Bug 154805 - getent works but /bin/su - username fails when nss_ldap is configured to utilize SSL with and OpenLDAP server
Summary: getent works but /bin/su - username fails when nss_ldap is configured to util...
Alias: None
Product: Fedora
Classification: Fedora
Component: nss_ldap
Version: 3
Hardware: i386
OS: Linux
Target Milestone: ---
Assignee: Nalin Dahyabhai
QA Contact:
Depends On:
TreeView+ depends on / blocked
Reported: 2005-04-14 10:54 UTC by Jon Thompson
Modified: 2008-02-07 15:40 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2008-02-07 15:40:33 UTC
Type: ---

Attachments (Terms of Use)

Description Jon Thompson 2005-04-14 10:54:56 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0

Description of problem:
When I have nss_ldap configured to use clear text both getent and /bin/su - allow me to see the users or login as the user.  However, whenever I change the configuration to use SSL with my OpenLDAP server getent continues to work, but /bin/su - returns incorrect password and normal login for LDAP-based users fails.  The log files report and inablility to bind to the LDAP server:  "pam_ldap: ldap_simple_bind Can't contact LDAP server"  From another post I have tried upgrading to the latest nss_ldap available in the development tree and that does not work either. Actually, that breaks both getent and login.  However, it works correctly in RHEL3 and not in CentOS 4.0.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. system-config-authentication; use ldap for both user info and auth - no MD5
2. configure /etc/ldap.conf to use openldap ssl (ssl on) and port 636
3. /bin/su - username

Actual Results:  su: incorrect password

Expected Results:  It shoudl have logged me in as the user

Additional info:

Comment 1 Oliver Schulze L. 2005-09-22 08:23:28 UTC
Have you configured correctly openldap ssl certificates?
Is openldap running after executing authconfig?
Please run 'service ldap restart' twice and check that no error is reported

Comment 2 Matthew Miller 2006-07-10 20:27:25 UTC
Fedora Core 3 is now maintained by the Fedora Legacy project for security
updates only. If this problem is a security issue, please reopen and
reassign to the Fedora Legacy product. If it is not a security issue and
hasn't been resolved in the current FC5 updates or in the FC6 test
release, reopen and change the version to match.

Thank you!

Comment 3 petrosyan 2008-02-07 15:40:33 UTC
Fedora Core 3 is not maintained anymore.

Setting status to "INSUFFICIENT_DATA". If you can reproduce this bug in the
current Fedora release, please reopen this bug and assign it to the
corresponding Fedora version.

Note You need to log in before you can comment on or make changes to this bug.