Bug 442272 - login via gdm fails when using ldap authentication
Product: Fedora
Classification: Fedora
Component: nss_ldap
Platform: All Linux
Priority: low  Severity: medium
Assigned To: Nalin Dahyabhai
QA Contact: Fedora Extras Quality Assurance
Reported: 2008-04-13 13:31 EDT by Carl Roth
Modified: 2008-08-02 19:40 EDT
Fixed In Version: nss_ldap-259-3.fc9
Doc Type: Bug Fix
Last Closed: 2008-06-10 09:43:15 EDT
Attachments:
- /etc/ldap.conf (9.31 KB, text/plain), 2008-04-15 11:56 EDT, Carl Roth
- /etc/nsswitch.conf (1.77 KB, text/plain), 2008-04-15 11:56 EDT, Carl Roth

Description Carl Roth 2008-04-13 13:31:03 EDT
Description of problem:

KDE sessions do not log in properly under some configurations that use ldap user
authentication.  Specifically, if the ldap host in /etc/ldap.conf is configured
using a FQDN instead of an IP address, the following is reported in the syslog:

Apr  7 15:09:57 somehost dbus: nss_ldap: failed to bind to LDAP server
ldap://ldap.example.com: Can't contact LDAP server
Apr  7 15:09:57 somehost dbus: nss_ldap: could not search LDAP server - Server
is unavailable

If I set the ldap client configuration in /etc/ldap.conf to use a fully-resolved
IP address, then KDE is able to log users in without a problem.

Version-Release number of selected component (if applicable):

I'm not sure which package this is associated with.  I'm running an F9 system
(8.93) with rawhide components.  Some that may be of interest:


How reproducible:


Steps to Reproduce:
1. Configure the system with ldap user authentication
2. Configure the ldap authentication source to use a FQDN instead of an IP address
3. Create a non-local user (only exists in LDAP)
4. Try to log in
Actual results:

The login stalls after a few minutes.  The syslog reports nss_ldap errors, and
the desktop login messages start to report dbus connection failures.

Expected results:

Additional info:

On this same system, I verified that local users (not in LDAP) are not affected.
Comment 1 Nalin Dahyabhai 2008-04-15 11:27:55 EDT
Are you using SSL?  If so, what does the server's certificate contain?  Can you
attach your /etc/ldap.conf and /etc/nsswitch.conf files?
Comment 2 Carl Roth 2008-04-15 11:56:20 EDT
Created attachment 302481
Comment 3 Carl Roth 2008-04-15 11:56:36 EDT
Created attachment 302482
Comment 4 Carl Roth 2008-04-15 12:01:42 EDT
The ldap server on my LAN is not using SSL, and allows unauthenticated queries
from the local subnet.  That is, I can run queries like

  ldapsearch -x -b ou=People,dc=ursus,dc=net 'uid=someuser'

without entering a password or bind DN.  Slapd has other ACLs (with DNs and
passwords) also for things like password change.

The 'host' entry in ldap.conf is the only difference between the working- and
non-working configurations.  In the working configuration, 'host' spells out an
IP address.  In the non-working configuration, 'host' spells out an FQDN.
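The reporter's working and non-working configurations differ only in whether the `host` entry of /etc/ldap.conf is an IP literal or a name that nss_ldap must resolve at lookup time. The script below is an added diagnostic, not the reporter's attachments or anything from nss_ldap itself: it parses an nss_ldap-style ldap.conf for `host` and `uri` targets, reports which ones need name resolution, and flags an nsswitch.conf `hosts:` line that itself lists `ldap` as a source (resolving the server's name would then depend on reaching the server). The file contents, the hostname ldap.example.com, the address 192.0.2.10 and the base DN are constructed for the example; the bug's actual root cause is not established by this check.

```shell
#!/bin/sh
# Added diagnostic for nss_ldap host configuration; sample files are constructed.

# Print every server target named by 'host' or 'uri' lines of an ldap.conf.
ldap_targets() {   # $1 = path to an ldap.conf
    awk '
        /^[[:space:]]*#/ { next }                  # skip comments
        tolower($1) == "host" { for (i = 2; i <= NF; i++) print $i }
        tolower($1) == "uri" {
            for (i = 2; i <= NF; i++) {
                t = $i
                sub(/^[a-z]+:\/\//, "", t)          # strip ldap:// or ldaps://
                sub(/\/.*$/, "", t)                 # strip any trailing path
                sub(/:[0-9]+$/, "", t)              # strip :port
                if (t != "") print t
            }
        }' "$1"
}

# Returns 0 for an IPv4 dotted quad (no resolver needed), 1 otherwise.
# Bracketed IPv6 literals are reported as needing DNS; extend if you use them.
is_ip_literal() {
    case "$1" in
        ""|*[!0-9.]*) return 1 ;;
        *) return 0 ;;
    esac
}

# One line per target: "<target> ip" or "<target> needs-dns".
classify_targets() {   # $1 = path to an ldap.conf
    ldap_targets "$1" | while read -r t; do
        if is_ip_literal "$t"; then echo "$t ip"; else echo "$t needs-dns"; fi
    done
}

# Returns 0 if the nsswitch.conf 'hosts:' line lists ldap as a source.
hosts_via_ldap() {   # $1 = path to an nsswitch.conf
    awk '
        /^[[:space:]]*#/ { next }
        $1 == "hosts:" { for (i = 2; i <= NF; i++) if ($i == "ldap") found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# Constructed sample files (not the attachments from this bug).
TMPD=$(mktemp -d)
LDAP_FQDN="$TMPD/ldap-fqdn.conf"
LDAP_IP="$TMPD/ldap-ip.conf"
NSS_OK="$TMPD/nsswitch-ok.conf"
NSS_LDAP="$TMPD/nsswitch-ldap.conf"

printf '%s\n' '# constructed sample' 'base ou=People,dc=example,dc=com' \
    'host ldap.example.com' > "$LDAP_FQDN"
printf '%s\n' '# constructed sample' 'base ou=People,dc=example,dc=com' \
    'uri ldap://192.0.2.10:389/' > "$LDAP_IP"
printf '%s\n' 'passwd:     files ldap' 'group:      files ldap' \
    'hosts:      files dns' > "$NSS_OK"
printf '%s\n' 'passwd:     files ldap' 'group:      files ldap' \
    'hosts:      files ldap dns' > "$NSS_LDAP"

# Stand-alone report when the script is run directly.
for f in "$LDAP_FQDN" "$LDAP_IP"; do
    echo "$f:"
    classify_targets "$f"
done
for f in "$NSS_OK" "$NSS_LDAP"; do
    if hosts_via_ldap "$f"; then
        echo "$f: hosts: consults ldap, so resolving the LDAP server name depends on LDAP"
    else
        echo "$f: hosts: does not consult ldap"
    fi
done
```

Run it against the real /etc/ldap.conf and /etc/nsswitch.conf by passing those paths to `classify_targets` and `hosts_via_ldap`; a `needs-dns` target is the one whose resolution has to succeed, from inside whatever process is doing the lookup (here gdm's and dbus's), before nss_ldap can bind.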
Comment 5 Nalin Dahyabhai 2008-04-15 15:48:03 EDT
Hmm, so that's a "no" on SSL then. (This looked like a certificate subject name
mismatch, but no joy.)  It doesn't look like it's KDE-specific -- something
weird's going on inside of gdm, but I haven't chased it beyond that level yet.
Comment 6 Nalin Dahyabhai 2008-04-16 11:21:39 EDT
Can you check if the packages built at
http://koji.fedoraproject.org/koji/buildinfo?buildID=46358 make this work as
expected?  (It's a pretty nasty hack, but as we're running out of time for F9 it
might be all we have time to do.)
Comment 7 Bug Zapper 2008-05-14 05:22:59 EDT
Changing version to '9' as part of upcoming Fedora 9 GA.
More information and reason for this action is here:
Comment 8 Brennan Ashton 2008-06-07 22:30:29 EDT
Reporter, could you please reply to the previous question? If you won't reply in
one month, I will have to close this bug as INSUFFICIENT_DATA. Thank you.
Comment 9 Carl Roth 2008-06-10 09:43:15 EDT
This appears to work fine now when I revert the ldap server to a FQDN
instead of an IP address.  At least, the initial login works, which is where I
saw the issue.  I'll report back if I see any other issues, but AFAIK this is

Thanks, and sorry for the delay.
