Red Hat Bugzilla – Bug 123877
Undocumented change in default behavior preventing logins
Last modified: 2007-11-30 17:07:12 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6)
Description of problem:
nss_ldap-217-1 shipped with Fedora Linux Core 2 behaves differently
from previous versions. Such as it is, it might prevent logins to the
system, if LDAP authentication uses TLS.
The error message reported in /var/log/messages is:
pam_ldap: ldap_starttls_s: Connect error
There are these lines in /etc/ldap.conf by default:
# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
# Default is "no"
# tls_checkpeer yes
The simple change to:
fixes the problem. It was not needed in previous versions, since the
default behavior was not to check peers.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Use authconfig to configure LDAP authentication with TLS
2. Try to authenticate against LDAP directory
Actual Results: Failed login and 'pam_ldap: ldap_starttls_s: Connect
error' message in /var/log/messages .
Expected Results: Successful login.
Since it might prevent system logins on the updated machines, I will
give it a High priority.
This is a duplicate of bug # 122129.
Fedora Core 2 is now maintained by the Fedora Legacy project for
security updates only. If this problem is a security issue, please
reopen and reassign to the Fedora Legacy product. If it is not a
security issue and hasn't been resolved in the current FC3 updates or
in the FC4 test release, reopen and change the version to match.
This also affects RHEL 4.
moving to RHEL4 as per comment #3 -- more likely to get addressed there.
Current authconfig in RHEL4 has a new functionality to create a directory where
you can put the appropriate CA certificate which signed your LDAP server's
Note that it is unwise to put 'tls_checkpeer no' to the config file - you could
then disable tls completely because a man in the middle attack is easy when you
don't check the server's certificate.
*** Bug 122129 has been marked as a duplicate of this bug. ***
I agree that using 'tls_checkpeer no' is unwise. But the problem is not in
that. The problem is in the misleading comment in the /etc/ldap.conf file. The
comment says that the default parameter for tls_checkpeer is 'no', when it is in
fact 'yes'. This can (and did) result in a lot of confusion of why things don't
I am NOT suggesting to change the default behavior. I am suggesting to change
the comment in the file.
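The thread's point is that a commented-out `# tls_checkpeer yes` line reads as documentation of the default while the real nss_ldap-217 default is `yes`, so administrators either get the StartTLS connect error or "fix" it with `tls_checkpeer no` and lose server authentication. The following is an added example, not code from the bug report or from nss_ldap: a small offline audit of an ldap.conf file that reports the effective `tls_checkpeer` value, flags commented-out copies of the directive, and warns on the two failure modes discussed above. The three sample configurations are constructed for the example; the `tls_cacertdir /etc/openldap/cacerts` path and `ldap.example.com` are assumptions, not values from the page.

```python
"""Audit an nss_ldap/pam_ldap style /etc/ldap.conf for tls_checkpeer.

Added example; not part of the Red Hat bug report or of nss_ldap itself.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Per the bug report, nss_ldap-217 verifies the server certificate unless
# told otherwise, even though the shipped comment says the default is "no".
DEFAULT_TLS_CHECKPEER = "yes"

# Constructed sample: the file as described in the report (directive commented out).
SHIPPED_CONF = """\
# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
# Default is "no"
# tls_checkpeer yes
host ldap.example.com
base dc=example,dc=com
ssl start_tls
"""

# Constructed sample: the unwise workaround warned against in comment 5.
WEAK_CONF = SHIPPED_CONF + "tls_checkpeer no\n"

# Constructed sample: explicit verification plus a CA directory (path assumed).
FIXED_CONF = SHIPPED_CONF + "tls_checkpeer yes\ntls_cacertdir /etc/openldap/cacerts\n"


@dataclass
class LdapConfAudit:
    effective_checkpeer: str          # "yes" or "no" after applying the default
    explicit: bool                    # True if tls_checkpeer is set uncommented
    commented_out: List[str] = field(default_factory=list)   # misleading '#' lines
    ca_settings: Dict[str, str] = field(default_factory=dict)
    warnings: List[str] = field(default_factory=list)


def parse_ldap_conf(text: str) -> Dict[str, str]:
    """Return the active settings: one 'key value' per line, '#' starts a
    comment, keys are case-insensitive, later lines override earlier ones."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        settings[key] = parts[1].strip() if len(parts) > 1 else ""
    return settings


def commented_directives(text: str, key: str) -> List[str]:
    """Lines where `key` appears only behind a '#', i.e. looks like a setting
    but has no effect.  This is the confusing case from the bug."""
    hits = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("#"):
            continue
        body = line.lstrip("#").strip().lower()
        if body == key or body.startswith(key + " "):
            hits.append(line)
    return hits


def audit(text: str) -> LdapConfAudit:
    settings = parse_ldap_conf(text)
    explicit = "tls_checkpeer" in settings
    value = settings.get("tls_checkpeer", DEFAULT_TLS_CHECKPEER).lower()
    result = LdapConfAudit(value, explicit, commented_directives(text, "tls_checkpeer"))
    for key in ("tls_cacertfile", "tls_cacertdir"):
        if key in settings:
            result.ca_settings[key] = settings[key]
    if value == "no":
        result.warnings.append(
            "tls_checkpeer no: server certificate is not verified, so StartTLS "
            "does not protect against a man-in-the-middle")
    elif not result.ca_settings:
        result.warnings.append(
            "tls_checkpeer is yes (explicitly or by default) but no tls_cacertfile/"
            "tls_cacertdir is set; expect 'ldap_starttls_s: Connect error' unless "
            "the server certificate is trusted by the default CA store")
    return result


if __name__ == "__main__":
    for name, conf in (("shipped", SHIPPED_CONF), ("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print(name, audit(conf))
```

Running the block prints one audit per sample: the shipped file reports an effective `yes` that is not explicit, with the commented-out directive listed; the weak file gets the man-in-the-middle warning; the fixed file has no warnings. The check only reads the file, so it is safe to point at a live `/etc/ldap.conf` before and after an update.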