Bug 582703 - unable to setup LDAP server with ldap
Summary: unable to setup LDAP server with ldap
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Fedora
Classification: Fedora
Component: authconfig
Version: 13
Hardware: x86_64
OS: Linux
low
medium
Target Milestone: ---
Assignee: Tomas Mraz
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2010-04-15 15:38 UTC by Peter Bojtos
Modified: 2010-05-27 15:32 UTC (History)
1 user (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2010-04-15 15:46:15 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)

Description Peter Bojtos 2010-04-15 15:38:57 UTC
Description of problem:
We have been using LDAP server without TLS for authenticating our users for a long time successfully. Now system-config-authentication needs TLS or ldaps.

Version-Release number of selected component (if applicable):
authconfig-6.1.3-1.fc13.x86_64

How reproducible:
setup an LDAP server without security

Steps to Reproduce:
1. run system-config-authentication
2. setup an LDAP server with ldap (and not ldaps) without checking TLS
3. setup Authentication Method: LDAP password
  
Actual results:
system-config-authentication tell: "You must provide ldaps:// server address or use TLS for LDAP…"

Expected results:
I want to be able to use LDAP accounts without TLS or ldaps.

Additional info:

Comment 1 Tomas Mraz 2010-04-15 15:46:15 UTC
This practice is insecure although I can understand that on internal networks with low security requirements it might be acceptable. We use SSSD instead of the pam_ldap for authentication now though and SSSD does not support LDAP authentication against non-tls/ldaps servers.

You can still use the command line UI for that if you use the --disablesssd --disablesssdauth options.

Comment 2 Peter Bojtos 2010-05-27 15:17:45 UTC
We've tried to use the authconfig-tui tool to set up the LDAP authentication server, but it still doesn't work. The /var/log/secure tells 

May 27 17:06:49 dirac sshd[25386]: pam_sss(sshd:auth): received for user ptr: 4 (System error)

So it seems, that the LDAP server is reachable and it starts to query the informations about the user, but it fails.

PS. The authconfig-tui accepts the LDAP server without ssl/tls when I don't use 
--disablesssd --disablesssdauth options.

Comment 3 Tomas Mraz 2010-05-27 15:32:23 UTC
You can edit /etc/sysconfig/authconfig FORCELEGACY=yes.
Then you can rerun the authconfig and it should use pam_ldap instead of pam_sss.


Note You need to log in before you can comment on or make changes to this bug.