Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.

Bug 154805

Summary: getent works but /bin/su - username fails when nss_ldap is configured to utilize SSL with and OpenLDAP server
Product: [Fedora] Fedora Reporter: Jon Thompson <jonathan.thompson>
Component: nss_ldapAssignee: Nalin Dahyabhai <nalin>
Severity: medium Docs Contact:
Priority: medium    
Version: 3CC: mattdm, oliver
Target Milestone: ---   
Target Release: ---   
Hardware: i386   
OS: Linux   
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-02-07 15:40:33 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Jon Thompson 2005-04-14 10:54:56 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0

Description of problem:
When I have nss_ldap configured to use clear text both getent and /bin/su - allow me to see the users or login as the user.  However, whenever I change the configuration to use SSL with my OpenLDAP server getent continues to work, but /bin/su - returns incorrect password and normal login for LDAP-based users fails.  The log files report and inablility to bind to the LDAP server:  "pam_ldap: ldap_simple_bind Can't contact LDAP server"  From another post I have tried upgrading to the latest nss_ldap available in the development tree and that does not work either. Actually, that breaks both getent and login.  However, it works correctly in RHEL3 and not in CentOS 4.0.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. system-config-authentication; use ldap for both user info and auth - no MD5
2. configure /etc/ldap.conf to use openldap ssl (ssl on) and port 636
3. /bin/su - username

Actual Results:  su: incorrect password

Expected Results:  It shoudl have logged me in as the user

Additional info:

Comment 1 Oliver Schulze L. 2005-09-22 08:23:28 UTC
Have you configured correctly openldap ssl certificates?
Is openldap running after executing authconfig?
Please run 'service ldap restart' twice and check that no error is reported

Comment 2 Matthew Miller 2006-07-10 20:27:25 UTC
Fedora Core 3 is now maintained by the Fedora Legacy project for security
updates only. If this problem is a security issue, please reopen and
reassign to the Fedora Legacy product. If it is not a security issue and
hasn't been resolved in the current FC5 updates or in the FC6 test
release, reopen and change the version to match.

Thank you!

Comment 3 petrosyan 2008-02-07 15:40:33 UTC
Fedora Core 3 is not maintained anymore.

Setting status to "INSUFFICIENT_DATA". If you can reproduce this bug in the
current Fedora release, please reopen this bug and assign it to the
corresponding Fedora version.