Red Hat Bugzilla – Bug 135228
pam_ldap does not work without "host" entry in ldap.conf
Last modified: 2008-08-02 19:40:33 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040113
Description of problem:
The version of pam_ldap included with nss_ldap-217-1 has been patched
to misinterpret the ldap.conf file.
If no "host" entry has been specified in ldap.conf, pam_ldap tries to
do a DNS SRV lookup of the LDAP service. If this cannot be found,
However, this breaks down if one uses a LDAP-URI using the "uri"
configuration option in ldap.conf and no "host" option.
Unfortunately, the module fails silently without indicating the problem
(a syslog message would have been helpful, so the patch is incomplete).
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Use no "host" line in ldap.conf, only uri
2. Try to authenticate via pam_ldap when not having a SRV entry in DNS
3. Authentication will fail
Actual Results: Authentication fails, or even worse (if SRV Entry
exists in DNS but points to wrong DNS server): authentication against
wrong server and thus possibly a security problem. (somebody feeling
like sending this to bugtraq ;-) )
Expected Results: Authentication should succeed against the server
named in the "uri" config line.
This affects x86_64 too.
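An added example, not code from the bug report or from nss_ldap/pam_ldap: a small checker that parses an ldap.conf, reports whether it relies on "uri" alone (the case the report says triggers the DNS SRV fallback), and extracts the hostnames from the "uri" line so an administrator can see which servers an explicit "host" line would have to name. The sample configuration text is constructed; the keyword syntax (one "keyword value" per line, "#" comments) is the ordinary ldap.conf format. Treating an explicit "host" line as the way to avoid the fallback is an inference from the description above, not a documented recommendation.

```python
"""Constructed example: audit an ldap.conf for the host/uri combination described in the bug."""
from urllib.parse import urlsplit

# Constructed sample: a uri-only configuration, i.e. the reporter's setup.
SAMPLE_URI_ONLY = """\
# constructed sample ldap.conf
uri ldap://ldap1.example.com ldaps://ldap2.example.com:636/
base dc=example,dc=com
ssl start_tls
"""


def parse_ldap_conf(text):
    """Return {keyword (lowercased): [values...]} from ldap.conf text.

    Blank lines and '#' comments are skipped; a keyword may repeat.
    """
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        entries.setdefault(key, []).append(value)
    return entries


def hosts_from_uri(uri_value):
    """Extract hostnames from a space-separated list of ldap:// or ldaps:// URIs.

    ldapi:// (Unix socket) URIs carry no hostname and are ignored.
    """
    hosts = []
    for uri in uri_value.split():
        parts = urlsplit(uri)
        if parts.scheme in ("ldap", "ldaps") and parts.hostname:
            hosts.append(parts.hostname)
    return hosts


def assess(entries):
    """Classify the server configuration.

    'host'     : an explicit host line exists, no SRV fallback expected
    'uri-only' : only uri is set; the patched module described above would
                 fall back to a DNS SRV lookup instead of using the URI
    'none'     : neither is set
    """
    if entries.get("host"):
        return "host"
    if entries.get("uri"):
        return "uri-only"
    return "none"


def suggested_host_line(entries):
    """For a uri-only config, build a 'host' line naming the same servers (inferred workaround).

    Returns None when no host line is needed or none can be derived.
    """
    if assess(entries) != "uri-only":
        return None
    hosts = []
    for value in entries["uri"]:
        hosts.extend(h for h in hosts_from_uri(value) if h not in hosts)
    return "host " + " ".join(hosts) if hosts else None


if __name__ == "__main__":
    conf = parse_ldap_conf(SAMPLE_URI_ONLY)
    print("status:", assess(conf))
    print("servers named by uri:", hosts_from_uri(conf["uri"][0]))
    print("suggested line:", suggested_host_line(conf))
```

Run it against a real file with `parse_ldap_conf(open("/etc/ldap.conf").read())`; a "uri-only" result on a host running the affected nss_ldap build is the condition under which authentication can silently go to whatever server a DNS SRV record points at.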
Fedora Core 2 is now maintained by the Fedora Legacy project for
security updates only. If this problem is a security issue, please
reopen and reassign to the Fedora Legacy product. If it is not a
security issue and hasn't been resolved in the current FC3 updates or
in the FC4 test release, reopen and change the version to match.
Closing per lack of response. Also note that FC1 and FC2 are no longer
supported even by Fedora Legacy. If this still occurs on FC3 or FC4, please
assign to that version and Fedora Legacy. If it still occurs on FC5 or FC6,
please reopen and assign to the correct version.