Bug 123877 - Undocumented change in default behavior preventing logins
Summary: Undocumented change in default behavior preventing logins
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: nss_ldap
Version: 4.0
Hardware: All
OS: Linux
Priority: medium
Severity: high
Target Milestone: ---
Target Release: ---
Assignee: Nalin Dahyabhai
QA Contact:
URL:
Whiteboard:
Duplicates: 122129 (view as bug list)
Depends On:
Blocks:
 
Reported: 2004-05-21 08:41 UTC by Leonid Mamtchenkov
Modified: 2007-11-30 22:07 UTC

Fixed In Version: authconfig-4.6.10-rhel4.1
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-09-12 16:44:10 UTC
Target Upstream Version:
Embargoed:



Description Leonid Mamtchenkov 2004-05-21 08:41:44 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040211 Firefox/0.8

Description of problem:
nss_ldap-217-1 shipped with Fedora Linux Core 2 behaves differently
from previous versions.  Such as it is, it might prevent logins to the
system, if LDAP authentication uses TLS.

The error message reported in /var/log/messages is:
pam_ldap: ldap_starttls_s: Connect error

There are these lines in /etc/ldap.conf by default:

# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
# Default is "no"
# tls_checkpeer yes

The simple change to:

tls_checkpeer no

fixes the problem.  It was not needed in previous versions, since the
default behavior was not to check peers.

Version-Release number of selected component (if applicable):
nss_ldap-217-1

How reproducible:
Always

Steps to Reproduce:
1. Use authconfig to configure LDAP authentication with TLS
2. Try to authenticate against the LDAP directory

Actual Results:  Failed login and 'pam_ldap: ldap_starttls_s: Connect
error' message in /var/log/messages .

Expected Results:  Successful login.

Additional info:

Since it might prevent system logins on the updated machines, I will
give it a High priority.

Comment 1 Matthew West 2004-06-13 03:14:37 UTC
This is a duplicate of bug # 122129.

Comment 2 Matthew Miller 2005-04-26 16:13:26 UTC
Fedora Core 2 is now maintained by the Fedora Legacy project for
security updates only. If this problem is a security issue, please
reopen and reassign to the Fedora Legacy product. If it is not a
security issue and hasn't been resolved in the current FC3 updates or
in the FC4 test release, reopen and change the version to match.

Comment 3 Richard Bullington-McGuire 2005-08-01 19:58:42 UTC
This also affects RHEL 4.

Comment 4 Matthew Miller 2005-08-01 20:08:29 UTC
moving to RHEL4 as per comment #3 -- more likely to get addressed there.

Comment 5 Tomas Mraz 2005-09-12 16:44:10 UTC
Current authconfig in RHEL4 has a new functionality to create a directory where
you can put the appropriate CA certificate which signed your LDAP server's
certificate.

Note that it is unwise to put 'tls_checkpeer no' in the config file - you could
then disable TLS completely, because a man-in-the-middle attack is easy when you
don't check the server's certificate.

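The two configurations discussed in this bug (the reporter's 'tls_checkpeer no' workaround in the description, and the 'tls_checkpeer yes' plus CA-certificate directory that comment 5 describes authconfig setting up) can be told apart mechanically. The audit helper below is an added example and is not part of this bug report, nss_ldap or authconfig. It assumes, as the report found for nss_ldap-217, that an absent tls_checkpeer behaves as "yes"; that a later occurrence of a key in ldap.conf overrides an earlier one; that /etc/openldap/cacerts is the CA directory (the path is illustrative); and that files in tls_cacertdir must carry OpenSSL subject-hash names (such as a1b2c3d4.0) to be found at all. The three sample configurations are constructed for the example.

```python
"""Audit an nss_ldap/pam_ldap /etc/ldap.conf for its TLS peer-verification
posture.  Added example, not code from the bug report, nss_ldap or authconfig.
Assumptions (see lead-in): unset tls_checkpeer == "yes", last key wins,
tls_cacertdir entries are expected under OpenSSL hash names."""
import re

# OpenSSL subject-hash file name as produced by c_rehash / 'openssl x509 -hash':
# eight hex digits, a dot, a sequence number (e.g. a1b2c3d4.0).
HASHED_NAME = re.compile(r"^[0-9a-f]{8}\.\d+$")


def parse_ldap_conf(text):
    """Return {option: value} from ldap.conf text.  Keys are lower-cased,
    blank lines and '#' comments are skipped, a later key overrides an
    earlier one (assumption)."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        opts[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return opts


def uses_tls(opts):
    """True when the client negotiates TLS: 'ssl start_tls', 'ssl on'
    (ldaps), or an ldaps:// URI."""
    ssl = opts.get("ssl", "").lower()
    uri = opts.get("uri", "").lower()
    return ssl in ("start_tls", "on", "yes") or uri.startswith("ldaps://")


def audit_tls(text, checkpeer_default="yes"):
    """Return the effective TLS settings plus a list of (severity, message)
    findings.  checkpeer_default is what the client assumes when
    tls_checkpeer is absent: the shipped comment claimed "no", but
    nss_ldap-217 behaved as "yes", which is why logins broke."""
    opts = parse_ldap_conf(text)
    checkpeer = opts.get("tls_checkpeer", checkpeer_default).lower()
    ca_dir = opts.get("tls_cacertdir")
    ca_file = opts.get("tls_cacertfile")
    findings = []
    if not uses_tls(opts):
        findings.append(("high", "no TLS configured: passwords cross the wire in clear text"))
    elif checkpeer == "no":
        findings.append(("high", "tls_checkpeer no: the server certificate is never verified, "
                                 "so a man-in-the-middle can impersonate the directory"))
    elif not (ca_dir or ca_file):
        findings.append(("medium", "tls_checkpeer yes but no tls_cacertdir/tls_cacertfile: "
                                   "verification fails (ldap_starttls_s: Connect error) unless "
                                   "the CA is reachable through the system OpenLDAP TLS_CACERT"))
    return {"tls": uses_tls(opts), "tls_checkpeer": checkpeer,
            "tls_cacertdir": ca_dir, "tls_cacertfile": ca_file,
            "findings": findings}


def cacertdir_is_usable(file_names):
    """OpenLDAP looks CA certificates up in tls_cacertdir by subject hash, so
    a directory holding only 'ca.crt' is silently useless.  True when at
    least one hash-named entry is present."""
    return any(HASHED_NAME.match(name) for name in file_names)


# Constructed sample configurations (not taken from any real host).
SHIPPED_DEFAULT = """\
# As shipped: TLS on, peer check commented out, no CA directory
host ldap.example.com
base dc=example,dc=com
ssl start_tls
# tls_checkpeer yes
"""

WEAK_WORKAROUND = SHIPPED_DEFAULT + "tls_checkpeer no\n"

HARDENED = SHIPPED_DEFAULT + "tls_checkpeer yes\ntls_cacertdir /etc/openldap/cacerts\n"

if __name__ == "__main__":
    for name, conf in (("shipped default", SHIPPED_DEFAULT),
                       ("tls_checkpeer no workaround", WEAK_WORKAROUND),
                       ("hardened", HARDENED)):
        print(name + ":", audit_tls(conf)["findings"] or "OK")
    print("cacerts dir usable:", cacertdir_is_usable(["ca.crt"]),
          cacertdir_is_usable(["ca.crt", "a1b2c3d4.0"]))
```

The shipped default is reported as a medium finding rather than a failure: the login breakage it causes is loud, whereas 'tls_checkpeer no' fails open and stays invisible until someone sits between the client and the directory. After dropping the CA certificate into the directory, confirm it is actually discoverable by checking for a hash-named entry, since OpenLDAP will not read a plain ca.crt from tls_cacertdir.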

Comment 6 Tomas Mraz 2005-09-12 16:48:51 UTC
*** Bug 122129 has been marked as a duplicate of this bug. ***

Comment 7 Leonid Mamtchenkov 2005-09-24 08:39:47 UTC
I agree that using 'tls_checkpeer no' is unwise.  But the problem is not in
that.  The problem is in the misleading comment in the /etc/ldap.conf file.  The
comment says that the default parameter for tls_checkpeer is 'no', when it is in
fact 'yes'.  This can (and did) result in a lot of confusion of why things don't
work.

I am NOT suggesting to change the default behavior.  I am suggesting to change
the comment in the file.

