Bug 582703 - unable to setup LDAP server with ldap
unable to setup LDAP server with ldap
Product: Fedora
Classification: Fedora
Component: authconfig (Show other bugs)
x86_64 Linux
low Severity medium
: ---
: ---
Assigned To: Tomas Mraz
Fedora Extras Quality Assurance
Depends On:
  Show dependency treegraph
Reported: 2010-04-15 11:38 EDT by Peter Bojtos
Modified: 2010-05-27 11:32 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2010-04-15 11:46:15 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Peter Bojtos 2010-04-15 11:38:57 EDT
Description of problem:
We have been using LDAP server without TLS for authenticating our users for a long time successfully. Now system-config-authentication needs TLS or ldaps.

Version-Release number of selected component (if applicable):

How reproducible:
setup an LDAP server without security

Steps to Reproduce:
1. run system-config-authentication
2. setup an LDAP server with ldap (and not ldaps) without checking TLS
3. setup Authentication Method: LDAP password
Actual results:
system-config-authentication tell: "You must provide ldaps:// server address or use TLS for LDAP…"

Expected results:
I want to be able to use LDAP accounts without TLS or ldaps.

Additional info:
Comment 1 Tomas Mraz 2010-04-15 11:46:15 EDT
This practice is insecure although I can understand that on internal networks with low security requirements it might be acceptable. We use SSSD instead of the pam_ldap for authentication now though and SSSD does not support LDAP authentication against non-tls/ldaps servers.

You can still use the command line UI for that if you use the --disablesssd --disablesssdauth options.
Comment 2 Peter Bojtos 2010-05-27 11:17:45 EDT
We've tried to use the authconfig-tui tool to set up the LDAP authentication server, but it still doesn't work. The /var/log/secure tells 

May 27 17:06:49 dirac sshd[25386]: pam_sss(sshd:auth): received for user ptr: 4 (System error)

So it seems, that the LDAP server is reachable and it starts to query the informations about the user, but it fails.

PS. The authconfig-tui accepts the LDAP server without ssl/tls when I don't use 
--disablesssd --disablesssdauth options.
Comment 3 Tomas Mraz 2010-05-27 11:32:23 EDT
You can edit /etc/sysconfig/authconfig FORCELEGACY=yes.
Then you can rerun the authconfig and it should use pam_ldap instead of pam_sss.

Note You need to log in before you can comment on or make changes to this bug.