Bug 123877 - Undocumented change in default behavior preventing logins
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: nss_ldap
Hardware: All
OS: Linux
Priority: medium
Severity: high
Assigned To: Nalin Dahyabhai
Duplicates: 122129
Reported: 2004-05-21 04:41 EDT by Leonid Mamtchenkov
Modified: 2007-11-30 17:07 EST
Fixed In Version: authconfig-4.6.10-rhel4.1
Doc Type: Bug Fix
Last Closed: 2005-09-12 12:44:10 EDT
Description Leonid Mamtchenkov 2004-05-21 04:41:44 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6)
Gecko/20040211 Firefox/0.8

Description of problem:
nss_ldap-217-1 shipped with Fedora Linux Core 2 behaves differently
from previous versions.  Such as it is, it might prevent logins to the
system, if LDAP authentication uses TLS.

The error message reported in /var/log/messages is:
pam_ldap: ldap_starttls_s: Connect error

There are these lines in /etc/ldap.conf by default:

# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
# Default is "no"
# tls_checkpeer yes

The simple change to:

tls_checkpeer no

fixes the problem.  It was not needed in previous versions, since the
default behavior was not to check peers.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Use authconfig to configure LDAP authentication with TLS
2. Try to authenticate against LDAP directory

Actual Results:  Failed login and 'pam_ldap: ldap_starttls_s: Connect
error' message in /var/log/messages .

Expected Results:  Successful login.

Additional info:

Since it might prevent system logins on the updated machines, I will
give it a High priority.
Comment 1 Matthew West 2004-06-12 23:14:37 EDT
This is a duplicate of bug # 122129.
Comment 2 Matthew Miller 2005-04-26 12:13:26 EDT
Fedora Core 2 is now maintained by the Fedora Legacy project for
security updates only. If this problem is a security issue, please
reopen and reassign to the Fedora Legacy product. If it is not a
security issue and hasn't been resolved in the current FC3 updates or
in the FC4 test release, reopen and change the version to match.
Comment 3 Richard Bullington-McGuire 2005-08-01 15:58:42 EDT
This also affects RHEL 4.
Comment 4 Matthew Miller 2005-08-01 16:08:29 EDT
moving to RHEL4 as per comment #3 -- more likely to get addressed there.
Comment 5 Tomas Mraz 2005-09-12 12:44:10 EDT
Current authconfig in RHEL4 has a new functionality to create a directory where
you can put the appropriate CA certificate which signed your LDAP server's

Note that it is unwise to put 'tls_checkpeer no' to the config file - you could
then disable tls completely because a man in the middle attack is easy when you
don't check the server's certificate.
Comment 6 Tomas Mraz 2005-09-12 12:48:51 EDT
*** Bug 122129 has been marked as a duplicate of this bug. ***
Comment 7 Leonid Mamtchenkov 2005-09-24 04:39:47 EDT
I agree that using 'tls_checkpeer no' is unwise.  But the problem is not in
that.  The problem is in the misleading comment in the /etc/ldap.conf file.  The
comment says that the default parameter for tls_checkpeer is 'no', when it is in
fact 'yes'.  This can (and did) result in a lot of confusion of why things don't

I am NOT suggesting to change the default behavior.  I am suggesting to change
the comment in the file.
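As an added example, not from this bug report nor from nss_ldap or authconfig itself: a small Python check over an ldap.conf in the pam_ldap/nss_ldap format that flags the two states this thread discusses, peer checking explicitly disabled (the quick fix comment 5 warns against) and peer checking on with no CA certificate configured (the state that produces the Connect error). It assumes the option names tls_checkpeer, tls_cacertfile, tls_cacertdir, ssl and uri in "key value" form with '#' comments; the sample configs are constructed.

```python
# Added example (not part of the bug report): audit an ldap.conf for the
# TLS peer-verification problem discussed in the thread.
# Assumed format: "key value" lines, full-line '#' comments.

# Constructed sample: the quick fix that silences the error but leaves the
# client accepting any server certificate.
SAMPLE_BAD = """\
# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
# Default is "no"
tls_checkpeer no
ssl start_tls
uri ldap://ldap.example.internal/
"""

# Constructed sample: verification on, with a CA file to verify against.
SAMPLE_GOOD = """\
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/openldap/cacerts/ca.crt
"""

def parse_ldap_conf(text):
    """Return {option: value} for active lines; a repeated option's last value wins."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf

def audit_tls(conf):
    """List findings about server-certificate checking in a parsed ldap.conf."""
    findings = []
    uses_tls = (conf.get("ssl", "").lower() in ("start_tls", "on", "yes")
                or conf.get("uri", "").startswith("ldaps://"))
    # nss_ldap 217 verifies the peer unless told not to (the thread's point),
    # so a missing tls_checkpeer is treated as "yes".
    checkpeer = conf.get("tls_checkpeer", "yes").lower() != "no"
    has_ca = bool(conf.get("tls_cacertfile") or conf.get("tls_cacertdir"))
    if uses_tls and not checkpeer:
        findings.append("tls_checkpeer no: server certificate is not verified, "
                        "so TLS gives no protection against an impersonated server")
    if uses_tls and checkpeer and not has_ca:
        findings.append("peer checking is on but no tls_cacertfile/tls_cacertdir is set; "
                        "expect 'ldap_starttls_s: Connect error' until the CA cert is installed")
    return findings
```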
