Bug 58765 - nss_ldap broken by openldap-2.0.21 update
Summary: nss_ldap broken by openldap-2.0.21 update
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: nss_ldap   
(Show other bugs)
Version: 7.2
Hardware: i386
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Nalin Dahyabhai
QA Contact: Aaron Brown
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2002-01-24 06:59 UTC by Ian Prowell
Modified: 2007-04-18 16:39 UTC (History)
1 user (show)

Fixed In Version: FC5
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2006-08-07 23:30:20 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Ian Prowell 2002-01-24 06:59:09 UTC 
Description of Problem:


Version-Release number of selected component (if applicable):
172-2

How Reproducible:
Easy

Steps to Reproduce:
1. Setup LDAP authentication using SSL
2. Upgrade OpenLDAP to openldap 2.0.21
3. Restart slapd
4. Try to log in

Actual Results:
Cannot log in.

Expected Results:
Should be able to log in.

Additional Information:
A recompile and reinstall of nss_ldap 172-2 source RPM fixed the problem
Comment 1 Ian Prowell 2002-01-24 17:45:31 UTC 
Additionally if the machine is authenticating against itself the host values in
/etc/ldap.conf have to be changed to a fully qualified name.  Specifying
localhost as the ldap host it does not work.
Comment 2 Nalin Dahyabhai 2002-01-25 17:15:10 UTC 
Are you using TLS or SSL to connect to the host?  New versions of libldap
perform the certificate name check, while earlier versions didn't.  The effect
is that the host name you use to connect to the host needs to be the same as the
one in the certificate the server presents to clients.
Comment 3 Ian Prowell 2002-01-25 18:50:46 UTC 
I have setup my nss_ldap using SSL.  Now it makes sense why I had to use the
canonical hostname in /etc/ldap.conf.  What prompted me to recompile nss_ldap
was the following message in /var/log/messages:

Jan 23 16:33:04 blacksun sshd[6379]: pam_ldap: ldap_set_option(LDAP_OPT_X_TLS)
Unknown error

This prevented even machines that were using the canonical hostname in
/etc/ldap.conf from authenticating against the LDAP server using SSL.  Once
nss_ldap was recompiled and reinstalled on client machines authentication worked
fine.
Comment 4 Nalin Dahyabhai 2002-01-25 19:14:30 UTC 
Odd.  That should have actually worked better (the older libraries would give
you an unknown option error, IIRC).
Comment 5 Bill Nottingham 2006-08-07 20:03:49 UTC 
Red Hat Linux is no longer supported by Red Hat, Inc. If you are still
running Red Hat Linux, you are strongly advised to upgrade to a
current Fedora Core release or Red Hat Enterprise Linux or comparable.
Some information on which option may be right for you is available at
http://www.redhat.com/rhel/migrate/redhatlinux/.

Red Hat apologizes that these issues have not been resolved yet. We do
want to make sure that no important bugs slip through the cracks.
Please check if this issue is still present in a current Fedora Core
release. If so, please change the product and version to match, and
check the box indicating that the requested information has been
provided. Note that any bug still open against Red Hat Linux on will be
closed as 'CANTFIX' on September 30, 2006. Thanks again for your help.
Comment 6 Ian Prowell 2006-08-07 22:57:00 UTC 
In Fedora Core you are now prompted to copy the remote ldap servers public cert
to the client machine when using system-config-auth.  SSL is now much better
supported by default.
Comment 7 Bill Nottingham 2006-08-07 23:30:20 UTC 
OK, closing.
Note You need to log in before you can comment on or make changes to this bug.