Red Hat Bugzilla – Bug 58765
nss_ldap broken by openldap-2.0.21 update
Last modified: 2007-04-18 12:39:10 EDT
Description of Problem:
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Setup LDAP authentication using SSL
2. Upgrade OpenLDAP to openldap 2.0.21
3. Restart slapd
4. Try to log in
Cannot log in.
Should be able to log in.
A recompile and reinstall of nss_ldap 172-2 source RPM fixed the problem
Additionally if the machine is authenticating against itself the host values in
/etc/ldap.conf have to be changed to a fully qualified name. Specifying
localhost as the ldap host it does not work.
Are you using TLS or SSL to connect to the host? New versions of libldap
perform the certificate name check, while earlier versions didn't. The effect
is that the host name you use to connect to the host needs to be the same as the
one in the certificate the server presents to clients.
I have setup my nss_ldap using SSL. Now it makes sense why I had to use the
canonical hostname in /etc/ldap.conf. What prompted me to recompile nss_ldap
was the following message in /var/log/messages:
Jan 23 16:33:04 blacksun sshd: pam_ldap: ldap_set_option(LDAP_OPT_X_TLS)
This prevented even machines that were using the canonical hostname in
/etc/ldap.conf from authenticating against the LDAP server using SSL. Once
nss_ldap was recompiled and reinstalled on client machines authentication worked
Odd. That should have actually worked better (the older libraries would give
you an unknown option error, IIRC).
Red Hat Linux is no longer supported by Red Hat, Inc. If you are still
running Red Hat Linux, you are strongly advised to upgrade to a
current Fedora Core release or Red Hat Enterprise Linux or comparable.
Some information on which option may be right for you is available at
Red Hat apologizes that these issues have not been resolved yet. We do
want to make sure that no important bugs slip through the cracks.
Please check if this issue is still present in a current Fedora Core
release. If so, please change the product and version to match, and
check the box indicating that the requested information has been
provided. Note that any bug still open against Red Hat Linux on will be
closed as 'CANTFIX' on September 30, 2006. Thanks again for your help.
In Fedora Core you are now prompted to copy the remote ldap servers public cert
to the client machine when using system-config-auth. SSL is now much better
supported by default.