From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040113

Description of problem:
The version of pam_ldap included with nss_ldap-217-1 has been patched to misinterpret the ldap.conf file. If no "host" entry has been specified in ldap.conf, pam_ldap tries to do a DNS SRV lookup of the LDAP service. If this cannot be found, authentication fails. However, this breaks down if one uses an LDAP-URI using the "uri" configuration option in ldap.conf and no "host" option. Unfortunately, the module fails silently without indicating the problem (a syslog message would have been helpful, so the patch is incomplete).

Version-Release number of selected component (if applicable):
nss_ldap-217-1

How reproducible:
Always

Steps to Reproduce:
1. Use no "host" line in ldap.conf, only uri
2. Try to authenticate via pam_ldap when not having a SRV entry in DNS
3. Authentication will fail

Actual Results:
Authentication fails, or even worse (if SRV entry exists in DNS but points to wrong DNS server): authentication against wrong server and thus possibly a security problem. (somebody feeling like sending this to bugtraq ;-) )

Expected Results:
Authentication should succeed against the server named in the "uri" config line.

Additional info:
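Added example, not part of the original report and not pam_ldap's own code: a small audit that flags an ldap.conf matching the reported configuration ("uri" without "host") and lists the servers named on the uri line, so they can be compared with the server the module actually contacts. It assumes whitespace-separated keyword/value lines with # comments and case-insensitive keywords; the function names and sample file contents are constructed for illustration.

```python
from urllib.parse import urlsplit


def parse_ldap_conf(text):
    """Return {keyword: [values]} for an ldap.conf-style file."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        parts = line.split(None, 1)
        key = parts[0].lower()  # assumption: keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        opts.setdefault(key, []).append(value)
    return opts


def audit_ldap_conf(text):
    """Classify how the LDAP server is named and list the hosts in 'uri'."""
    opts = parse_ldap_conf(text)
    uri_hosts = []
    for value in opts.get("uri", []):
        for uri in value.split():  # several URIs may share one line
            parsed = urlsplit(uri)
            if parsed.scheme in ("ldap", "ldaps") and parsed.hostname:
                uri_hosts.append(parsed.hostname)
    if any(opts.get("host", [])):
        status = "host-set"
    elif uri_hosts:
        # The configuration from the report: with no "host" line the
        # reported build falls back to a DNS SRV lookup instead of "uri".
        status = "uri-only"
    else:
        status = "no-server"
    return {"status": status, "uri_hosts": uri_hosts}


if __name__ == "__main__":
    # Constructed sample matching the steps to reproduce.
    sample = """# constructed example
base dc=example,dc=com
uri ldaps://ldap1.example.com/ ldap://ldap2.example.com:389
"""
    print(audit_ldap_conf(sample))
```

A "uri-only" result on a system running the affected package means the hosts in `uri_hosts` are the ones authentication is expected to reach; traffic to any other LDAP server is worth investigating.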
This affects x86_64 too.
Fedora Core 2 is now maintained by the Fedora Legacy project for security updates only. If this problem is a security issue, please reopen and reassign to the Fedora Legacy product. If it is not a security issue and hasn't been resolved in the current FC3 updates or in the FC4 test release, reopen and change the version to match.
Closing per lack of response. Also note that FC1 and FC2 are no longer supported even by Fedora Legacy. If this still occurs on FC3 or FC4, please assign to that version and Fedora Legacy. If it still occurs on FC5 or FC6, please reopen and assign to the correct version.