From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040211 Firefox/0.8

Description of problem:
nss_ldap-217-1 shipped with Fedora Linux Core 2 behaves differently from previous versions. Such as it is, it might prevent logins to the system if LDAP authentication uses TLS. The error message reported in /var/log/messages is:

pam_ldap: ldap_starttls_s: Connect error

There are these lines in /etc/ldap.conf by default:

# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
# Default is "no"
# tls_checkpeer yes

The simple change to:

tls_checkpeer no

fixes the problem. It was not needed in previous versions, since the default behavior was not to check peers.

Version-Release number of selected component (if applicable):
nss_ldap-217-1

How reproducible:
Always

Steps to Reproduce:
1. Use authconfig to configure LDAP authentication with TLS
2. Try to authenticate against the LDAP directory

Actual Results: Failed login and 'pam_ldap: ldap_starttls_s: Connect error' message in /var/log/messages.

Expected Results: Successful login.

Additional info:
Since it might prevent system logins on the updated machines, I will give it a High priority.
This is a duplicate of bug # 122129.
Fedora Core 2 is now maintained by the Fedora Legacy project for security updates only. If this problem is a security issue, please reopen and reassign to the Fedora Legacy product. If it is not a security issue and hasn't been resolved in the current FC3 updates or in the FC4 test release, reopen and change the version to match.
This also affects RHEL 4.
Moving to RHEL4 as per comment #3 -- more likely to get addressed there.
Current authconfig in RHEL4 has new functionality to create a directory where you can put the appropriate CA certificate which signed your LDAP server's certificate. Note that it is unwise to put 'tls_checkpeer no' into the config file - you could then disable TLS completely, because a man-in-the-middle attack is easy when you don't check the server's certificate.
*** Bug 122129 has been marked as a duplicate of this bug. ***
I agree that using 'tls_checkpeer no' is unwise. But the problem is not in that. The problem is in the misleading comment in the /etc/ldap.conf file. The comment says that the default parameter for tls_checkpeer is 'no', when it is in fact 'yes'. This can (and did) result in a lot of confusion about why things don't work. I am NOT suggesting changing the default behavior. I am suggesting changing the comment in the file.
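The three states discussed in comments 6 and 8 (the shipped file whose effective default is 'yes' with no CA trusted, the weak 'tls_checkpeer no' workaround, and a verifying setup with a CA directory) can be told apart by a small check over /etc/ldap.conf. This is an added example, not code from the bug report or from nss_ldap; the sample configs are constructed, the CA directory path is a placeholder, and the option names tls_cacertdir/tls_cacertfile are assumed from the nss_ldap ldap.conf format rather than taken from this page.

```python
# Constructed sample configs (not taken from any real system).
CONF_SHIPPED = """# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
# Default is "no"
# tls_checkpeer yes
"""
# The workaround from the report: disables certificate verification.
CONF_WEAK = CONF_SHIPPED + "tls_checkpeer no\n"
# Verification kept on, plus a trusted CA directory (placeholder path;
# option name tls_cacertdir is assumed, not quoted from the page).
CONF_FIXED = CONF_SHIPPED + "tls_checkpeer yes\ntls_cacertdir /PLACEHOLDER/cacerts\n"


def parse_ldap_conf(text):
    """Return {option: value} for active lines only; commented lines are ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        settings[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return settings


def assess_tls(text):
    """Classify the TLS posture of an ldap.conf body.

    'unverified': tls_checkpeer no -> server certificate never checked (MITM risk).
    'no-ca':      verification on (the effective default in nss_ldap-217,
                  despite the file comment) but no CA trusted -> StartTLS
                  fails, which is the 'Connect error' login failure reported.
    'verified':   verification on and a CA source configured.
    """
    settings = parse_ldap_conf(text)
    # Per this bug, the real default is "yes" even though the comment says "no".
    checkpeer = settings.get("tls_checkpeer", "yes").lower()
    if checkpeer == "no":
        return "unverified"
    has_ca = "tls_cacertdir" in settings or "tls_cacertfile" in settings
    return "verified" if has_ca else "no-ca"


if __name__ == "__main__":
    for name, conf in (("shipped", CONF_SHIPPED), ("weak", CONF_WEAK), ("fixed", CONF_FIXED)):
        print(f"{name}: {assess_tls(conf)}")
```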