Bug 135228 - pam_ldap does not work without "host" entry in ldap.conf
pam_ldap does not work without "host" entry in ldap.conf
Status: CLOSED INSUFFICIENT_DATA
Product: Fedora
Classification: Fedora
Component: nss_ldap (Show other bugs)
2
i686 Linux
medium Severity high
: ---
: ---
Assigned To: Nalin Dahyabhai
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2004-10-10 22:10 EDT by stamfest
Modified: 2008-08-02 19:40 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2006-10-25 16:35:16 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description stamfest 2004-10-10 22:10:53 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040113

Description of problem:
The version of pam_ldap included with nss_ldap-217-1 has been patched
to   misinterpret the ldap.conf file.

If no "host" entry has been specified in ldap.conf, pam_ldap tries to
do a DNS SRV lookup of the LDAP service. If this cannot be found,
authentication fails. 

However, this breaks down if one uses a LDAP-URI using the "uri"
configuration option in ldap.conf and no "host" option.

Unfortunatly, the module fails silently without indicating the problem
(A syslog message would have been helpful, so the patch is incomplete).

Version-Release number of selected component (if applicable):
nss_ldap-217-1

How reproducible:
Always

Steps to Reproduce:
1. Use no "host" line in ldap.conf, only uri
2. Try to authenticate via pam_ldap when not having a SRV entry in DNS
3. Authentication will fail
    

Actual Results:  Authentication fails, or even worse (if SRV Entry
exists in DNS but points to wrong DNS server): authentication against
wrong server and thus possibly a security problem. (somebody feeling
like sending this to bugtraq ;-)  )

Expected Results:  Authentication should succeed against the server
named in the "uri" config line.

Additional info:
Comment 1 Chris Hills 2005-01-18 04:30:32 EST
This affects x86_64 too.
Comment 2 Matthew Miller 2005-04-26 12:39:44 EDT
Fedora Core 2 is now maintained by the Fedora Legacy project for
security updates only. If this problem is a security issue, please
reopen and reassign to the Fedora Legacy product. If it is not a
security issue and hasn't been resolved in the current FC3 updates or
in the FC4 test release, reopen and change the version to match.
Comment 3 John Thacker 2006-10-25 16:35:16 EDT
Closing per lack of response.  Also note that FC1 and FC2 are no longer
supported even by Fedora Legacy.  If this still occurs on FC3 or FC4, please
assign to that version and Fedora Legacy.  If it still occurs on FC5 or FC6,
please reopen and assign to the correct version.

Note You need to log in before you can comment on or make changes to this bug.