Description of Problem: Version-Release number of selected component (if applicable): 172-2 How Reproducible: Easy Steps to Reproduce: 1. Setup LDAP authentication using SSL 2. Upgrade OpenLDAP to openldap 2.0.21 3. Restart slapd 4. Try to log in Actual Results: Cannot log in. Expected Results: Should be able to log in. Additional Information: A recompile and reinstall of nss_ldap 172-2 source RPM fixed the problem
Additionally if the machine is authenticating against itself the host values in /etc/ldap.conf have to be changed to a fully qualified name. Specifying localhost as the ldap host it does not work.
Are you using TLS or SSL to connect to the host? New versions of libldap perform the certificate name check, while earlier versions didn't. The effect is that the host name you use to connect to the host needs to be the same as the one in the certificate the server presents to clients.
I have setup my nss_ldap using SSL. Now it makes sense why I had to use the canonical hostname in /etc/ldap.conf. What prompted me to recompile nss_ldap was the following message in /var/log/messages: Jan 23 16:33:04 blacksun sshd[6379]: pam_ldap: ldap_set_option(LDAP_OPT_X_TLS) Unknown error This prevented even machines that were using the canonical hostname in /etc/ldap.conf from authenticating against the LDAP server using SSL. Once nss_ldap was recompiled and reinstalled on client machines authentication worked fine.
Odd. That should have actually worked better (the older libraries would give you an unknown option error, IIRC).
Red Hat Linux is no longer supported by Red Hat, Inc. If you are still running Red Hat Linux, you are strongly advised to upgrade to a current Fedora Core release or Red Hat Enterprise Linux or comparable. Some information on which option may be right for you is available at http://www.redhat.com/rhel/migrate/redhatlinux/. Red Hat apologizes that these issues have not been resolved yet. We do want to make sure that no important bugs slip through the cracks. Please check if this issue is still present in a current Fedora Core release. If so, please change the product and version to match, and check the box indicating that the requested information has been provided. Note that any bug still open against Red Hat Linux on will be closed as 'CANTFIX' on September 30, 2006. Thanks again for your help.
In Fedora Core you are now prompted to copy the remote ldap servers public cert to the client machine when using system-config-auth. SSL is now much better supported by default.
OK, closing.