Bug 854084
| Summary: | useradd has long delays when ldap is configured; name_connect system_u:object_r:ldap_port_t:s0 | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Wendell Baker <wendellcraigbaker> |
| Component: | shadow-utils | Assignee: | Tomas Mraz <tmraz> |
| Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 16 | CC: | mgrepl, pvrabec, tmraz |
| Target Milestone: | --- | Keywords: | SELinux |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2012-09-04 10:35:27 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |

And the alert tells you what to do.

#This avc can be allowed using one of the these booleans:
# authlogin_nsswitch_use_ldap, allow_ypbind

If you execute in your terminal

# setsebool -P authlogin_nsswitch_use_ldap 1

will allow it.

Created attachment 609499
sealert explaining that useradd cannot connect to the ldap port

Description of problem:
ldap is configured
useradd appears to "hang", but merely takes a very long time before giving up

Version-Release number of selected component (if applicable):
shadow-utils-4.1.4.3-13.fc16.i686
selinux-policy-3.10.0-91.fc16.noarch

How reproducible:
very

Steps to Reproduce:
1. set up ldap, on the current host
2. sudo groupadd -g 999 anyname
3. sudo useradd -g anyname anyname
4. wait five minutes
5. done (tail /etc/passwd)

Actual results:
after a delay of ~5 min the user is created.

Expected results:
the local user 'anyname' should be created quickly or disapproved quickly.

Additional info:
tcpdump shows that no traffic is occurring to port ldap (389) or ldaps (636)
/var/log/messages indicates selinux issues

ges. run sealert -l b8f9d9a8-7721-4595-9566-3daabe995c49
Sep 3 18:16:38 wrinklie setroubleshoot: SELinux is preventing /usr/sbin/useradd from name_connect access on the tcp_socket . For complete SELinux messages. run sealert -l b8f9d9a8-7721-4595-9566-3daabe995c49
Sep 3 18:16:38 wrinklie setroubleshoot: SELinux is preventing /usr/sbin/useradd from name_connect access on the tcp_socket . For complete SELinux messages. run sealert -l b8f9d9a8-7721-4595-9566-3daabe995c49
Sep 3 18:16:42 wrinklie setroubleshoot: SELinux is preventing /usr/sbin/useradd from name_connect access on the tcp_socket . For complete SELinux messages. run sealert -l b8f9d9a8-7721-4595-9566-3daabe995c49
Sep 3 18:16:50 wrinklie setroubleshoot: SELinux is preventing /usr/sbin/useradd from name_connect access on the tcp_socket . For complete SELinux messages. run sealert -l b8f9d9a8-7721-4595-9566-3daabe995c49
Sep 3 18:17:06 wrinklie setroubleshoot: SELinux is preventing /usr/sbin/useradd from name_connect access on the tcp_socket . For complete SELinux messages. run sealert -l b8f9d9a8-7721-4595-9566-3daabe995c49

The sealert output is included nearby.

Related issues which don't quite seem relevant are (were)
466794 useradd -r loops when talking to ldap server CLOSED WONTFIX
511813 useradd -r loops when talking to ldap server CLOSED ERRATA
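
Added example, not part of the original report or of any Fedora tool: a small shell/awk filter that groups setroubleshoot lines like the ones quoted above by executable, permission and object class, and reports how many denials occurred and how many seconds apart they were. The function names and the one unrelated log line are constructed for illustration; the setroubleshoot lines are the reporter's.

```shell
#!/bin/sh
# Added example: summarise setroubleshoot denials from syslog lines on stdin.
# Assumes the classic "Mon D HH:MM:SS host setroubleshoot: ..." layout
# shown in the report.
summarize_denials() {
    awk '
    $5 == "setroubleshoot:" && $8 == "preventing" && $10 == "from" {
        split($3, t, ":")
        now = t[1] * 3600 + t[2] * 60 + t[3]
        key = $9 " " $11 " " $15          # executable, permission, class
        if (key in count) {
            d = now - last[key]
            if (d < 0) d += 86400         # log excerpt crossed midnight
            gaps[key] = gaps[key] (gaps[key] == "" ? "" : ",") d
        } else {
            order[++n] = key
        }
        count[key]++
        last[key] = now
        if ($(NF - 1) == "-l") alert[key] = $NF   # id to pass to sealert -l
    }
    END {
        for (i = 1; i <= n; i++) {
            k = order[i]
            printf "%s count=%d gaps=%s alert=%s\n", k, count[k], gaps[k], alert[k]
        }
    }'
}

# Sample input: the five complete lines from the report plus one
# constructed unrelated line that the filter must ignore.
sample_log() {
    cat <<'EOF'
Sep 3 18:16:38 wrinklie setroubleshoot: SELinux is preventing /usr/sbin/useradd from name_connect access on the tcp_socket . For complete SELinux messages. run sealert -l b8f9d9a8-7721-4595-9566-3daabe995c49
Sep 3 18:16:38 wrinklie setroubleshoot: SELinux is preventing /usr/sbin/useradd from name_connect access on the tcp_socket . For complete SELinux messages. run sealert -l b8f9d9a8-7721-4595-9566-3daabe995c49
Sep 3 18:16:40 wrinklie kernel: constructed unrelated line
Sep 3 18:16:42 wrinklie setroubleshoot: SELinux is preventing /usr/sbin/useradd from name_connect access on the tcp_socket . For complete SELinux messages. run sealert -l b8f9d9a8-7721-4595-9566-3daabe995c49
Sep 3 18:16:50 wrinklie setroubleshoot: SELinux is preventing /usr/sbin/useradd from name_connect access on the tcp_socket . For complete SELinux messages. run sealert -l b8f9d9a8-7721-4595-9566-3daabe995c49
Sep 3 18:17:06 wrinklie setroubleshoot: SELinux is preventing /usr/sbin/useradd from name_connect access on the tcp_socket . For complete SELinux messages. run sealert -l b8f9d9a8-7721-4595-9566-3daabe995c49
EOF
}

sample_log | summarize_denials
```

On a live system the same function can be fed the real log, for example `summarize_denials < /var/log/messages`, and the reported alert id passed to `sealert -l`.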