From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4) Gecko/20030624

Description of problem:
Why split ldap.conf into pam-ldap.conf and nss-ldap.conf:

When using pam_ldap for authentication, most servers are configured to accept only TLS/SSL connections when doing a non-anonymous bind. This is, of course, because sending cleartext passwords is a bad idea. Usually the LDAP server is configured to reject such bind attempts, and so it should. Therefore you'll set "ssl start_tls" or use "uri ldaps://127.0.0.1/" or something similar.

The problem with the 'nss_ldap' package on Red Hat is that it contains both pam_ldap and nss_ldap, and just one config file. When replacing e.g. NIS with LDAP, you need nss_ldap for the other name-service information. This works just fine, but these searches are also encrypted. Encrypting every connection to the LDAP server is overkill, to say the least. It generates both extra waiting and load on the server.

/etc/ldap.conf is also a default config file for other LDAP-based software. It is read by libldap (OpenLDAP) to determine things like extra certificates and such. If you tweak ldap.conf with, say, "base cn=NIS,dc=redhat,dc=com" because you only want to search through relevant information when using {pam|nss}_ldap, other programs could fail. Setting a special base for {pam|nss}_ldap is optional, but often reduces the load on the server (depends on what other info is stored on the server). Optimally you want to use "pam_ldap_base cn=users,cn=NIS,dc=redhat,dc=com" and "nss_ldap_base cn=NIS,dc=redhat,dc=com".

The main problem is either full encryption or no encryption at all.

Version-Release number of selected component (if applicable):
nss_ldap-202-5
*** Bug 103569 has been marked as a duplicate of this bug. ***
Red Hat apologizes that these issues have not been resolved yet. We do want to make sure that no important bugs slip through the cracks.

Red Hat Linux 7.3 and Red Hat Linux 9 are no longer supported by Red Hat, Inc. They are maintained by the Fedora Legacy project (http://www.fedoralegacy.org/) for security updates only. If this is a security issue, please reassign to the 'Fedora Legacy' product in bugzilla. Please note that Legacy security update support for these products will stop on December 31st, 2006.

If this is not a security issue, please check if this issue is still present in a current Fedora Core release. If so, please change the product and version to match, and check the box indicating that the requested information has been provided.

If you are currently still running Red Hat Linux 7.3 or 9, please note that Fedora Legacy security update support for these products will stop on December 31st, 2006. You are strongly advised to upgrade to a current Fedora Core release or Red Hat Enterprise Linux or comparable. Some information on which option may be right for you is available at http://www.redhat.com/rhel/migrate/redhatlinux/.

Any bug still open against Red Hat Linux 7.3 or 9 at the end of 2006 will be closed 'CANTFIX'. Again, if this bug still exists in a current release, or is a security issue, please change the product as necessary.

We thank you for your help, and apologize again that we haven't handled these issues to this point.
I've updated this bug to Red Hat Enterprise Linux 4, since it persists in the latest nss_ldap release. A work-around exists: One can specify 'config=/path/to/ldap.conf' for pam_ldap.so, but I still think that this is a clumsy and unnecessary approach. Clients that need LDAP for both authentication and authorisation need a split configuration. Other distributions, e.g. Debian, use different configuration files for PAM and NSS. I think RHEL should too.
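The split configuration the original report asks for, together with the pam_ldap.so config= work-around mentioned in the previous comment, as an added example that is not part of the bug thread and not code shipped by nss_ldap or pam_ldap. The host name ldap.example.com, the file names, the proxy bind DN and its password, and the PAM stanza are assumptions for illustration (the cn=NIS,dc=redhat,dc=com suffix is borrowed from the report); the audit functions are the editor's own and only inspect ldap.conf-style directives.

```shell
#!/bin/sh
# Added example, not from the bug report or the nss_ldap/pam_ldap packages.
# Writes a split configuration into a scratch directory (TLS only where a
# password travels over the wire), a PAM stanza using the config= work-around,
# and a single shared file that binds with a password in cleartext. Then it
# audits each file. Host, file names, DNs and the password are assumptions.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# pam_ldap: binds as the user with the user's password, so TLS is mandatory.
cat >"$WORK/pam_ldap.conf" <<'EOF'
uri ldap://ldap.example.com/
base cn=users,cn=NIS,dc=redhat,dc=com
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/openldap/cacerts/ca.pem
EOF

# nss_ldap: anonymous passwd/group lookups, no secret on the wire, no TLS.
cat >"$WORK/nss_ldap.conf" <<'EOF'
uri ldap://ldap.example.com/
base cn=NIS,dc=redhat,dc=com
nss_base_passwd cn=users,cn=NIS,dc=redhat,dc=com?one
nss_base_group  cn=groups,cn=NIS,dc=redhat,dc=com?one
EOF

# One shared file with a proxy bind password and no TLS at all: the
# "no encryption" half of the dilemma the report describes.
cat >"$WORK/ldap_shared_cleartext.conf" <<'EOF'
uri ldap://ldap.example.com/
base cn=NIS,dc=redhat,dc=com
binddn cn=proxy,cn=NIS,dc=redhat,dc=com
bindpw s3cret
EOF

# PAM stanza pointing pam_ldap.so at its own file via config= (assumed layout).
cat >"$WORK/pam.d-system-auth.fragment" <<EOF
auth     sufficient  pam_ldap.so use_first_pass config=$WORK/pam_ldap.conf
account  sufficient  pam_ldap.so config=$WORK/pam_ldap.conf
password sufficient  pam_ldap.so use_authtok config=$WORK/pam_ldap.conf
EOF

# Exit 0 if the file turns on TLS: "ssl start_tls", "ssl on", or an ldaps://
# URI. Anchoring at line start (after optional blanks) skips commented lines.
has_tls() {
    grep -qiE '^[[:space:]]*ssl[[:space:]]+(start_tls|on)([[:space:]]|$)' "$1" ||
    grep -qiE '^[[:space:]]*uri[[:space:]]+.*ldaps://' "$1"
}

# Exit 0 if the file carries a bind password (bindpw, or rootbinddn whose
# password is read from ldap.secret), i.e. something that must be encrypted.
has_password_bind() {
    grep -qiE '^[[:space:]]*(bindpw|rootbinddn)[[:space:]]' "$1"
}

# Exit 0 if a password bind is configured but nothing encrypts the connection.
cleartext_password_bind() {
    has_password_bind "$1" && ! has_tls "$1"
}

# One-line verdict per file.
audit() {
    if cleartext_password_bind "$1"; then
        echo "WARN $1: bind password sent without TLS"
    elif has_tls "$1"; then
        echo "OK   $1: TLS enabled"
    else
        echo "OK   $1: anonymous, no TLS (fine for public name-service data)"
    fi
}

for f in "$WORK/pam_ldap.conf" "$WORK/nss_ldap.conf" "$WORK/ldap_shared_cleartext.conf"; do
    audit "$f"
done
```

The audit only sees directives, so it cannot know that pam_ldap will bind with the user's password even when no bindpw line is present; the PAM file therefore has to be checked with has_tls directly rather than relying on cleartext_password_bind. The nss_ldap file deliberately has no TLS, which is the reporter's point: anonymous name-service searches carry nothing worth encrypting, while any file that a password passes through must.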
We're not going to change this in an update -- it'll have to be done on the development stream so that it takes effect during a major version upgrade. Marking #553857 as a blocker for this, as it falls out of splitting the two into separate packages, which is what we're doing there. Marking as deferred to that future release.