Created attachment 609499
sealert explaining that useradd cannot connect to the ldap port

Description of problem:
ldap is configured
useradd appears to "hang", but merely takes a very long time before giving up

Version-Release number of selected component (if applicable):
shadow-utils-4.1.4.3-13.fc16.i686
selinux-policy-3.10.0-91.fc16.noarch

How reproducible:
very

Steps to Reproduce:
1. set up ldap, on the current host
2. sudo groupadd -g 999 anyname
3. sudo useradd -g anyname anyname
4. wait five minutes
5. done (tail /etc/passwd)

Actual results:
after a delay of ~5 min the user is created.

Expected results:
the local user 'anyname' should be created quickly or disapproved quickly.

Additional info:
tcpdump shows that no traffic is occurring to port ldap (389) or ldaps (636)

/var/log/messages indicates selinux issues:

ges. run sealert -l b8f9d9a8-7721-4595-9566-3daabe995c49
Sep 3 18:16:38 wrinklie setroubleshoot: SELinux is preventing /usr/sbin/useradd from name_connect access on the tcp_socket . For complete SELinux messages. run sealert -l b8f9d9a8-7721-4595-9566-3daabe995c49
Sep 3 18:16:38 wrinklie setroubleshoot: SELinux is preventing /usr/sbin/useradd from name_connect access on the tcp_socket . For complete SELinux messages. run sealert -l b8f9d9a8-7721-4595-9566-3daabe995c49
Sep 3 18:16:42 wrinklie setroubleshoot: SELinux is preventing /usr/sbin/useradd from name_connect access on the tcp_socket . For complete SELinux messages. run sealert -l b8f9d9a8-7721-4595-9566-3daabe995c49
Sep 3 18:16:50 wrinklie setroubleshoot: SELinux is preventing /usr/sbin/useradd from name_connect access on the tcp_socket . For complete SELinux messages. run sealert -l b8f9d9a8-7721-4595-9566-3daabe995c49
Sep 3 18:17:06 wrinklie setroubleshoot: SELinux is preventing /usr/sbin/useradd from name_connect access on the tcp_socket . For complete SELinux messages. run sealert -l b8f9d9a8-7721-4595-9566-3daabe995c49

The sealert output is included nearby.
Related issues which don't quite seem relevant are (were):

466794 useradd -r loops when talking to ldap server CLOSED WONTFIX
511813 useradd -r loops when talking to ldap server CLOSED ERRATA
And the alert tells you what to do.

#This avc can be allowed using one of the these booleans:
# authlogin_nsswitch_use_ldap, allow_ypbind

If you execute in your terminal
# setsebool -P authlogin_nsswitch_use_ldap 1
will allow it.
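An added triage helper, not part of this bug report or of shadow-utils/setroubleshoot: it parses AVC records in auditd's native format, picks out the exact pattern reported above (useradd denied name_connect on a tcp_socket) and emits the persistent boolean fix named in the comment above. The sample audit records are constructed for illustration; the timestamps, pids and contexts are assumptions.

```python
import re

# AVC record: "avc:  denied  { perm ... } for  key=value key="value" ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the AVC record's fields as a dict, or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec['perms'] = m.group('perms').split()
    return rec

def is_useradd_ldap_denial(rec):
    """The symptom from this bug: useradd blocked from opening a TCP connection."""
    return (rec is not None
            and rec.get('comm') == 'useradd'
            and rec.get('tclass') == 'tcp_socket'
            and 'name_connect' in rec['perms'])

def triage(lines):
    """Count matching denials; return (count, fix command or None)."""
    hits = [r for r in map(parse_avc, lines) if is_useradd_ldap_denial(r)]
    if not hits:
        return 0, None
    # The boolean the maintainer pointed at; -P makes the change persistent.
    return len(hits), 'setsebool -P authlogin_nsswitch_use_ldap 1'

# Constructed sample records in audit.log format (not taken from the report).
SAMPLE = [
    'type=AVC msg=audit(1315073798.123:412): avc:  denied  { name_connect } for  pid=2417 comm="useradd" dest=389 scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket',
    'type=AVC msg=audit(1315073802.456:413): avc:  denied  { name_connect } for  pid=2417 comm="useradd" dest=636 scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket',
    'type=AVC msg=audit(1315073810.789:414): avc:  denied  { read } for  pid=2500 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1315073798.123:412): arch=40000003 syscall=102 success=no exit=-13 comm="useradd" exe="/usr/sbin/useradd"',
]

if __name__ == '__main__':
    count, fix = triage(SAMPLE)
    print(f'{count} useradd name_connect denial(s); fix: {fix}')
```

Run it against a real log with `triage(open('/var/log/audit/audit.log'))`; the SYSCALL and unrelated AVC lines are ignored, so only the pattern from this bug triggers the suggestion.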