Bug 135228 - pam_ldap does not work without "host" entry in ldap.conf
Summary: pam_ldap does not work without "host" entry in ldap.conf
Keywords:
Status: CLOSED INSUFFICIENT_DATA
Alias: None
Product: Fedora
Classification: Fedora
Component: nss_ldap
Version: 2
Hardware: i686
OS: Linux
medium
high
Target Milestone: ---
Assignee: Nalin Dahyabhai
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2004-10-11 02:10 UTC by stamfest
Modified: 2008-08-02 23:40 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2006-10-25 20:35:16 UTC
Type: ---
Embargoed:



Description stamfest 2004-10-11 02:10:53 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040113

Description of problem:
The version of pam_ldap included with nss_ldap-217-1 has been patched
to misinterpret the ldap.conf file.

If no "host" entry has been specified in ldap.conf, pam_ldap tries to
do a DNS SRV lookup of the LDAP service. If this cannot be found,
authentication fails. 

However, this breaks down if one uses an LDAP URI via the "uri"
configuration option in ldap.conf and no "host" option.

Unfortunately, the module fails silently without indicating the problem
(A syslog message would have been helpful, so the patch is incomplete).

Version-Release number of selected component (if applicable):
nss_ldap-217-1

How reproducible:
Always

Steps to Reproduce:
1. Use no "host" line in ldap.conf, only uri
2. Try to authenticate via pam_ldap when not having a SRV entry in DNS
3. Authentication will fail

Actual Results:  Authentication fails, or even worse (if an SRV entry
exists in DNS but points to the wrong server): authentication against the
wrong server and thus possibly a security problem. (somebody feeling
like sending this to bugtraq ;-)  )

Expected Results:  Authentication should succeed against the server
named in the "uri" config line.

Additional info:
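
The following script is an added example, not code from nss_ldap, pam_ldap or this report. It audits an ldap.conf for the configuration shape the report describes (a "uri" line with no "host" line) and tells an administrator which server the patched module would end up contacting. The module behaviour it models is taken from the report and is not verified against the module source: a "host" line is used as-is; without one, "uri" is ignored and a DNS SRV lookup decides, failing silently when no record exists and selecting whatever the record names when one does. To keep the check offline, the SRV answer is passed in by the caller rather than looked up; the sample ldap.conf and SRV targets are constructed.

```python
"""Audit an ldap.conf for the pam_ldap server-selection behaviour this report describes.

Added example, not code from nss_ldap or pam_ldap. Assumed behaviour (from the
report, not verified against the module source): with a `host` line the module
uses that host; with no `host` line it ignores `uri` and falls back to a DNS SRV
lookup, failing silently when no record exists and using whatever the record
names when one does. The SRV answer is passed in by the caller (constructed in
the sample below) so the audit runs offline and does not touch DNS.
"""
from urllib.parse import urlparse


def parse_ldap_conf(text):
    """Parse ldap.conf-style text into {key: [values]}.

    Keys are case-insensitive, '#' begins a comment, and the first run of
    whitespace separates the key from its value. Repeated keys are kept in order.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        conf.setdefault(parts[0].lower(), []).append(parts[1].strip())
    return conf


def uri_hosts(conf):
    """Hostnames named by the uri line(s); one line may list several URIs."""
    hosts = []
    for value in conf.get("uri", []):
        for uri in value.split():
            hostname = urlparse(uri).hostname
            if hostname:                      # ldapi:// URIs carry no hostname
                hosts.append(hostname.lower())
    return hosts


def audit(conf, srv_target=None):
    """Return (server the module would contact, list of finding codes).

    srv_target is the target named by the LDAP SRV record for the machine's
    domain, or None when no record exists.
    """
    findings = []
    if "host" in conf:
        # First token of the first host line; no fallback is needed.
        return conf["host"][0].split()[0].lower(), findings
    hosts = uri_hosts(conf)
    if hosts:
        findings.append("uri-ignored")        # uri set but no host: SRV fallback instead
    if srv_target is None:
        findings.append("no-srv-record")      # report: auth fails with no log message
        return None, findings
    target = srv_target.lower().rstrip(".")
    if hosts and target not in hosts:
        findings.append("srv-mismatch")       # report: auth sent to a different server
    return target, findings


def add_host_line(text):
    """Mitigation: pin the server by adding a host line derived from uri when
    none exists. Returns the text unchanged if host is already set or uri names
    no hostname."""
    conf = parse_ldap_conf(text)
    hosts = uri_hosts(conf)
    if "host" in conf or not hosts:
        return text
    return text.rstrip("\n") + "\nhost " + " ".join(hosts) + "\n"


# Constructed sample configuration: the failing shape from the report (uri only).
SAMPLE_URI_ONLY = """\
# ldap.conf (constructed sample)
uri ldap://ldap.example.org/
base dc=example,dc=org
ssl start_tls
"""

if __name__ == "__main__":
    conf = parse_ldap_conf(SAMPLE_URI_ONLY)
    for srv in (None, "ldap.example.org.", "other.example.net."):
        print(f"SRV target={srv!r:22} -> {audit(conf, srv)}")
    print(add_host_line(SAMPLE_URI_ONLY))
```

Run as-is it walks the three outcomes the report lists for a uri-only file (no SRV record, a record matching the uri host, a record naming some other host) and then prints the pinned configuration. The "srv-mismatch" finding is the one worth alerting on: it is the case where credentials are presented to a server the administrator never configured, and adding the explicit "host" line removes the fallback entirely on the affected version.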

Comment 1 Chris Hills 2005-01-18 09:30:32 UTC
This affects x86_64 too.

Comment 2 Matthew Miller 2005-04-26 16:39:44 UTC
Fedora Core 2 is now maintained by the Fedora Legacy project for
security updates only. If this problem is a security issue, please
reopen and reassign to the Fedora Legacy product. If it is not a
security issue and hasn't been resolved in the current FC3 updates or
in the FC4 test release, reopen and change the version to match.

Comment 3 John Thacker 2006-10-25 20:35:16 UTC
Closing per lack of response.  Also note that FC1 and FC2 are no longer
supported even by Fedora Legacy.  If this still occurs on FC3 or FC4, please
assign to that version and Fedora Legacy.  If it still occurs on FC5 or FC6,
please reopen and assign to the correct version.

