Description of problem:
When the LDAP server host name is specified in URI format in the /etc/ldap.conf configuration file and ACLs restrict reading of the userPassword attribute, RHEL 3.8 hosts fail to bind properly to OpenLDAP to obtain the userPassword attribute and LDAP logins fail. The workaround is to use the deprecated host directive.

Broken:
URI ldaps://ldap.server.example.com

Works:
host ldap.server.example.com
port 636

ACL in question:
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
access to *
        by self write
        by * read

Enabling and disabling TLS/SSL had no effect on the outcome.

Version-Release number of selected component (if applicable):
- RHEL 3.8
- nss_ldap-207-17
- 2.4.21-47.0.1.ELsmp
- openldap-2.0.27-20

Also tested with OpenLDAP 2.3.34 clients with SAME results.

The ldapsearch and other OpenLDAP utilities are unaffected by this bug.

How reproducible:
Easily.

Steps to Reproduce:
1. configure LDAP directory with above referenced ACL on userPassword attribute
2. configure host to authenticate via configured directory using URI directive
3. restart nscd and attempt password authentication via console or secure shell

Actual results:
- Failed login, user unknown/bad password.

Expected results:
- Successful login.

Additional info:
I believe this is specific to some internal Red Hat modification of the authentication process since this bug does not exist on RHEL 2.1, or CentOS 2.*/3.*/4.* hosts. More available upon request.
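What the quoted ACL actually grants, as an added example that is not code from the report, from nss_ldap or from OpenLDAP: a small Python model of slapd's first-match access evaluation (per slapd.access(5): the first "access to" whose target covers the attribute is used, and inside it the first matching "by" clause decides; no match means none), applied to the two directives above. The DNs are constructed for illustration. The point it makes explicit is that "by anonymous auth" lets an unauthenticated simple bind verify a password without ever disclosing it, while any other authenticated DN falls through to "by * none", so a client that binds as some other (non-rootdn) DN and then tries to read userPassword is refused, even though every other attribute is world-readable.

```python
# Added example: minimal model of slapd access-control evaluation for the
# ACL quoted in the bug report. Not OpenLDAP or nss_ldap code.

# Privilege levels are cumulative; this ordering is the one slapd.access(5)
# documents (the newer "disclose"/"manage" levels are omitted on purpose).
ACCESS_LEVELS = ["none", "auth", "compare", "search", "read", "write"]

# The ACL from the report, as (target, [(who, level), ...]) tuples.
REPORTED_ACL = [
    ("attrs=userPassword", [("self", "write"), ("anonymous", "auth"), ("*", "none")]),
    ("*", [("self", "write"), ("*", "read")]),
]


def level_at_least(granted, needed):
    """True if privilege `granted` includes privilege `needed`."""
    return ACCESS_LEVELS.index(granted) >= ACCESS_LEVELS.index(needed)


def target_matches(target, attr):
    """Does an 'access to <target>' directive cover attribute `attr`?"""
    if target == "*":
        return True
    if target.startswith("attrs="):
        attrs = [a.strip().lower() for a in target[len("attrs="):].split(",")]
        return attr.lower() in attrs
    return False


def who_matches(who, requester_dn, entry_dn):
    """Does a 'by <who>' clause match this requester? None means anonymous."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester_dn is None
    if who == "users":
        return requester_dn is not None
    if who == "self":
        return requester_dn is not None and requester_dn.lower() == entry_dn.lower()
    return False


def effective_access(acl, requester_dn, entry_dn, attr):
    """Privilege the requester has on `attr` of `entry_dn` (first match wins)."""
    for target, by_clauses in acl:
        if target_matches(target, attr):
            for who, level in by_clauses:
                if who_matches(who, requester_dn, entry_dn):
                    return level
            return "none"  # directive matched but no 'by' clause did
    return "none"          # nothing matched: slapd's default is no access


def can_read(acl, requester_dn, entry_dn, attr):
    return level_at_least(effective_access(acl, requester_dn, entry_dn, attr), "read")


def can_simple_bind(acl, entry_dn):
    """A simple bind as entry_dn is authorised while the connection is still
    anonymous, so it needs 'auth' on userPassword for the anonymous requester."""
    return level_at_least(effective_access(acl, None, entry_dn, "userPassword"), "auth")


if __name__ == "__main__":
    # Constructed DNs, not taken from the report.
    alice = "uid=alice,ou=people,dc=example,dc=com"
    proxy = "uid=proxy,ou=people,dc=example,dc=com"
    print("alice can simple-bind:", can_simple_bind(REPORTED_ACL, alice))                       # True
    print("anonymous can read userPassword:", can_read(REPORTED_ACL, None, alice, "userPassword"))  # False
    print("proxy can read alice's userPassword:", can_read(REPORTED_ACL, proxy, alice, "userPassword"))  # False
    print("proxy can read alice's uid:", can_read(REPORTED_ACL, proxy, alice, "uid"))           # True
    print("anonymous can read alice's cn:", can_read(REPORTED_ACL, None, alice, "cn"))          # True
```

The model deliberately ignores rootdn (which bypasses ACLs entirely) and the "break"/"continue" controls, neither of which appears in the quoted configuration.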
This bug is filed against RHEL 3, which is in maintenance phase. During the maintenance phase, only security errata and select mission critical bug fixes will be released for enterprise products. Since this bug does not meet these criteria, it is now being closed. For more information on the RHEL errata support policy, please visit: http://www.redhat.com/security/updates/errata/ If you feel this bug is indeed mission critical, please contact your support representative. You may be asked to provide detailed information on how this bug is affecting you.