Red Hat Bugzilla – Bug 240344
nss_ldap fails authenticated bind to OpenLDAP when using URI directive and ACL on userPassword attribute
Last modified: 2008-05-01 11:38:07 EDT
Description of problem:
When the LDAP server host name is specified in URI format in the /etc/ldap.conf
configuration file and ACLs restrict reading of the userPassword attribute,
RHEL 3.8 hosts fail to bind properly to OpenLDAP to obtain the userPassword
attribute and LDAP logins fail.
The workaround is to use the deprecated host directive.
ACL in question:
access to attrs=userPassword
by self write
by anonymous auth
by * none
access to *
by self write
by * read
Enabling and disabling TLS/SSL had no effect on the outcome.
Version-Release number of selected component (if applicable):
- RHEL 3.8
Also tested with OpenLDAP 2.3.34 clients with SAME results. The ldapsearch and
other OpenLDAP utilities are unaffected by this bug.
Steps to Reproduce:
1. configure LDAP directory with above referenced ACL on userPassword attribute
2. configure host to authenticate via configured directory using URI directive
3. restart nscd and attempt password authentication via console or secure shell
Actual results:
- Failed login, user unknown/bad password.
Expected results:
- Successful login.
I believe this is specific to some internal Red Hat modification of the
authentication process since this bug does not exist on RHEL 2.1, or CentOS
More available upon request.
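To make concrete what the ACL quoted in the report actually grants, here is a small Python model of how slapd evaluates access directives: the first `access to` directive whose target covers the attribute is used, within it the first matching `by` clause wins, an implicit `by * none` closes each directive, and the privilege levels are ordered none < disclose < auth < compare < search < read < write < manage, each implying the lower ones. This is an added example written for this page; it is not code from the bug report, from OpenLDAP or from nss_ldap, it ignores ACL features the quoted rules do not use (stop/continue/break controls, dn.regex and `users` subjects, attribute value filters), and the DNs `uid=alice,...` and `uid=bob,...` are constructed for the demo.

```python
# Added example: a simplified model of slapd access-directive evaluation for
# the ACL quoted in this bug report. Not code from the report, OpenLDAP or
# nss_ldap. Unsupported features (stop/continue/break, dn.regex, "by users",
# attrs=...val filters) are deliberately left out. DNs are constructed.

# OpenLDAP privilege levels from lowest to highest. A granted level implies
# every lower level: "write" also permits read, search, compare and auth.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# The ACL from the report, in the order slapd evaluates it.
# Each directive: (set of attribute names, or None for "*", list of <by> clauses).
ACL = [
    ({"userpassword"}, [("self", "write"), ("anonymous", "auth"), ("*", "none")]),
    (None,             [("self", "write"), ("*", "read")]),
]


def _norm_dn(dn):
    """Case- and whitespace-insensitive DN comparison, sufficient for this demo."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def who_matches(who, bind_dn, target_dn):
    """Does a <by> subject match the requester?  bind_dn is None when anonymous."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "self":
        return bind_dn is not None and _norm_dn(bind_dn) == _norm_dn(target_dn)
    raise ValueError("unsupported <by> subject in this model: " + who)


def granted_level(acl, bind_dn, target_dn, attr):
    """Highest level the requester holds on `attr` of `target_dn` under `acl`."""
    for attrs, by_clauses in acl:
        if attrs is not None and attr.lower() not in attrs:
            continue                # this directive's <what> does not cover attr
        for who, level in by_clauses:
            if who_matches(who, bind_dn, target_dn):
                return level        # first matching <by> clause wins (default "stop")
        return "none"               # implicit trailing "by * none"
    return "none"                   # no directive matched the target: denied


def allowed(acl, bind_dn, target_dn, attr, needed):
    """True if the requester's granted level is at least `needed`."""
    have = LEVELS.index(granted_level(acl, bind_dn, target_dn, attr))
    return have >= LEVELS.index(needed)


def simple_bind_permitted(acl, user_dn):
    """A simple bind is evaluated while the connection is still anonymous and
    needs "auth" on userPassword of the entry being bound to; that is what the
    "by anonymous auth" clause exists for."""
    return allowed(acl, None, user_dn, "userPassword", "auth")


def password_readable(acl, bind_dn, user_dn):
    """Can the requester retrieve the hash with a search?  That needs "read"."""
    return allowed(acl, bind_dn, user_dn, "userPassword", "read")


if __name__ == "__main__":
    alice = "uid=alice,ou=People,dc=example,dc=com"   # constructed DN
    bob = "uid=bob,ou=People,dc=example,dc=com"       # constructed DN
    print("anonymous simple bind as alice:   ", simple_bind_permitted(ACL, alice))
    print("anonymous reads alice's hash:     ", password_readable(ACL, None, alice))
    print("alice reads her own hash:         ", password_readable(ACL, alice, alice))
    print("bob reads alice's hash:           ", password_readable(ACL, bob, alice))
    print("anonymous reads alice's uidNumber:", allowed(ACL, None, alice, "uidNumber", "read"))
```

The model shows the two paths the ACL separates: an anonymous client may bind as a user (auth on userPassword) but gets nothing back if it tries to search for the hash (read on userPassword is denied to everyone but the entry itself). When debugging a failure like the one reported above, `ldapwhoami -x -H ldap://server -D <user dn> -W` exercises the bind path and `ldapsearch -x -H ldap://server -b <base> '(uid=alice)' userPassword` the read path, so the two can be told apart independently of nss_ldap.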
This bug is filed against RHEL 3, which is in maintenance phase.
During the maintenance phase, only security errata and select mission
critical bug fixes will be released for enterprise products. Since
this bug does not meet those criteria, it is now being closed.
For more information on the RHEL errata support policy, please visit:
If you feel this bug is indeed mission critical, please contact your
support representative. You may be asked to provide detailed
information on how this bug is affecting you.