Bug ID: 6541095
Synopsis: login denied when CA is expired and authentication method is set to "NS_LDAP_AUTH=tls:simple;simple"
State: 10-Fix Delivered (Fix available in build)
Category:Subcategory: ldap:switch
Keywords: AuthenticationMethod | CA | denied | expired | login | rtiq_regression | tls:simple
Responsible Engineer: Milan Jurik
Reported Against:
Duplicate Of:
Introduced In: solaris_nevada
Commit to Fix: snv_67
Fixed In: snv_67
Release Fixed: solaris_nevada(snv_67), solaris_10u5(s10u5_06) (Bug ID:2156072)
Related Bugs: 6237466
Submit Date: 30-March-2007
Last Update Date: 20-June-2007

Description

Native LDAP clients that use pam_ldap to authenticate users deny those users login access when the CA certificate is expired but the authentication method in the profile is set to "NS_LDAP_AUTH= tls:simple;simple". Since multiple authentication methods may be specified, the expectation is that if the first method fails the client fails over to the next method listed. In this case it should fail over to simple authentication and authenticate the user. See the comment section for a test case.
The proxyagent bind fails with TLS and does fail over to simple, which works. The problem is that pam_ldap never tries to bind as the user with simple authentication.

Work Around

Add a "serviceAuthenticationMethod" attribute to the profile so that pam_ldap uses only simple authentication. This workaround will allow users to log in.
ex.
serviceAuthenticationMethod: pam_ldap:simple

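To make the two profile attributes involved here concrete, the following Python model (an added example, not code from this bug record or from pam_ldap) parses LDIF-style profile lines, applies the precedence of serviceAuthenticationMethod over authenticationMethod, and runs the fail-over the report expects across the "tls:simple;simple" list. The bind itself is a constructed stand-in: TLS methods succeed only with a trusted CA, plain simple bind needs only the password.

```python
# Added example (not from the bug record): models how an LDAP client profile
# selects bind methods for a service and the fail-over the report expects.
# Attribute names are the ones on this page; the bind simulation is an assumption.
from typing import Callable, Dict, List, Optional

def parse_profile(ldif: str) -> Dict[str, List[str]]:
    """Collect LDIF-style 'attr: value' lines into attr -> [values]."""
    attrs: Dict[str, List[str]] = {}
    for line in ldif.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, value = line.split(":", 1)
        attrs.setdefault(name.strip(), []).append(value.strip())
    return attrs

def methods_for_service(attrs: Dict[str, List[str]], service: str) -> List[str]:
    """Ordered bind methods for one service. A serviceAuthenticationMethod
    entry for that service overrides authenticationMethod (the page's workaround).
    A method itself may contain ':' (tls:simple), so split on the first ':' only."""
    for entry in attrs.get("serviceAuthenticationMethod", []):
        svc, _, methods = entry.partition(":")
        if svc.strip() == service:
            return [m.strip() for m in methods.split(";") if m.strip()]
    default = attrs.get("authenticationMethod", ["none"])[0]
    return [m.strip() for m in default.split(";") if m.strip()]

def bind_with_failover(methods: List[str], try_bind: Callable[[str], bool]) -> Optional[str]:
    """Expected semantics: try each method in order; return the first that binds."""
    for method in methods:
        if try_bind(method):
            return method
    return None

def make_binder(ca_valid: bool, password_ok: bool = True) -> Callable[[str], bool]:
    """Constructed stand-in for a directory bind: tls:* needs a trusted CA,
    plain simple bind needs only the password (sent in clear)."""
    def try_bind(method: str) -> bool:
        if method.startswith("tls:"):
            return ca_valid and password_ok
        return method == "simple" and password_ok
    return try_bind

# Constructed profile as in the report, and the same profile with the workaround.
PROFILE = "authenticationMethod: tls:simple;simple\n"
PROFILE_WORKAROUND = PROFILE + "serviceAuthenticationMethod: pam_ldap:simple\n"
```

Note that the workaround drops TLS for pam_ldap binds entirely, so the user's password crosses the network in clear unless the transport is otherwise protected; renewing the expired CA certificate restores the intended tls:simple path.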
Comments

N/A