Bug 760856 - nss-pam-ldapd does not work with certificates in an NSS db
Summary: nss-pam-ldapd does not work with certificates in an NSS db
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: nss-pam-ldapd
Version: 6.2
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Nalin Dahyabhai
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2011-12-07 07:10 UTC by David Spurek
Modified: 2015-11-10 09:30 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-10-19 12:06:03 UTC
Target Upstream Version:


Attachments (Terms of Use)
reproduce test (7.73 KB, application/x-gzip)
2011-12-07 07:11 UTC, David Spurek

Description David Spurek 2011-12-07 07:10:30 UTC
Description of problem:
nss-pam-ldapd does not work with certificates in an NSS db. /etc/nslcd.conf is set up with tls_cacertdir /tmp/pam_ldap-nssdb instead of the typical tls_cacertdir /etc/openldap/cacerts (using OpenSSL).

Version-Release number of selected component (if applicable):
nss-pam-ldapd-0.7.5-14

How reproducible:
always

Steps to Reproduce:
Run the script in the attachment (tls.sh from script.tar.gz) or do these steps:

1. create an NSS db and put the CA certificate into it
mkdir /tmp/pam_ldap-nssdb && certutil -d /tmp/pam_ldap-nssdb -A -n 'CA cert' -t CT,, -a -i cacert.pem

2.authconfig --enableldap --enableldaptls --enableldapauth --updateall \
  --ldapbasedn dc=my-domain,dc=com --ldapserver ldap://my-domain.com

3. set up /etc/nslcd.conf with:

ssl start_tls
tls_reqcert demand
tls_cacertdir /tmp/pam_ldap-nssdb
binddn cn=Manager,dc=my-domain,dc=com
bindpw x
service nslcd restart & sleep 5

4. set up pam_ldap with sslpath instead of tls_cacertdir in /etc/pam_ldap

sslpath /tmp/pam_ldap-nssdb

5. run getent passwd ldapuser
  
Actual results:
fail

Expected results:
pass with 
ldapuser:{SSHA}A41wdK4LTqBbyqqeWxHARusxQClMYwTy:1001:1000:ldapuser:/home/ldapuser:/bin/bash

Additional info:
ldapsearch with the NSS db and using TLS works (ldapsearch -H ldap://my-domain.com -x -ZZ '*')

getent passwd ldapuser works after changing /etc/nslcd.conf to tls_cacertdir /etc/openldap/cacerts/ and service nslcd restart
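The two setups compared in this report differ only in what kind of CA store tls_cacertdir names: an NSS database (cert8.db) that fails for nslcd, or the OpenSSL-style /etc/openldap/cacerts directory that works. The following is an added configuration check, not part of the report or of nss-pam-ldapd; it parses an nslcd.conf-style text, classifies the tls_cacertdir directory, and flags a verification-demanding TLS setup whose CA store is not an OpenSSL-style directory. The sample directories it builds are constructed with tempfile.

```python
"""Added check (not nslcd's own code): what kind of CA store does the
tls_cacertdir in an nslcd.conf point at, and does that match tls_reqcert?"""
import os
import re
import tempfile

HASH_LINK = re.compile(r"^[0-9a-f]{8}\.r?\d+$")  # c_rehash link name, e.g. 1a2b3c4d.0

def parse_nslcd_conf(text):
    """'option value' per line, '#' starts a comment, last occurrence wins."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            parts = line.split(None, 1)
            opts[parts[0]] = parts[1] if len(parts) > 1 else ""
    return opts

def cacertdir_kind(path):
    """'missing', 'nss' (cert8.db/cert9.db), 'openssl' (PEM or hash links) or 'empty'."""
    if not os.path.isdir(path):
        return "missing"
    names = os.listdir(path)
    if "cert8.db" in names or "cert9.db" in names:
        return "nss"
    if any(n.endswith((".pem", ".crt")) or HASH_LINK.match(n) for n in names):
        return "openssl"
    return "empty"

def check_tls_config(text):
    """Findings for a config that demands server certificate verification."""
    opts = parse_nslcd_conf(text)
    findings = []
    if opts.get("ssl") in ("on", "start_tls") and opts.get("tls_reqcert") in ("demand", "hard"):
        cadir = opts.get("tls_cacertdir")
        if cadir is None and "tls_cacertfile" not in opts:
            findings.append("tls_reqcert %s but no CA store configured" % opts["tls_reqcert"])
        elif cadir is not None:
            kind = cacertdir_kind(cadir)
            if kind != "openssl":
                findings.append("tls_cacertdir %s is %s" % (cadir, kind))
    return findings

def demo():
    """Constructed sample: NSS-db dir (failing setup here) vs. OpenSSL-style dir."""
    nss_dir, ssl_dir = tempfile.mkdtemp(), tempfile.mkdtemp()
    open(os.path.join(nss_dir, "cert8.db"), "w").close()
    open(os.path.join(ssl_dir, "cacert.pem"), "w").close()
    base = "ssl start_tls\ntls_reqcert demand\ntls_cacertdir %s\nbinddn cn=Manager,dc=my-domain,dc=com\n"
    return check_tls_config(base % nss_dir), check_tls_config(base % ssl_dir)
```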

Comment 1 David Spurek 2011-12-07 07:11:23 UTC
Created attachment 541741 [details]
reproduce test

Comment 2 Jakub Hrozek 2011-12-07 09:25:49 UTC
From the OpenLDAP library's perspective, all we should do is set the CACERTDIR to where the NSS database is; that's what ldapsearch does as well. It indeed seems like an nss-pam-ldapd bug at first sight, although I still need to do more investigation.

Comment 4 Suzanne Logcher 2012-02-14 23:23:11 UTC
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated
in the current release, Red Hat is unfortunately unable to
address this request at this time. Red Hat invites you to
ask your support representative to propose this request, if
appropriate and relevant, in the next release of Red Hat
Enterprise Linux. If you would like it considered as an
exception in the current release, please ask your support
representative.

Comment 5 Karel Srot 2012-07-30 13:57:26 UTC
Hi David,
Could it be because of SELinux? /tmp/ is not a common place for certificates.

Comment 6 David Spurek 2012-07-31 06:52:17 UTC
Hi Karel,
I think that it is not because of SELinux. I haven't seen any AVC messages.

In /var/log/messages there is:

Jul 31 02:45:31 rhel62 nslcd[3280]: [8b4567] failed to bind to LDAP server ldap://my-domain.com: Connect error
Jul 31 02:45:31 rhel62 nslcd[3280]: [8b4567] no available LDAP server found


In /var/log/slapd.log I see:

Jul 31 02:45:31 rhel62 slapd[3118]: slap_listener_activate(7): 
Jul 31 02:45:31 rhel62 slapd[3118]: slap_listener_activate(7): 
Jul 31 02:45:31 rhel62 slapd[3118]: >>> slap_listener(ldap:///)
Jul 31 02:45:31 rhel62 slapd[3118]: >>> slap_listener(ldap:///)
Jul 31 02:45:31 rhel62 slapd[3118]: conn=1010 fd=14 ACCEPT from IP=127.0.0.1:50861 (IP=0.0.0.0:389)
Jul 31 02:45:31 rhel62 slapd[3118]: conn=1010 fd=14 ACCEPT from IP=127.0.0.1:50861 (IP=0.0.0.0:389)
Jul 31 02:45:31 rhel62 slapd[3118]: connection_get(14): got connid=1010
Jul 31 02:45:31 rhel62 slapd[3118]: connection_get(14): got connid=1010
Jul 31 02:45:31 rhel62 slapd[3118]: connection_read(14): checking for input on id=1010
Jul 31 02:45:31 rhel62 slapd[3118]: connection_read(14): checking for input on id=1010
Jul 31 02:45:31 rhel62 slapd[3118]: op tag 0x77, time 1343717131
Jul 31 02:45:31 rhel62 slapd[3118]: op tag 0x77, time 1343717131
Jul 31 02:45:31 rhel62 slapd[3118]: conn=1010 op=0 do_extended
Jul 31 02:45:31 rhel62 slapd[3118]: conn=1010 op=0 do_extended
Jul 31 02:45:31 rhel62 slapd[3118]: conn=1010 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Jul 31 02:45:31 rhel62 slapd[3118]: conn=1010 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Jul 31 02:45:31 rhel62 slapd[3118]: conn=1010 op=0 STARTTLS
Jul 31 02:45:31 rhel62 slapd[3118]: conn=1010 op=0 STARTTLS
Jul 31 02:45:31 rhel62 slapd[3118]: send_ldap_extended: err=0 oid= len=0
Jul 31 02:45:31 rhel62 slapd[3118]: send_ldap_extended: err=0 oid= len=0
Jul 31 02:45:31 rhel62 slapd[3118]: send_ldap_response: msgid=1 tag=120 err=0
Jul 31 02:45:31 rhel62 slapd[3118]: send_ldap_response: msgid=1 tag=120 err=0
Jul 31 02:45:31 rhel62 slapd[3118]: conn=1010 op=0 RESULT oid= err=0 text=
Jul 31 02:45:31 rhel62 slapd[3118]: conn=1010 op=0 RESULT oid= err=0 text=
Jul 31 02:45:31 rhel62 slapd[3118]: connection_get(14): got connid=1010
Jul 31 02:45:31 rhel62 slapd[3118]: connection_get(14): got connid=1010
Jul 31 02:45:31 rhel62 slapd[3118]: connection_read(14): checking for input on id=1010
Jul 31 02:45:31 rhel62 slapd[3118]: connection_read(14): checking for input on id=1010
Jul 31 02:45:31 rhel62 slapd[3118]: connection_get(14): got connid=1010
Jul 31 02:45:31 rhel62 slapd[3118]: connection_get(14): got connid=1010
Jul 31 02:45:31 rhel62 slapd[3118]: connection_read(14): checking for input on id=1010
Jul 31 02:45:31 rhel62 slapd[3118]: connection_read(14): checking for input on id=1010
Jul 31 02:45:31 rhel62 slapd[3118]: connection_read(14): TLS accept failure error=-1 id=1010, closing
Jul 31 02:45:31 rhel62 slapd[3118]: connection_read(14): TLS accept failure error=-1 id=1010, closing
Jul 31 02:45:31 rhel62 slapd[3118]: connection_close: conn=1010 sd=14
Jul 31 02:45:31 rhel62 slapd[3118]: connection_close: conn=1010 sd=14
Jul 31 02:45:31 rhel62 slapd[3118]: conn=1010 fd=14 closed (TLS negotiation failure)
Jul 31 02:45:31 rhel62 slapd[3118]: conn=1010 fd=14 closed (TLS negotiation failure)
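The nslcd side only reports a generic "Connect error"; the server log above is what shows that the connection got as far as STARTTLS and then died in TLS negotiation. The following is an added detection helper, not from the report: it groups slapd syslog lines by conn= id and reports every connection that issued STARTTLS and was then closed with a TLS-related reason, together with the peer address from its ACCEPT line. The sample lines are constructed in the shape of the log above; conn 1010 mirrors the failing connection here, conn 1011 is an added successful one.

```python
"""Added detection helper (not from the report): correlate slapd syslog
lines per connection so a client's bare 'Connect error' can be traced
to a server-side StartTLS failure and the peer that triggered it."""
import re

CONN_RE = re.compile(r"slapd\[\d+\]: conn=(\d+) (.*)$")

def starttls_failures(lines):
    """Return {conn_id: (peer, close_reason)} for every connection that
    issued STARTTLS and was then closed with a TLS-related reason."""
    peers, started, failed = {}, set(), {}
    for line in lines:
        m = CONN_RE.search(line.rstrip())
        if not m:
            continue  # connection_read()/listener chatter carries no conn= field
        conn, rest = m.groups()
        accept = re.search(r"ACCEPT from IP=(\S+)", rest)
        if accept:
            peers[conn] = accept.group(1)
        elif rest.endswith("STARTTLS"):
            started.add(conn)
        close = re.search(r"closed \((.*)\)$", rest)
        if close and conn in started and "TLS" in close.group(1):
            failed[conn] = (peers.get(conn, "?"), close.group(1))
    return failed

# Constructed sample in the shape of the slapd log quoted above: conn 1010 is
# the failing StartTLS from the report, conn 1011 is an added successful one.
SAMPLE = """\
Jul 31 02:45:31 rhel62 slapd[3118]: conn=1010 fd=14 ACCEPT from IP=127.0.0.1:50861 (IP=0.0.0.0:389)
Jul 31 02:45:31 rhel62 slapd[3118]: conn=1010 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Jul 31 02:45:31 rhel62 slapd[3118]: conn=1010 op=0 STARTTLS
Jul 31 02:45:31 rhel62 slapd[3118]: conn=1010 op=0 RESULT oid= err=0 text=
Jul 31 02:45:31 rhel62 slapd[3118]: connection_read(14): TLS accept failure error=-1 id=1010, closing
Jul 31 02:45:31 rhel62 slapd[3118]: conn=1010 fd=14 closed (TLS negotiation failure)
Jul 31 02:45:40 rhel62 slapd[3118]: conn=1011 fd=15 ACCEPT from IP=127.0.0.1:50870 (IP=0.0.0.0:389)
Jul 31 02:45:40 rhel62 slapd[3118]: conn=1011 op=0 STARTTLS
Jul 31 02:45:40 rhel62 slapd[3118]: conn=1011 op=1 BIND dn="cn=Manager,dc=my-domain,dc=com" method=128
Jul 31 02:45:41 rhel62 slapd[3118]: conn=1011 fd=15 closed
""".splitlines()

def demo():
    return starttls_failures(SAMPLE)
```

Because the result is keyed by connection id, the doubled lines seen in the quoted log (each entry logged twice) do not produce duplicate findings.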

Comment 8 RHEL Program Management 2013-10-14 00:53:16 UTC
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated
in the current release, Red Hat is unable to address this
request at this time.

Red Hat invites you to ask your support representative to
propose this request, if appropriate, in the next release of
Red Hat Enterprise Linux.

