Created attachment 486124
Reproducer

Description of problem:
When SSL/TLS is enabled in nss-pam-ldapd and the nslcd service is not started in debug mode (i.e. with option -d), then SSL/TLS does not work. In debug mode it works fine.

Version-Release number of selected component (if applicable):
nss-pam-ldapd-0.7.5-3.el6

How reproducible:

Steps to Reproduce:
1. Install beakerlib
2. Execute the attached test: bash runtest.sh
   + the test will set up slapd listening on both ldap:// and ldaps://
   + configure nss-pam-ldapd to use TLS
   + query the server via getent

Actual results:
Query fails (exit code 2).

Expected results:
Query passes (exit code 0).

Additional info:
If 'service nslcd start' is replaced by '/usr/sbin/nslcd', it still does not work. But if '/usr/sbin/nslcd -d' is used, then the query passes.
Version-Release number of selected component (if applicable): nss-pam-ldapd-0.7.7-1.fc14.i686
The test appears to be setting permissions on the CA certificate (/etc/openldap/cacerts/cacert.pem) to ldap:ldap, 0400. The nslcd service is configured to run as nslcd:ldap, which can't read files with those permissions. A failure to verify the server's certificate with "tls_reqcert demand" should cause the connection attempt to fail. So this appears to be a configuration error.
@Nalin: Not for me, my cacert is 644. Besides, if nslcd is run from the command line it still reads the conf file and switches over to the user defined there. On F16, version nss-pam-ldapd-0.7.13-7.fc16.x86_64 suffers from an identical failure, but it's SELinux's fault.
(In reply to comment #3)
> not for me, my cacert is 644, besides if nslcd ran from command line it still
> reads conf file and switches over to the user defined there

Is this with the F14 package, or the F16 package?

> on f16 version nss-pam-ldapd-0.7.13-7.fc16.x86_64 suffers from identical
> failure but it's SElinux fault

How so?
Please provide AVC messages.
*** Bug 784976 has been marked as a duplicate of this bug. ***
How does the boolean authlogin_nsswitch_use_ldap matter here and to nslcd? Is it explained somewhere among the man pages? It seems like a fix?
authlogin_nsswitch_use_ldap means the getpw call is going directly to ldap, versus using sssd to get to the ldap server. Would nslcd need to contact ldap outside of using getpw calls?
960b0d607692cc34949e439c585955fc5ac46d80 fixes this in Rawhide; it needs to be backported.
No sssd on my F16, and this boolean, when true, indeed fixes the problem with nslcd, although audit2why mentions this one too: allow_ypbind. nslcd itself is a very standard installation/configuration.
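As an added example (not code from this bug report, from nss-pam-ldapd, or from the distribution), the shell snippet below makes the two checks raised in this thread reproducible offline: the permission reasoning in the comment about a CA certificate owned ldap:ldap with mode 0400 versus a service running as nslcd:ldap, and the request for AVC messages that would show whether the non-debug failure is an SELinux denial rather than a file-permission problem. The audit records are constructed samples; the SELinux type names in them (nslcd_t, ldap_port_t) and the function names are assumptions.

```shell
#!/bin/sh
# Added triage helper; not part of the bug report or of nss-pam-ldapd.
# It reproduces offline the two checks raised in the thread:
#  1. can the user nslcd runs as actually read the CA certificate?
#  2. are there SELinux AVC denials for nslcd that would explain a
#     failure which is not a file-permission problem?
# The audit lines below are constructed samples; the domain and type
# names in them (nslcd_t, ldap_port_t) are assumptions.

# unix_can_read MODE OWNER GROUP USER "GROUP LIST"
# Applies the owner/group/other rule the way the kernel does for a
# non-root process: the first class that matches decides, so a 0400
# file owned by ldap:ldap is unreadable to nslcd:ldap even though
# nslcd is in group ldap (the group read bit is clear).
unix_can_read() {
  mode=$1
  owner=$2
  group=$3
  user=$4
  groups=$5
  if [ "$user" = "$owner" ]; then
    bit=$(( (0$mode >> 6) & 4 ))
  elif echo " $groups " | grep -q " $group "; then
    bit=$(( (0$mode >> 3) & 4 ))
  else
    bit=$(( 0$mode & 4 ))
  fi
  if [ "$bit" -ne 0 ]; then echo yes; else echo no; fi
}

# avc_denials_for COMM
# Reads an audit log on stdin and prints one line per AVC denial for
# that command: "<permission(s)> <tclass> <scontext> <tcontext>".
# Non-AVC records and denials for other commands are dropped.
avc_denials_for() {
  comm=$1
  grep 'avc: *denied' | grep "comm=\"$comm\"" |
    sed -n 's/.*denied *{ *\([^}]*[^ }]\) *} .*scontext=\([^ ]*\) *tcontext=\([^ ]*\) *tclass=\([^ ]*\).*/\1 \4 \2 \3/p'
}

# Constructed sample audit log (not from a real system): one denial for
# nslcd connecting to the ldaps port (636 is ldap_port_t in the
# reference policy), one for an unrelated daemon, plus a non-AVC record.
# On a live system the input would come from
#   ausearch -m avc -c nslcd    or    grep avc /var/log/audit/audit.log
SAMPLE_AUDIT=$(cat <<'EOF'
type=SYSCALL msg=audit(1327000000.100:455): arch=c000003e syscall=42 success=no exit=-13 comm="nslcd"
type=AVC msg=audit(1327000000.123:456): avc:  denied  { name_connect } for  pid=1234 comm="nslcd" dest=636 scontext=system_u:system_r:nslcd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1327000000.200:457): avc:  denied  { read } for  pid=2345 comm="sshd" name="foo" dev=dm-0 ino=42 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
EOF
)

# Walk through the configurations discussed in the thread: the test's
# ldap:ldap 0400 certificate, a group-readable variant, and the
# reporter's root-owned 0644 file, then list the nslcd denials.
triage() {
  echo "ldap:ldap 0400 readable by nslcd:ldap -> $(unix_can_read 400 ldap ldap nslcd ldap)"
  echo "ldap:ldap 0640 readable by nslcd:ldap -> $(unix_can_read 640 ldap ldap nslcd ldap)"
  echo "root:root 0644 readable by nslcd:ldap -> $(unix_can_read 644 root root nslcd ldap)"
  echo "AVC denials for nslcd:"
  printf '%s\n' "$SAMPLE_AUDIT" | avc_denials_for nslcd
}

triage
```

If the first check says "no", the "tls_reqcert demand" failure is a plain file-permission problem and no SELinux change is needed; if it says "yes" and the second check still lists a denial in nslcd's confined domain, that is the case where toggling authlogin_nsswitch_use_ldap (checked with getsebool) is the relevant fix.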
Fedora 16 changed to end-of-life (EOL) status on 2013-02-12. Fedora 16 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. Thank you for reporting this bug and we are sorry it could not be fixed.