Bug 186026 - sys-auth/pam_ldap-183 tls setup breaks su
Summary: sys-auth/pam_ldap-183 tls setup breaks su
Status: RESOLVED INVALID
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Core system (show other bugs)
Hardware: All Linux
Importance: High major
Assignee: Gentoo LDAP project
Reported: 2007-07-20 21:07 UTC by Simon Gao
Modified: 2007-09-18 23:22 UTC
Description Simon Gao 2007-07-20 21:07:54 UTC
After setting "ssl start_tls" in /etc/ldap.conf, one can no longer run "su" as root or as an ordinary user. Console login will also fail. 

Remote ssh login as an ordinary user (in the ldap directory) still works. But one can't su to root or any other user. 

Another problem, automount can't get mount maps from LDAP.

Reproducible: Always

Steps to Reproduce:
1. Configure /etc/openldap/slapd.conf by setting "security tls=1" and start slapd. The daemon only listens on the regular ldap port 389.
2. Running "getent passwd|group|shadow" would fail before setting "ssl start_tls". "su" works fine.
3. Now enable "ssl start_tls" and "tls_cacertfile". Install a CA certificate.
4. Run the same commands as in step 2. User/Group information will be pulled from the LDAP server. But can't su anymore, even as the root user. The root user can no longer log in from the console.


Expected Results:  
Before and after enabling "tls" in /etc/ldap.conf, su should work without any issue. 

For a similar setup, CentOS 5.0 does not have this problem.

pam_ldap version:

sys-auth/pam_ldap-183


Gentoo environment:

Portage 2.1.2.9 (default-linux/amd64/2006.1, gcc-4.1.2, glibc-2.5-r4, 2.6.18-xenU x86_64)
=================================================================
System uname: 2.6.18-xenU x86_64 Intel(R) Xeon(TM) CPU 3.00GHz
Gentoo Base System release 1.12.9
Timestamp of tree: Fri, 20 Jul 2007 05:30:10 +0000
dev-lang/python:     2.4.4-r4
dev-python/pycrypto: 2.0.1-r5
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.61
sys-devel/automake:  1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.17
sys-devel/gcc-config: 1.3.16
sys-devel/libtool:   1.5.23b
virtual/os-headers:  2.6.21
ACCEPT_KEYWORDS="amd64"
AUTOCLEAN="yes"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=nocona -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-march=nocona -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="distlocks metadata-transfer sandbox sfperms strict"
GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_EXTRA_OPTS="--exclude-from=/etc/portage/rsync_excludes"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="amd64 berkdb bitmap-fonts cli cracklib crypt cups dri fortran gdbm gpm iconv ipv6 isdnlog libg++ mbox midi mudflap ncurses nls nptl nptlonly openmp pam pcre perl ppds pppd python readline reflection session spl ssl tcpd truetype-fonts type1-fonts unicode xorg zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" USERLAND="GNU" VIDEO_CARDS="apm ark chips cirrus cyrix dummy fbdev glint i128 i810 mach64 mga neomagic nv r128 radeon rendition s3 s3virge savage siliconmotion sis sisusb tdfx tga trident tseng v4l vesa vga via vmware voodoo"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTDIR_OVERLAY
Comment 1 Simon Gao 2007-07-22 07:41:44 UTC
Openldap, pam_ldap and nss_ldap are compiled as follows:

[ebuild   R   ] net-nds/openldap-2.3.35-r1  USE="berkdb crypt debug ipv6 kerberos overlays perl readline samba sasl ssl tcpd -gdbm -minimal -odbc (-selinux) -slp -smbkrb5passwd" 0 kB
[ebuild   R   ] sys-auth/pam_ldap-183  USE="ssl -sasl" 0 kB
[ebuild   R   ] sys-auth/nss_ldap-253  USE="-debug -sasl" 0 kB


/etc/ldap.conf:
================================================================
uri   ldap://ldap1.example.com
base  dc=example,dc=com

ldap_version 3
ssl on
ssl start_tls
tls_cacertfile /etc/openldap/cacerts/cacert.pem

scope sub
bind_policy soft

pam_password exop

nss_base_passwd ou=people,dc=example,dc=com
nss_base_shadow ou=people,dc=example,dc=com
nss_base_group  ou=groups,dc=example,dc=com
====================================================================

When commenting out "ssl on" and "ssl start_tls", su works fine.

Simon
Comment 2 Robin Johnson (archtester, Gentoo Infrastructure, gentoo-dev, Security) 2007-07-24 07:58:05 UTC
Remove 'ssl on' from /etc/ldap.conf
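An added check, not part of this bug or of pam_ldap/nss_ldap, that mechanically catches the contradiction comment 2 points to: "ssl on" asks the client for LDAPS on port 636 while "ssl start_tls" asks for STARTTLS on the plain ldap port, and a file carrying both is the configuration error the bug was closed on. The sample files are constructed to mirror the reporter's /etc/ldap.conf from comment 1; only POSIX sh and awk are assumed.

```shell
#!/bin/sh
# Added example (not from the bug report or the pam_ldap project):
# lint an nss_ldap/pam_ldap style ldap.conf for the "ssl on" +
# "ssl start_tls" mix that comment 2 says to remove. Needs POSIX sh and awk.

# Print every value given to the "ssl" directive, one per line.
# Comment lines never match because their first field starts with '#'.
ssl_values() {
    awk '$1 == "ssl" { print $2 }' "$1"
}

# Return 0 when the file is consistent, 1 when it requests both LDAPS
# ("ssl on", port 636) and STARTTLS ("ssl start_tls", on the plain port).
check_ldap_conf() {
    _has_on=0
    _has_starttls=0
    for _v in $(ssl_values "$1"); do
        case "$_v" in
            on)        _has_on=1 ;;
            start_tls) _has_starttls=1 ;;
        esac
    done
    if [ "$_has_on" -eq 1 ] && [ "$_has_starttls" -eq 1 ]; then
        echo "$1: both 'ssl on' and 'ssl start_tls' are set; keep only one" >&2
        return 1
    fi
    return 0
}

# Constructed sample mirroring the reporter's file from comment 1.
BROKEN=$(mktemp)
cat >"$BROKEN" <<'EOF'
uri   ldap://ldap1.example.com
base  dc=example,dc=com
ssl on
ssl start_tls
tls_cacertfile /etc/openldap/cacerts/cacert.pem
EOF

# The fix from comment 2: drop the "ssl on" line and keep start_tls.
FIXED=$(mktemp)
awk '!($1 == "ssl" && $2 == "on")' "$BROKEN" >"$FIXED"

check_ldap_conf "$BROKEN" || echo "rejected $BROKEN (expected)"
check_ldap_conf "$FIXED" && echo "accepted $FIXED (expected)"
```

Run it against the real /etc/ldap.conf with `check_ldap_conf /etc/ldap.conf` after sourcing the functions; a non-zero exit means the file still mixes the two modes.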
Comment 3 Robin Johnson (archtester, Gentoo Infrastructure, gentoo-dev, Security) 2007-09-18 23:22:15 UTC
No response from user, closing invalid as it is a user configuration error.