Bug 240344 - nss_ldap fails authenticated bind to OpenLDAP when using URI directive and ACL on userPassword attribute
nss_ldap fails authenticated bind to OpenLDAP when using URI directive and AC...
Status: CLOSED WONTFIX
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: nss_ldap (Show other bugs)
3.8
i686 Linux
medium Severity medium
: ---
: ---
Assigned To: Nalin Dahyabhai
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-05-16 12:43 EDT by Josh Miller
Modified: 2008-05-01 11:38 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-10-19 14:36:43 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Josh Miller 2007-05-16 12:43:07 EDT
Description of problem:

When specifying the LDAP server host name in a URI format in the /etc/ldap.conf
configuration file when ACLs restrict reading of the userPassword attribute,
RHEL 3.8 hosts fail to bind properly to OpenLDAP to obtain the userPassword
attribute and LDAP logins fail.

The workaround is to use the deprecated host directive.

Broken:
URI ldaps://ldap.server.example.com

Works:
host ldap.server.example.com
port 636

ACL in question:
access to attrs=userPassword
  by self write
  by anonymous auth
  by * none
access to *
  by self write
  by * read

Enabling and disabling TLS/SSL had no effect on the outcome.

Version-Release number of selected component (if applicable):
- RHEL 3.8
- nss_ldap-207-17
- 2.4.21-47.0.1.ELsmp
- openldap-2.0.27-20

Also tested with OpenLDAP 2.3.34 clients with SAME results.  The ldapsearch and
other OpenLDAP utilities are unaffected by this bug.

How reproducible:

Easily.

Steps to Reproduce:
1. configure LDAP directory with above referenced ACL on userPassword attribute
2. configure host to authenticate via configured directory using URI directive
3. restart nscd and attempt password authentication via console or secure shell
  
Actual results:
- Failed login, user unknown/bad password.

Expected results:
- Successful login.

Additional info:

I believe this is specific to some internal Redhat modification of the
authentication process since this bug does not exist on RHEL 2.1, or CentOS
2.*/3.*/4.* hosts.

More available upon request.
Comment 1 RHEL Product and Program Management 2007-10-19 14:36:43 EDT
This bug is filed against RHEL 3, which is in maintenance phase.
During the maintenance phase, only security errata and select mission
critical bug fixes will be released for enterprise products. Since
this bug does not meet that criteria, it is now being closed.
 
For more information of the RHEL errata support policy, please visit:
http://www.redhat.com/security/updates/errata/
 
If you feel this bug is indeed mission critical, please contact your
support representative. You may be asked to provide detailed
information on how this bug is affecting you.

Note You need to log in before you can comment on or make changes to this bug.