Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 58765

Summary: nss_ldap broken by openldap-2.0.21 update
Product: [Retired] Red Hat Linux Reporter: Ian Prowell <rhbug>
Component: nss_ldapAssignee: Nalin Dahyabhai <nalin>
Status: CLOSED CURRENTRELEASE QA Contact: Aaron Brown <abrown>
Severity: medium Docs Contact:
Priority: medium    
Version: 7.2CC: notting
Target Milestone: ---   
Target Release: ---   
Hardware: i386   
OS: Linux   
Whiteboard:
Fixed In Version: FC5 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2006-08-07 23:30:20 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Ian Prowell 2002-01-24 06:59:09 UTC 
Description of Problem:


Version-Release number of selected component (if applicable):
172-2

How Reproducible:
Easy

Steps to Reproduce:
1. Setup LDAP authentication using SSL
2. Upgrade OpenLDAP to openldap 2.0.21
3. Restart slapd
4. Try to log in

Actual Results:
Cannot log in.

Expected Results:
Should be able to log in.

Additional Information:
A recompile and reinstall of nss_ldap 172-2 source RPM fixed the problem
Comment 1 Ian Prowell 2002-01-24 17:45:31 UTC 
Additionally if the machine is authenticating against itself the host values in
/etc/ldap.conf have to be changed to a fully qualified name.  Specifying
localhost as the ldap host it does not work.
Comment 2 Nalin Dahyabhai 2002-01-25 17:15:10 UTC 
Are you using TLS or SSL to connect to the host?  New versions of libldap
perform the certificate name check, while earlier versions didn't.  The effect
is that the host name you use to connect to the host needs to be the same as the
one in the certificate the server presents to clients.
Comment 3 Ian Prowell 2002-01-25 18:50:46 UTC 
I have setup my nss_ldap using SSL.  Now it makes sense why I had to use the
canonical hostname in /etc/ldap.conf.  What prompted me to recompile nss_ldap
was the following message in /var/log/messages:

Jan 23 16:33:04 blacksun sshd[6379]: pam_ldap: ldap_set_option(LDAP_OPT_X_TLS)
Unknown error

This prevented even machines that were using the canonical hostname in
/etc/ldap.conf from authenticating against the LDAP server using SSL.  Once
nss_ldap was recompiled and reinstalled on client machines authentication worked
fine.
Comment 4 Nalin Dahyabhai 2002-01-25 19:14:30 UTC 
Odd.  That should have actually worked better (the older libraries would give
you an unknown option error, IIRC).
Comment 5 Bill Nottingham 2006-08-07 20:03:49 UTC 
Red Hat Linux is no longer supported by Red Hat, Inc. If you are still
running Red Hat Linux, you are strongly advised to upgrade to a
current Fedora Core release or Red Hat Enterprise Linux or comparable.
Some information on which option may be right for you is available at
http://www.redhat.com/rhel/migrate/redhatlinux/.

Red Hat apologizes that these issues have not been resolved yet. We do
want to make sure that no important bugs slip through the cracks.
Please check if this issue is still present in a current Fedora Core
release. If so, please change the product and version to match, and
check the box indicating that the requested information has been
provided. Note that any bug still open against Red Hat Linux on will be
closed as 'CANTFIX' on September 30, 2006. Thanks again for your help.
Comment 6 Ian Prowell 2006-08-07 22:57:00 UTC 
In Fedora Core you are now prompted to copy the remote ldap servers public cert
to the client machine when using system-config-auth.  SSL is now much better
supported by default.
Comment 7 Bill Nottingham 2006-08-07 23:30:20 UTC 
OK, closing.