010 op=0 STARTTLS
Jul 31 02:45:31 rhel62 slapd[3118]: send_ldap_extended: err=0 oid= len=0
Jul 31 02:45:31 rhel62 slapd[3118]: send_ldap_extended: err=0 oid= len=0
Jul 31 02:45:31 rhel62 slapd[3118]: send_ldap_response: msgid=1 tag=120 err=0
Jul 31 02:45:31 rhel62 slapd[3118]: send_ldap_response: msgid=1 tag=120 err=0
Jul 31 02:45:31 rhel62 slapd[3118]: conn=1010 op=0 RESULT oid= err=0 text=
Jul 31 02:45:31 rhel62 slapd[3118]: conn=1010 op=0 RESULT oid= err=0 text=
Jul 31 02:45:31 rhel62 slapd[3118]: connection_get(14): got connid=1010
Jul 31 02:45:31 rhel62 slapd[3118]: connection_get(14): got connid=1010
Jul 31 02:45:31 rhel62 slapd[3118]: connection_read(14): checking for input on id=1010
Jul 31 02:45:31 rhel62 slapd[3118]: connection_read(14): checking for input on id=1010
Jul 31 02:45:31 rhel62 slapd[3118]: connection_get(14): got connid=1010
Jul 31 02:45:31 rhel62 slapd[3118]: connection_get(14): got connid=1010
Jul 31 02:45:31 rhel62 slapd[3118]: connection_read(14): checking for input on id=1010
Jul 31 02:45:31 rhel62 slapd[3118]: connection_read(14): checking for input on id=1010
Jul 31 02:45:31 rhel62 slapd[3118]: connection_read(14): TLS accept failure error=-1 id=1010, closing
Jul 31 02:45:31 rhel62 slapd[3118]: connection_read(14): TLS accept failure error=-1 id=1010, closing
Jul 31 02:45:31 rhel62 slapd[3118]: connection_close: conn=1010 sd=14
Jul 31 02:45:31 rhel62 slapd[3118]: connection_close: conn=1010 sd=14
Jul 31 02:45:31 rhel62 slapd[3118]: conn=1010 fd=14 closed (TLS negotiation failure)
Jul 31 02:45:31 rhel62 slapd[3118]: conn=1010 fd=14 closed (TLS negotiation failure)
```

This request was evaluated by Red Hat Product Management for inclusion in the current release of Red Hat Enterprise Linux. Because the affected component is not scheduled to be updated in the current release, Red Hat is unable to address this request at this time. Red Hat invites you to ask your support representative to propose this request, if appropriate, in the next release of Red Hat Enterprise Linux.
Description of problem:
nss-pam-ldapd does not work with certificates in an NSS db. /etc/nslcd.conf is set up with `tls_cacertdir /tmp/pam_ldap-nssdb` instead of the typical `tls_cacertdir /etc/openldap/cacerts` (using openssl).

Version-Release number of selected component (if applicable):
nss-pam-ldapd-0.7.5-14

How reproducible:
always

Steps to Reproduce:
Run the script in the attachment (tls.sh from script.tar.gz) or do these steps:

1. create an nss db and put the CA certificate in it

```
mkdir /tmp/pam_ldap-nssdb && certutil -d /tmp/pam_ldap-nssdb -A -n 'CA cert' -t CT,, -a -i cacert.pem
```

2. run authconfig

```
authconfig --enableldap --enableldaptls --enableldapauth --updateall \
  --ldapbasedn dc=my-domain,dc=com --ldapserver ldap://my-domain.com
```

3. set up /etc/nslcd.conf with:

```
ssl start_tls
tls_reqcert demand
tls_cacertdir /tmp/pam_ldap-nssdb
binddn cn=Manager,dc=my-domain,dc=com
bindpw x
```

and restart nslcd:

```
service nslcd restart & sleep 5
```

4. set up pam_ldap with sslpath instead of tls_cacertdir in /etc/pam_ldap

```
sslpath /tmp/pam_ldap-nssdb
```

5. run `getent passwd ldapuser`

Actual results:
fail

Expected results:
pass with

```
ldapuser:{SSHA}A41wdK4LTqBbyqqeWxHARusxQClMYwTy:1001:1000:ldapuser:/home/ldapuser:/bin/bash
```

Additional info:
ldapsearch with the nss db and using TLS works (`ldapsearch -H ldap://my-domain.com -x -ZZ '*'`).
`getent passwd ldapuser` works after changing /etc/nslcd.conf to `tls_cacertdir /etc/openldap/cacerts/` and running `service nslcd restart`.
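When triaging a setup like the one above, the first things to pin down are what kind of directory `tls_cacertdir` actually points at (an NSS database as created by `certutil -d`, or an OpenSSL-style hashed directory like /etc/openldap/cacerts) and whether it sits somewhere unusual such as /tmp, which is what the SELinux question in the comments is about. The shell check below is an added example, not the reporter's tls.sh and not part of nss-pam-ldapd; the fixture directories, the nslcd.conf it writes and the hash-style file name `a1b2c3d4.0` are constructed sample data.

```shell
#!/bin/sh
# Added diagnostic (not from the bug report): classify the directory that an
# nslcd.conf "tls_cacertdir" directive points at and flag unusual locations.
set -eu

# Print the tls_cacertdir value from an nslcd.conf-style file (last one wins).
# Commented-out lines are skipped because their first field starts with '#'.
nslcd_cacertdir() {
    awk '$1 == "tls_cacertdir" { dir = $2 } END { print dir }' "$1"
}

# Print "nssdb" (cert8.db/cert9.db present, i.e. a certutil database),
# "openssl-hashdir" (files named <8 hex chars>.<n>, as c_rehash produces),
# "empty" (directory without either layout) or "missing".
classify_cacertdir() {
    dir=$1
    [ -d "$dir" ] || { echo missing; return 0; }
    if [ -f "$dir/cert8.db" ] || [ -f "$dir/cert9.db" ]; then
        echo nssdb
    elif ls "$dir" | grep -Eq '^[0-9a-f]{8}\.[0-9]+$'; then
        echo openssl-hashdir
    else
        echo empty
    fi
}

# Print "ok" for the usual RHEL certificate locations, "unusual-location"
# otherwise (e.g. /tmp, where the SELinux context may differ).
check_location() {
    case $1 in
        /etc/openldap/*|/etc/pki/*) echo ok ;;
        *) echo unusual-location ;;
    esac
}

# Build constructed fixtures: an NSS-db-like dir, a hashed-dir-like dir,
# an empty dir and a small nslcd.conf pointing at the NSS db. Prints the path.
make_fixture() {
    fx=$(mktemp -d)
    mkdir "$fx/nssdb" "$fx/cacerts" "$fx/empty"
    : > "$fx/nssdb/cert8.db"; : > "$fx/nssdb/key3.db"; : > "$fx/nssdb/secmod.db"
    : > "$fx/cacerts/a1b2c3d4.0"   # constructed hash-style name, not a real CA hash
    printf '# constructed sample\nssl start_tls\ntls_reqcert demand\ntls_cacertdir %s\n' \
        "$fx/nssdb" > "$fx/nslcd.conf"
    echo "$fx"
}

# Demo run on the constructed fixtures.
demo=$(make_fixture)
conf_dir=$(nslcd_cacertdir "$demo/nslcd.conf")
printf 'tls_cacertdir from nslcd.conf: %s (%s, %s)\n' \
    "$conf_dir" "$(classify_cacertdir "$conf_dir")" "$(check_location "$conf_dir")"
for d in nssdb cacerts empty nowhere; do
    printf '%-8s -> %s\n' "$d" "$(classify_cacertdir "$demo/$d")"
done
rm -rf "$demo"
```

Run it as `sh check-cacertdir.sh`; to inspect a real host, call `classify_cacertdir "$(nslcd_cacertdir /etc/nslcd.conf)"` from the same shell. The classification only looks at file names, so a directory that reports `nssdb` still needs `certutil -d <dir> -L` to confirm the CA is present with the `CT,,` trust flags used in the reproducer.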