RHEL 6 : LDAP BUG Tracking and Known issues for each version

LDAP Known Issues and Bugs

This is a reference document for LDAP administrators looking for the specific bugs and known issues addressed in each RHEL 6 release so far. It gives only a brief overview of each bug or known issue; for the solution and workaround details, refer to the official Red Hat bug tracking report at https://bugzilla.redhat.com.

I have already posted the LDAP configuration procedure in the following posts:

Open LDAP Bugs Fixed in RHEL 6.1

BZ#548475 – move openldap libraries from /usr/lib to /lib
BZ#613966 – Init script is working wrong if database recovery is needed
BZ#616554 – Mozilla NSS – support use of self signed CA certs as server certs
BZ#616558 – Mozilla NSS – delay token auth until needed
BZ#630637 – update list of modules in slapd.conf.bak
BZ#644399 – slapd init script gets stuck in an infinite loop
BZ#652814 – openldap should ignore files not in the openssl c_hash format in cacertdir
BZ#652816 – TLS_CACERTDIR takes precedence over TLS_CACERT
BZ#652817 – crash when TLS_CACERTDIR contains a subdirectory
BZ#652819 – improve SSL/TLS log messages
BZ#652823 – ldapsearch -Z hangs server if starttls fails
BZ#669845 – Default encryption strength dropped in switch to using NSS
BZ#669846 – some server certificates refused with inadequate type error
BZ#671553 – openldap can’t use TLS after a fork()
BZ#678105 – updated openldap breaks build of php-5.3.3-3.el6
BZ#680139 – Add symlinks into /usr/lib*/
BZ#684035 – NULL dereferences in openldap-nss-non-blocking.patch
BZ#685119 – openldap-servers upgrade hangs or does not upgrade the database
BZ#693716 – rpm -V fails when upgrading with openldap-devel installed
BZ#790913 – NSS_Init* functions are not thread safe
BZ#790914 – OpenLDAP 2.4.23 segfaults when using back-sql
BZ#790915 – matching wildcard hostnames in certificate Subject field does not work

Open LDAP Bugs Fixed in RHEL 6.2

BZ#717738
In a utility which uses both the OpenLDAP and Mozilla NSS (Network Security Services) libraries, OpenLDAP validated the TLS peer's certificate, which the NSS library then cached. The utility sometimes terminated unexpectedly on the NSS_Shutdown() function call because the certificate was not freed and the cache could not be destroyed. With this update, the peer certificate is freed in the OpenLDAP library after certificate validation is finished, all cache entries can now be deleted properly, and the NSS_Shutdown() call succeeds as expected.

BZ#726984
When a program used the OpenLDAP library to securely connect to an LDAP server using SSL/TLS, while the server was using a certificate with a wildcarded common name (for example CN=*.example.com), the connection to the server failed. With this update, the library has been fixed to verify wildcard hostnames used in certificates correctly, and the connection to the server now succeeds if the wildcard common name matches the server name.

BZ#727533
Previously, if an OpenLDAP server was installed with an SQL back end, the server terminated unexpectedly after a few operations. An upstream patch, which updates data types for storing the length of the values by using the ODBC (Open Database Connectivity) interface, has been provided to address this issue. Now, the server no longer crashes when the SQL back end is used.

BZ#684810
The slapd-config(5) and ldap.conf(5) manual pages contained incorrect information about TLS settings. This update adds new TLS documentation relevant for the Mozilla NSS cryptographic library.

BZ#698921
When an LDIF (LDAP Data Interchange Format) input file was passed to the ldapadd utility or another openldap client tool, and the file was not terminated by a newline character, the client terminated unexpectedly. With this update, client utilities are able to properly handle such LDIF files, and the crashes no longer occur in the described scenario.

BZ#701227
When an LDIF (LDAP Data Interchange Format) input file was passed to the ldapadd utility or another openldap client tool, and a line in the file was split into two lines but was missing the correct indentation (the second line has to be indented by one space character), the client terminated unexpectedly. With this update, client utilities are able to properly handle such LDIF files, and the crashes no longer occur in the described scenario.

BZ#709407
When an OpenLDAP server was under heavy load or multiple replicating OpenLDAP servers were running, and, at the same time, TLS/SSL mode with certificates in PEM (Privacy Enhanced Mail) format was enabled, a race condition caused the server to terminate unexpectedly after a random amount of time (ranging from minutes to weeks). With this update, a mutex has been added to the code to protect calls of thread-unsafe Mozilla NSS functions dealing with PEM certificates, and the crashes no longer occur in the described scenario.

BZ#712358

When the openldap-servers package was installed on a machine where the initscripts package was not already installed, some scriptlets terminated during installation and error messages were returned. With this update, initscripts has been defined as a required package for openldap-servers, and no error messages are returned in the described scenario.

BZ#713525
When an openldap client had the TLS_REQCERT option set to never and the TLS_CACERTDIR option set to an empty directory, TLS connection attempts to a remote server failed as TLS could not be initialized on the client side. Now, TLS_CACERTDIR errors are ignored when TLS_REQCERT is set to never, thus fixing this bug.

BZ#722923
When a slapd.conf file was converted into a new slapd.d directory while the constraint overlay was in place, the constraint_attribute option of the size or count type was converted to the olcConstraintAttribute option with its value part missing. A patch has been provided to address this issue and constraint_attribute options are now converted correctly in the described scenario.

BZ#722959
When an openldap client had the TLS_REQCERT option set to never and the remote LDAP server uses a certificate issued by a CA (Certificate Authority) whose certificate has expired, connection attempts to the server failed due to the expired certificate. Now, expired CA certificates are ignored when TLS_REQCERT is set to never, thus fixing this bug.

BZ#723487
Previously, the openldap package compilation log file contained warning messages returned by strict-aliasing rules. These warnings indicated that unexpected runtime behavior could occur. With this update, the -fno-strict-aliasing option is passed to the compiler to avoid optimizations that can produce invalid code, and no warning messages are now returned during the package compilation.

BZ#723514
Previously, the olcDDStolerance option was shortening TTL (time to live) for dynamic entries, instead of prolonging it. Consequently, when an OpenLDAP server was configured with the dds overlay and the olcDDStolerance option was enabled, the dynamic entries were deleted before their TTL expired. A patch has been provided to address this issue and the real lifetime of a dynamic entry is now calculated properly, as described in documentation.

BZ#729087
When a utility used the OpenLDAP library and TLS to connect to a server, while the library failed to verify a certificate or a key, a memory leak occurred in the tlsm_find_and_verify_cert_key() function. Now, verified certificates and keys are properly disposed of when their verification fails, and memory leaks no longer occur in the described scenario.

BZ#729095
When the olcVerifyClient option was set to allow in an OpenLDAP server or the TLS_REQCERT option was set to allow in a client utility, while the remote peer certificate was invalid, OpenLDAP server/client connection failed. With this update, invalid remote peer certificates are ignored, and connections can now be established in the described scenario.
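The three client-side fixes above (BZ#713525, BZ#722959 and BZ#729095) all hinge on what TLS_REQCERT is set to: with never or allow, libldap deliberately tolerates an empty TLS_CACERTDIR, an expired CA or an invalid peer certificate, so those settings trade away server authentication. The following audit script is an added example, not Red Hat or OpenLDAP code; it parses the option lines of an ldap.conf (the sample content is constructed) and reports the settings a reviewer would want to see justified.

```python
"""Audit the TLS options of an OpenLDAP client ldap.conf / .ldaprc.

Added example (not from the openldap package). The SAMPLE_LDAP_CONF text is
constructed for illustration.
"""
import re

# Constructed sample configuration, not taken from any real host.
SAMPLE_LDAP_CONF = """\
# /etc/openldap/ldap.conf
BASE   dc=example,dc=com
URI    ldaps://ldap.example.com
TLS_CACERTDIR  /etc/openldap/cacerts
TLS_REQCERT    never
"""

# TLS_REQCERT values under which libldap ignores certificate problems.
WEAK_REQCERT = {
    "never": "the peer certificate is not requested or checked at all",
    "allow": "an invalid or untrusted peer certificate is accepted",
}

# ldap:// (not ldaps://) URIs only get TLS if STARTTLS is negotiated.
PLAIN_LDAP_URI = re.compile(r"\bldap://")


def parse_ldap_conf(text):
    """Return {OPTION: value} for every non-comment line.

    ldap.conf option names are case-insensitive, so they are upper-cased here.
    """
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        opts[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return opts


def audit_tls(opts):
    """Return a list of human-readable findings for the parsed options."""
    findings = []
    # libldap's default for clients is "demand": a valid certificate is required.
    reqcert = opts.get("TLS_REQCERT", "demand").lower()
    if reqcert in WEAK_REQCERT:
        findings.append(f"TLS_REQCERT {reqcert}: {WEAK_REQCERT[reqcert]}")

    has_anchor = "TLS_CACERT" in opts or "TLS_CACERTDIR" in opts
    if reqcert not in WEAK_REQCERT and not has_anchor:
        findings.append("no TLS_CACERT or TLS_CACERTDIR: no trust anchors configured, "
                        "so certificate validation cannot succeed")

    if PLAIN_LDAP_URI.search(opts.get("URI", "")) and reqcert not in WEAK_REQCERT:
        findings.append("URI uses ldap://: make sure STARTTLS is required "
                        "(ldapsearch -ZZ) or switch to ldaps://")
    return findings


if __name__ == "__main__":
    for finding in audit_tls(parse_ldap_conf(SAMPLE_LDAP_CONF)):
        print("WARNING:", finding)
```

Run it against a real file by replacing SAMPLE_LDAP_CONF with the contents of /etc/openldap/ldap.conf; any TLS_REQCERT never or allow it reports should be traceable to a deliberate decision, since with those values the TLS_CACERTDIR and CA-expiry fixes above simply stop errors from surfacing.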

BZ#731168
When multiple TLS operations were performed by clients or other replicated servers, with the openldap-servers package installed and TLS enabled, the server terminated unexpectedly. With this update, a mutex has been added to the code to protect calls of thread-unsafe Mozilla NSS initialization functions, and the crashes no longer occur in the described scenario.

BZ#732001
When the openldap-servers package was being installed on a server for the first time, a redundant and confusing "/" character was printed during the installation. With this update, the responsible RPM scriptlet has been fixed and the "/" character is no longer printed in the described scenario.

BZ#723521
Previously, the slapo-unique manual page was missing information about quoting the keywords and URIs (uniform resource identifiers), and the attribute parameter was not described in the section about unique_strict configuration options. A patch has been provided to address these issues and the manual page is now up-to-date.

BZ#742592
Previously, when the openldap-servers package was installed, host-based ACLs did not work. With this update, configuration flags that enable TCP wrappers have been updated, and the host-based ACLs now work as expected.

Enhancements

BZ#730311
Previously, when a connection to an LDAP server was created by specifying the search root DN (distinguished name) instead of the server hostname, the SRV records in DNS were requested and a list of LDAP server hostnames was generated. The servers were then queried in the order in which the DNS server returned them; the priority and weight of the records were ignored. This update adds support for the priority and weight of DNS SRV records, and the servers are now queried according to their priority and weight, as required by RFC 2782.
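The RFC 2782 selection rule that BZ#730311 brings to libldap is worth seeing end to end: records are grouped by ascending priority, and within a priority group a weighted random draw decides the order, with zero-weight records placed first so they are chosen only rarely. The following is an added example written for this page, not the libldap implementation; the SRV records for _ldap._tcp.example.com are constructed.

```python
"""Order DNS SRV records for client failover as RFC 2782 specifies.

Added example, not libldap's code. SAMPLE_SRV is a constructed record set.
"""
import random
from collections import namedtuple

SRV = namedtuple("SRV", "priority weight port target")

# Constructed SRV records for _ldap._tcp.example.com (not a real zone).
SAMPLE_SRV = [
    SRV(20, 0, 389, "ldap-backup.example.com"),   # lower priority: used only on failover
    SRV(10, 60, 389, "ldap1.example.com"),
    SRV(10, 40, 389, "ldap2.example.com"),
    SRV(10, 0, 389, "ldap3.example.com"),         # weight 0: chosen only when nothing else draws
]


def order_srv(records, rng=random):
    """Return the records in the order a client should try them (RFC 2782 section on weight)."""
    ordered = []
    for prio in sorted({r.priority for r in records}):
        group = [r for r in records if r.priority == prio]
        # RFC 2782: zero-weight records go to the front of the list before the draw.
        group.sort(key=lambda r: r.weight != 0)
        while group:
            total = sum(r.weight for r in group)
            pick = rng.randint(0, total)          # uniform in [0, total]
            running = 0
            for i, r in enumerate(group):
                running += r.weight
                if running >= pick:               # first record whose running sum reaches the pick
                    ordered.append(group.pop(i))
                    break
    return ordered


def first_choice_counts(records, trials, seed=0):
    """How often each target is tried first over many draws (seeded for repeatability)."""
    rng = random.Random(seed)
    counts = {r.target: 0 for r in records}
    for _ in range(trials):
        counts[order_srv(records, rng)[0].target] += 1
    return counts


if __name__ == "__main__":
    for r in order_srv(SAMPLE_SRV):
        print(f"try {r.target}:{r.port} (priority {r.priority}, weight {r.weight})")
    print(first_choice_counts(SAMPLE_SRV, 1000))
```

With these weights ldap1 should be the first choice roughly 60% of the time and ldap2 roughly 40%, ldap3 only when the draw lands on 0, and ldap-backup is always tried last; the pre-fix behaviour the note describes would instead have followed whatever order the resolver happened to return.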

BZ#712494
In the default installation of the openldap-servers package, the configuration database (cn=config) could only be modified manually when the slapd daemon was not running. With this update, the ldapi:/// interface has been enabled by default, and the ACLs (access control lists) now allow the root user to modify the server configuration with the OpenLDAP client tools without stopping the server, provided root authenticates over ldapi:/// using the SASL/EXTERNAL mechanism.

BZ#723999
The openldap package was compiled without RELRO (read-only relocations) flags and was therefore exposed to attacks that overwrite writable ELF sections of a program. To increase the security of the package, the openldap spec file has been modified to pass the -Wl,-z,relro flags when compiling the package. The openldap package is now provided with partial RELRO protection.

Open LDAP Bugs Fixed in RHEL 6.3

Security Fix

CVE-2012-2668
It was found that the OpenLDAP server daemon ignored olcTLSCipherSuite settings. This resulted in the default cipher suite always being used, which could lead to weaker than expected ciphers being accepted during Transport Layer Security (TLS) negotiation with OpenLDAP clients.

Bug Fix

BZ#844428
When the smbk5pwd overlay was enabled in an OpenLDAP server, and a user changed their password, the Microsoft NT LAN Manager (NTLM) and Microsoft LAN Manager (LM) hashes were not computed correctly. This led to the sambaLMPassword and sambaNTPassword attributes being updated with incorrect values, preventing the user logging in using a Windows-based client or a Samba client.

With this update, the smbk5pwd overlay is linked against OpenSSL. As such, the NTLM and LM hashes are computed correctly, and password changes work as expected when using smbk5pwd.

Open LDAP Bugs Fixed in RHEL 6.3 (second update)

Security Fix

CVE-2012-1164
A denial of service flaw was found in the way the OpenLDAP server daemon (slapd) processed certain search queries requesting only attributes and no values. In certain configurations, a remote attacker could issue a specially-crafted LDAP search query that, when processed by slapd, would cause slapd to crash due to an assertion failure.

Bug Fixes

BZ#784211
When OpenLDAP was set up with master-master replication and with the "unique" overlay configured on the back-end database, a server failed to synchronize after coming online. An upstream patch has been applied and the overlay no longer breaks synchronization.

BZ#790687
When the OpenLDAP server was enabled on the ldaps port (636), this port could already be taken by another process using the bindresvport() call. Consequently, the slapd daemon could not bind to the ldaps port. This update adds a configuration file for the portreserve service to reserve the ldaps port and this port is now always available for slapd.

BZ#742163
When the OpenLDAP server was running with the "constraint" overlay enabled and "count" restrictions configured, specific modify operations could violate a "count" restriction without the overlay detecting it. Now, the overlay's count check has been fixed to detect such situations and the server returns the "constraint violation" error as expected.

BZ#783445
If the slapd daemon was set up with master-master replication over TLS, when started, it terminated unexpectedly with a segmentation fault due to accessing unallocated memory. This update applies a patch that copies and stores the TLS initialization parameters, until the deferred TLS initialization takes place and the crashes no longer occur in the described scenario.

BZ#796808
When an OpenLDAP server used TLS and a problem with loading the server key occurred, the server terminated unexpectedly with a segmentation fault due to accessing uninitialized memory. With this update, variables holding TLS certificate and keys are properly initialized, the server no longer crashes in the described scenario, and information about the failure is logged instead.

BZ#807363
Due to a bug in the libldap library, when a remote LDAP server responded with a referral to a client query and the referral chasing was enabled in the library on the client, a memory leak occurred in libldap. An upstream patch has been provided to address this issue and memory leaks no longer occur in the described scenario.

BZ#742023
If a client established a TLS connection to a remote server which had a certificate issued by a commonly trusted certificate authority (CA), the server certificate was rejected because the CA certificate could not be found. Now, during the package installation, a certificate database is created and a module with trusted root CAs is loaded. The trusted CAs shipped with the Mozilla NSS package are used and TLS connections to a remote server now work as expected.

BZ#784203
Under certain conditions, when the unbind operation was called and the ldap handle was destroyed, the library attempted to close the connection socket, which was already closed. Consequently, warning messages from the valgrind utility were returned. An upstream patch has been applied, additional checks before closing a connection socket have been added, and the socket in the described scenario is now closed only once with no warnings returned.

BZ#732916
Previously, description of the SASL_NOCANON option was missing under the “SASL OPTIONS” section in the ldap.conf man page. This update amends the man page.

BZ#743781
When the mutually exclusive options "-w" and "-W" were passed to any OpenLDAP client tool, the tool terminated with an assertion error. An upstream patch has been applied and the client tools now refuse to start if these options are passed on the command line together, thus preventing this bug.

BZ#745470
Previously, description of the “-o” and “-N” options was missing in man pages for OpenLDAP client tools. This update amends the man pages.

BZ#730745
When the "memberof" overlay was set up on top of the front end database, the server terminated unexpectedly with a segmentation fault if an entry was modified or deleted. With this update, the "memberof" overlay can no longer be set up on top of the front end database. Instead, it is required to be set up on top of the back end database or databases. Now, the crash no longer occurs in the described scenario.

BZ#816168
When a utility from the openldap-clients package was called without a specified URL, a memory leak occurred. An upstream patch has been applied to address this issue and the bug no longer occurs in the described scenario.

BZ#818844
When connecting to a remote LDAP server with TLS enabled, while the TLS_CACERTDIR parameter was set to Mozilla NSS certificate database and the TLS_CACERT parameter was set to PEM bundle with CA certificates, certificates from the PEM bundle were not loaded. If the signing CA certificate was present only in the PEM CA bundle specified by TLS_CACERT, validation of the remote certificate failed. This update allows loading of CA certificates from the PEM bundle file if the Mozilla NSS certificate database is set up as well. As a result, the validation succeeds in the described scenario.

Open LDAP Bugs Fixed in RHEL 6.4

Bug Fixes

BZ#820278
When the smbk5pwd overlay was enabled in an OpenLDAP server and a user changed their password, the Microsoft NT LAN Manager (NTLM) and Microsoft LAN Manager (LM) hashes were not computed correctly. Consequently, the sambaLMPassword and sambaNTPassword attributes were updated with incorrect values, preventing the user from logging in using a Windows-based client or a Samba client. With this update, the smbk5pwd overlay is linked against OpenSSL. As such, the NTLM and LM hashes are computed correctly and password changes work as expected when using smbk5pwd.

BZ#857390
If the TLS_CACERTDIR configuration option used a prefix, which specified a Mozilla NSS database type, such as sql:, and when a TLS operation was requested, the certificate database failed to open. This update provides a patch, which removes the database type prefix when checking the existence of a directory with certificate database, and the certificate database is now successfully opened even if the database type prefix is used.

BZ#829319
When a file containing a password was provided to open a database without user interaction, a piece of unallocated memory could be read and mistaken for the password, causing the connection to become unresponsive. A patch has been applied to correctly allocate the memory for the password file and the connection no longer hangs in the described scenario.

BZ#818572
When a TLS connection to an LDAP server was established, used, and then correctly terminated, the order of the internal TLS shutdown operations was incorrect. Consequently, unexpected terminations and other issues could occur in the underlying cryptographic library (Mozilla NSS). A patch has been provided to reorder the operations performed when closing the connection. Now, the order of TLS shutdown operations matches the Mozilla NSS documentation, thus fixing this bug.

BZ#859858
When TLS was configured to use a certificate from a PEM file while TLS_CACERTDIR was set to use a Mozilla NSS certificate database, the PEM certificate failed to load. With this update, the certificate is first looked up in the Mozilla NSS certificate database and if not found, the PEM file is used as a fallback. As a result, PEM certificates are now properly loaded in the described scenario.

BZ#707599
The OpenLDAP server could be configured for replication with TLS enabled for both accepting connections from remote peers and for TLS client authentication to the other replicas. When different TLS configuration was used for server and for connecting to replicas, a connection to a replica could fail due to TLS certificate lookup errors or due to unknown PKCS#11 TLS errors. This update provides a set of patches, which makes multiple TLS LDAP contexts within one process possible without affecting the others. As a result, OpenLDAP replication works properly in the described scenario.

BZ#811468
When the CA (Certificate Authority) certificate directory hashed via OpenSSL was configured to be used as a source of trusted CA certificates, the libldap library incorrectly expected that filenames of all hashed certificates end with the .0 suffix. Consequently, even though any numeric suffix is allowed, only certificates with .0 suffix were loaded. This update provides a patch that properly checks filenames in OpenSSL CA certificate directory and now all certificates that are allowed to be in that directory are loaded with libldap as expected.
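Both BZ#652814 (6.1: ignore files that are not in c_hash format) and BZ#811468 above come down to which filenames libldap is willing to load from an OpenSSL-hashed TLS_CACERTDIR: c_rehash names certificates with the eight hex digits of the subject hash, a dot and a decimal counter (any counter, not only 0), and names CRLs with an r before the counter. The following classifier is an added example, not libldap or OpenSSL code; the directory listing it checks is constructed.

```python
"""Classify the entries of an OpenSSL c_rehash-style CA certificate directory.

Added example, not libldap's loader. SAMPLE_DIR is a constructed listing.
"""
import re

# c_rehash(1) layout: <8 lowercase hex digits>.<N> for certificates, <hash>.r<N> for CRLs.
CERT_NAME = re.compile(r"^[0-9a-f]{8}\.(\d+)$")
CRL_NAME = re.compile(r"^[0-9a-f]{8}\.r(\d+)$")

# Constructed directory listing (not a real /etc/openldap/cacerts).
SAMPLE_DIR = [
    "a1b2c3d4.0",      # first certificate with subject hash a1b2c3d4
    "a1b2c3d4.1",      # a second, different certificate with the same subject hash
    "ffeeddcc.12",     # valid: any decimal counter is allowed, not only 0 (BZ#811468)
    "a1b2c3d4.r0",     # a CRL, not a certificate
    "ca-bundle.crt",   # not in c_hash format: must be ignored, not parsed (BZ#652814)
    "README",
    "00000000.0.bak",
]


def classify_cacertdir(names):
    """Split a listing into (certificates, crls, ignored), each sorted."""
    certs, crls, ignored = [], [], []
    for name in names:
        if CERT_NAME.match(name):
            certs.append(name)
        elif CRL_NAME.match(name):
            crls.append(name)
        else:
            ignored.append(name)
    return sorted(certs), sorted(crls), sorted(ignored)


def only_suffix_zero(certs):
    """The subset a loader that insists on a .0 suffix would see (the pre-fix behaviour)."""
    return [c for c in certs if c.endswith(".0")]


def next_hashed_name(subject_hash, existing):
    """Name c_rehash gives a new certificate whose subject hash collides with existing files."""
    counter = 0
    while f"{subject_hash}.{counter}" in existing:
        counter += 1
    return f"{subject_hash}.{counter}"


if __name__ == "__main__":
    certs, crls, ignored = classify_cacertdir(SAMPLE_DIR)
    print("certificates loaded:", certs)
    print("loaded by a .0-only loader:", only_suffix_zero(certs))
    print("CRLs:", crls)
    print("ignored:", ignored)
```

The .0-only view shows the practical impact of BZ#811468: when two CA certificates share a subject hash (a renewed root or an intermediate with the same subject), the second one lands in .1 and a loader that stops at .0 silently drops it, so chains through that CA fail even though the file is present.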

BZ#843056
When multiple LDAP servers were specified with TLS enabled and a connection to a server failed because the host name did not match the name in the certificate, fallback to another server was performed. However, the fallback connection became unresponsive during the TLS handshake. This update provides a patch that re-creates internal structures, which handle the connection state, and the fallback connection no longer hangs in the described scenario.

BZ#864913
When the OpenLDAP server was configured to use the rwm overlay and a client sent the modrdn operation, which included the newsuperior attribute matching the current superior attribute of the entry being modified, the slapd server terminated unexpectedly with a segmentation fault. With this update, slapd is prevented from accessing uninitialized memory in the described scenario, the crashes no longer occur, and the client operation now finishes successfully.

BZ#828787
When a self-signed certificate without Basic Constraint Extension (BCE) was used as a server TLS certificate and the TLS client was configured to ignore any TLS certificate validation errors, the client could not connect to the server and an incorrect message about missing BCE was returned. This update provides a patch to preserve the original TLS certificate validation error if BCE is not found in the certificate. As a result, clients can connect to the server, proper error messages about untrusted certification authority which signed the server certificate are returned, and the connection continues as expected.

BZ#821848
When the slapd server configuration database (cn=config) was configured with replication in mirror mode and the replication configuration (olcSyncrepl) was changed, the cn=config database was silently removed from mirror mode and could not be further modified without restarting the slapd daemon. With this update, changes in replication configuration are properly handled so that the state of mirror mode is now preserved and the cn=config database can be modified in the described scenario.

BZ#835012
Previously, the OpenLDAP library looked up an AAAA (IPv6) DNS record while resolving the server IP address even if IPv6 was disabled on the host, which could cause extra delays when connecting. With this update, the AI_ADDRCONFIG flag is set when resolving the remote host address. As a result, the OpenLDAP library no longer looks up the AAAA DNS record when resolving the server IP address if IPv6 is disabled on the local system.

Enhancements

BZ#852339
When libldap was configured to use TLS, not all TLS ciphers supported by the Mozilla NSS library could be used. This update adds the missing ciphers supported by Mozilla NSS to the internal list of ciphers in libldap, thus improving libldap's security capabilities.

Known Issues for LDAP for Each Release

RHEL 6.1 LDAP Known Issues

:::::::: SSSD currently does not support eDirectory account lockout policies.

When installing a replica (using the ipa-replica-install command), GSSAPI errors similar to the following might be returned:
[07/Apr/2011:10:46:23 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[07/Apr/2011:10:46:23 -0400] NSMMReplicationPlugin - agmt="cn=meToipaqa64vmb.testrelm" (ipaqa64vmb:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_496' not found))
These messages can be safely ignored.

RHEL 6.2 LDAP Known Issues

:::::::: Identity Management component

When transitioning to a fully supported Identity Management version in Red Hat Enterprise Linux 6.2, uninstall any previous beta version of Identity Management or Technology Preview parts of Red Hat Enterprise Identity (IPA) available in the Red Hat Enterprise Linux 6.1 Technology Preview and install Identity Management again.

:::::::: Identity Management component

When an Identity Management server is installed with a custom hostname that is not resolvable, the ipa-server-install command should add a record to the static hostname lookup table in /etc/hosts and enable further configuration of Identity Management integrated services. However, a record is not added to /etc/hosts when the IP address is passed as a CLI option rather than interactively. Consequently, Identity Management installation fails because the integrated services being configured expect the Identity Management server hostname to be resolvable. To work around this issue, complete one of the following:

Run ipa-server-install without the --ip-address option and pass the IP address interactively.

Add a record to /etc/hosts before the installation is started. The record should contain the Identity Management server IP address and its full hostname (the hosts(5) man page specifies the record format).

As a result, the Identity Management server can be installed with a custom hostname that is not resolvable.

:::::::: sssd component, BZ#750922

Upgrading SSSD from the version provided in Red Hat Enterprise Linux 6.1 to the version shipped with Red Hat Enterprise Linux 6.2 may fail due to a bug in the dependent library libldb. This failure occurs when the SSSD cache contains internal entries whose distinguished name contains the "," character. The most likely example of this is an invalid memberUID entry in an LDAP group of the form:

memberUID: user1,user2

memberUID is a multi-valued attribute and should not have multiple users in the same attribute value.

If the upgrade issue occurs, identifiable by the following debug log message:

(Wed Nov 2 15:18:21 2011) [sssd] [ldb] (0): A transaction is still active in
ldb context [0xaa0460] on /var/lib/sss/db/cache_<DOMAIN>.ldb

remove the /var/lib/sss/db/cache_<DOMAIN>.ldb file and restart SSSD. Removing the /var/lib/sss/db/cache_<DOMAIN>.ldb file purges the cache of all entries (including cached credentials).

:::::::: sssd component, BZ#751314

When a group contains certain incorrect multi-valued memberUID values, SSSD fails to sanitize the values properly. The memberUID value should only contain one username. As a result, SSSD creates incorrect users, using the broken memberUID values as their usernames. This, for example, causes problems during cache indexing.
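The two SSSD issues above (BZ#750922 and BZ#751314) and the two ldapadd crashes fixed in RHEL 6.2 (BZ#698921, a file without a trailing newline, and BZ#701227, a line split without the one-space continuation indent) are all cases of LDIF input that a tool must either handle or reject cleanly instead of crashing or creating bogus users. The following parser and lint pass is an added example, not SSSD, libldb or OpenLDAP code; it unfolds continuation lines, tolerates a missing final newline, raises a clear error for a mis-folded line, and then flags memberUid values that name more than one user. The sample LDIF is constructed.

```python
"""Defensive LDIF parsing plus a memberUid sanity check.

Added example, not from sssd/libldb/openldap. SAMPLE_LDIF is constructed and
deliberately has no trailing newline, a folded description line and a bad
memberUid value.
"""
import base64

SAMPLE_LDIF = ("dn: cn=admins,ou=groups,dc=example,dc=com\n"
               "objectClass: posixGroup\n"
               "cn: admins\n"
               "description: Administrative staff group for the\n"
               "  example.com directory\n"          # folded: one leading space continues the line
               "memberUid: user1,user2\n"          # invalid: two users in one value
               "memberUid: user3")                 # no trailing newline on purpose


class LdifError(ValueError):
    """Raised for malformed LDIF instead of letting the caller crash later."""


def parse_ldif(text):
    """Parse LDIF text into a list of entries, each a dict {attr_lower: [values]}."""
    # Step 1: unfold. A physical line starting with one space continues the previous one.
    logical = []
    for lineno, raw in enumerate(text.splitlines(), 1):  # splitlines() copes with no final newline
        if raw.startswith(" "):
            if not logical:
                raise LdifError(f"line {lineno}: continuation line with nothing to continue")
            prev_no, prev_text = logical[-1]
            logical[-1] = (prev_no, prev_text + raw[1:])
        else:
            logical.append((lineno, raw))

    # Step 2: split into entries at blank lines and parse "attr: value" pairs.
    entries, current = [], None
    for lineno, line in logical:
        if line.startswith("#"):
            continue
        if line == "":
            if current:
                entries.append(current)
            current = None
            continue
        if ":" not in line:
            raise LdifError(f"line {lineno}: expected 'attr: value'; a folded line must "
                            "start with exactly one space")
        attr, value = line.split(":", 1)
        if value.startswith(":"):                     # attr:: <base64>
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        elif value.startswith("<"):                   # attr:< file:///... (not supported here)
            raise LdifError(f"line {lineno}: URL-valued attributes are not supported")
        else:
            value = value.strip()
        if current is None:
            current = {}
        current.setdefault(attr.strip().lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def lint_memberuid(entries):
    """Return (dn, value) for every memberUid value that does not look like one user name."""
    problems = []
    for entry in entries:
        dn = entry.get("dn", ["<no dn>"])[0]
        for value in entry.get("memberuid", []):
            if "," in value or " " in value:
                problems.append((dn, value))
    return problems


if __name__ == "__main__":
    parsed = parse_ldif(SAMPLE_LDIF)
    for dn, value in lint_memberuid(parsed):
        print(f"{dn}: suspicious memberUid value {value!r}")
```

Running the lint over an ldapsearch dump of your groups before an SSSD upgrade finds exactly the entries the two known issues above describe, so they can be corrected in the directory rather than discovered when the libldb transaction error appears.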

:::::::: Identity Management component, BZ#750596

Two Identity Management servers, both with a CA (Certificate Authority) installed, use two replication replication agreements. One is for user, group, host, and other related data. Another replication agreement is established between the CA instances installed on the servers. If the CA replication agreement is broken, the Identity Management data is still shared between the two servers, however, because there is no replication agreement between the two CAs, issuing a certificate on one server will cause the other server to not recognize that certificate, and vice versa.

:::::::: Identity Management component

The Identity Management (ipa) package cannot be built with a 6ComputeNode subscription.

:::::::: Identity Management component

On the configuration page of the Identity Management WebUI, if the User search field is left blank and the search button is clicked, an internal error is returned.

:::::::: sssd component, BZ#741264

Active Directory performs certain LDAP referral-chasing that is incompatible with the referral mechanism included in the openldap libraries. Notably, Active Directory sometimes attempts to return a referral on an LDAP bind attempt, which used to cause a hang, and is now denied by the openldap libraries. As a result, SSSD may suffer from performance issues and occasional failures resulting in missing information.
To work around this issue, disable referral-chasing by setting the following parameter in the [domain/DOMAINNAME] section of the /etc/sssd/sssd.conf file:
ldap_referrals = false

RHEL 6.3 LDAP Known Issues

:::::::: Identity Management component

When using the Identity Management WebUI in the Internet Explorer browser, you may encounter the following issues:
While the browser window is not maximized or many users are logged into the WebUI, scrolling down a page to select a user may not work properly. As soon as the user’s checkbox is selected, the scroll bar jumps back up without selecting the user. This error also occurs when a permission is added to a privilege. (BZ#831299)

When attempting to edit a service, the edit page for that service may occasionally be blank, or show only labels for Principal or Service without showing their values. When adding a service, under certain conditions, the drop-down menu lists the available services and hosts but users are unable to select any of the entries. (BZ#831227)

When adding a permission of type subtree, the text area to specify the subtree is too small and non-resizable, making it difficult to enter long subtree entries. (BZ#830817)

When adding a delegation, its attributes are separated by disproportionately large vertical spaces. (BZ#829899)

When adding a member, the edge of the displayed window suggests it can be resized. However, resizing of the window does not work. When adding a Sudo Command to a Sudo Command group, the first group overlays with the column title. (BZ#829746)

Adding a new DNS zone causes the window to be incorrectly rendered as text on the existing page. (BZ#827583)

:::::::: Identity Management component, BZ#826973

When Identity Management is installed with its CA certificate signed by an external CA, the installation is processed in two stages. In the first stage, a CSR is generated to be signed by the external CA. The second stage of the installation then accepts a file with the newly signed certificate for the Identity Management CA and a certificate of the external CA. During the second stage, the subject of the signed Identity Management CA certificate is validated. However, there is a bug in the certificate subject validation procedure and its default value (O=$REALM, where $REALM is the realm of the new Identity Management installation) is never pulled. Consequently, the second stage of the installation always fails unless the --subject option is specified. To work around this issue, add the following option for the second stage of the installation: --subject "O=$REALM", where $REALM is the realm of the new Identity Management installation. If a custom subject was used for the first stage of the installation, use its value instead. With this workaround, the certificate subject validation procedure succeeds and the installation continues as expected.

:::::::: Identity Management component, BZ#822350

When a user is migrated from a remote LDAP, the user’s entry in the Directory Server does not contain Kerberos credentials needed for a Kerberos login. When the user visits the password migration page, Kerberos credentials are generated for the user and logging in via Kerberos authentication works as expected. However, Identity Management does not generate the credentials correctly when the migrated password does not follow the password policy set on the Identity Management server. Consequently, when the password migration is done and a user tries to log in via Kerberos authentication, the user is prompted to change the password as it does not follow the password policy, but the password change is never successful and the user is not able to use Kerberos authentication. To work around this issue, an administrator can reset the password of a migrated user with the ipa passwd command. When reset, user’s Kerberos credentials in the Directory Server are properly generated and the user is able to log in using Kerberos authentication.

:::::::: Identity Management component

In the Identity Management web UI, deleting a DNS record may, under some circumstances, leave it visible on the page showing DNS records. This is only a display issue and does not affect the functionality of DNS records in any way.

:::::::: Identity Management component, BZ#783502

The Identity Management permission plug-in does not verify that the set of attributes specified for a new permission is relevant to the target object type that the permission allows access to. This means a user is able to create a permission which allows access to attributes that will never be present in the target object type because such attributes are not allowed in its object classes. You must ensure that the set of attributes to which a new permission grants access is relevant to the chosen target object type.

:::::::: Identity Management component, BZ#790513

The ipa-client package does not install the policycoreutils package as its dependency, which may cause install/uninstall issues when using the ipa-client-install setup script. To work around this issue, install the policycoreutils package manually:
~]# yum install policycoreutils

:::::::: Identity Management component, BZ#813376

Updating the Identity Management LDAP configuration via the ipa-ldap-updater fails with a traceback error when executed by a non-root user due to the SASL EXTERNAL bind requiring root privileges. To work around this issue, run the aforementioned command as the root user.

:::::::: Identity Management component, BZ#794882

With netgroups, when adding a host as a member that Identity Management does not have stored as a host already, that host is considered to be an external host. This host can be controlled with netgroups, but Identity Management has no knowledge of it. Currently, there is no way to use the netgroup-find option to search for external hosts.
Also, note that when a host is added to a netgroup as an external host, rather than being added in Identity Management as an external host, that host is not automatically converted within the netgroup rule.

:::::::: Identity Management component, BZ#786629

Because a permission does not provide write access to an entry, delegation does not work as expected. The 389 Directory Server (389-ds) distinguishes access between entries and attributes. For example, an entry can be granted add or delete access, whereas an attribute can be granted read, search, and write access. To grant write access to an entry, the list of writable attributes needs to be provided. The filter, subtree, and other options are used to target those entries which are writable. Attributes define which part(s) of those entries are writable. As a result, the list of attributes will be writable to members of the permission.

:::::::: sssd component, BZ#808063

The manpage entry for the ldap_disable_paging option in the sssd-ldap man page does not indicate that it accepts the boolean values True or False, and that it defaults to False if it is not explicitly specified.

:::::::: Identity Management component, BZ#812127

Identity Management relies on the LDAP schema to know what type of data to expect in a given attribute. If, in certain situations (such as replication), data that does not meet those expectations is inserted into an attribute, Identity Management will not be able to handle the entry, and LDAP tools have to be used to manually clean up that entry.

:::::::: Identity Management component, BZ#812122

Identity Management sudo commands are not case sensitive. For example, executing the following commands will result in the latter one failing due to the case insensitivity:
~]$ ipa sudocmd-add /usr/bin/X
~]$ ipa sudocmd-add /usr/bin/x
ipa: ERROR: sudo command with name “/usr/bin/x” already exists

:::::::: Identity Management component

Identity Management and the mod_ssl module should not be installed on the same system, otherwise Identity Management is unable to issue certificates because mod_ssl holds the mod_proxy hooks. To work around this issue, uninstall mod_ssl.

:::::::: Identity Management component

When an Identity Management server is installed with a custom hostname that is not resolvable, the ipa-server-install command should add a record to the static hostname lookup table in /etc/hosts and enable further configuration of Identity Management integrated services. However, a record is not added to /etc/hosts when the IP address is passed as a CLI option rather than interactively. Consequently, the Identity Management installation fails because the integrated services being configured expect the Identity Management server hostname to be resolvable. To work around this issue, complete one of the following:

  • Run ipa-server-install without the --ip-address option and pass the IP address interactively.
  • Add a record to /etc/hosts before the installation is started. The record should contain the Identity Management server IP address and its full hostname (the hosts(5) man page specifies the record format).

As a result, the Identity Management server can be installed with a custom hostname that is not resolvable.

:::::::: sssd component, BZ#750922

Upgrading SSSD from the version provided in Red Hat Enterprise Linux 6.1 to the version shipped with Red Hat Enterprise Linux 6.2 may fail due to a bug in the dependent library libldb. This failure occurs when the SSSD cache contains internal entries whose distinguished name contains the \, character sequence. The most likely example of this is an invalid memberUID entry in an LDAP group of the form:

memberUID: user1,user2

memberUID is a multi-valued attribute and should not have multiple users in the same attribute value.
If the upgrade issue occurs, identifiable by the following debug log message:
(Wed Nov 2 15:18:21 2011) [sssd] [ldb] (0): A transaction is still active in
ldb context [0xaa0460] on /var/lib/sss/db/cache_<DOMAIN>.ldb
remove the /var/lib/sss/db/cache_<DOMAIN>.ldb file and restart SSSD.
Removing the /var/lib/sss/db/cache_<DOMAIN>.ldb file purges the cache of all entries (including cached credentials).

:::::::: sssd component, BZ#751314

When a group contains certain incorrect multi-valued memberUID values, SSSD fails to sanitize the values properly. The memberUID value should only contain one username. As a result, SSSD creates incorrect users, using the broken memberUID values as their usernames. This, for example, causes problems during cache indexing.

:::::::: Identity Management component, BZ#750596

Two Identity Management servers, both with a CA (Certificate Authority) installed, use two replication agreements. One is for user, group, host, and other related data. Another replication agreement is established between the CA instances installed on the servers. If the CA replication agreement is broken, the Identity Management data is still shared between the two servers; however, because there is no replication agreement between the two CAs, issuing a certificate on one server will cause the other server to not recognize that certificate, and vice versa.

:::::::: Identity Management component

The Identity Management (ipa) package cannot be built with a 6ComputeNode subscription.

:::::::: Identity Management component

On the configuration page of the Identity Management WebUI, if the User search field is left blank, and the search button is clicked, an internal error is returned.

:::::::: sssd component, BZ#741264

Active Directory performs certain LDAP referral-chasing that is incompatible with the referral mechanism included in the openldap libraries. Notably, Active Directory sometimes attempts to return a referral on an LDAP bind attempt, which used to cause a hang, and is now denied by the openldap libraries. As a result, SSSD may suffer from performance issues and occasional failures resulting in missing information.
To work around this issue, disable referral-chasing by setting the following parameter in the [domain/DOMAINNAME] section of the /etc/sssd/sssd.conf file:
ldap_referrals = false

 

RHEL 6.4 LDAP Known Issues

:::::::: ipa component, BZ#894388

The Identity Management installer configures all integrated services to listen on all interfaces. The administrator has no means to instruct the Identity Management installer to listen only on chosen interfaces even though the installer requires a valid interface IP address as one installation parameter. To work around this problem, change service configuration after Identity Management installation.

:::::::: ipa component, BZ#894378

The Identity Management LDAP permission manipulation plugin validates the subtree and filter permission specifiers as mutually exclusive, even though the combination is valid in the underlying LDAP Access Control Instruction (ACI). Permissions with both filter and subtree specifiers can be neither created nor modified. This affects, for example, the Add Automount Keys permission, which cannot be modified.

:::::::: ipa component, BZ#817080

In some cases the certificates tracked by certmonger are not cleared when running the ipa-server-install --uninstall command. This will cause a subsequent re-installation to fail with an unexpected error.

:::::::: sssd component, BZ#892604

The sss_cache utility sets the DEBUG level after it processes the command-line parameters. If the command-line parameters cannot be processed, the utility prints DEBUG lines that are not supposed to be printed by default. To avoid this, correct parameters must be used.

:::::::: sssd component, BZ#891647

It is possible to specify the enumerate=true value in the sssd.conf file to access all users in the system. However, using enumerate=true is not recommended in large environments as this can lead to high CPU consumption. As a result, operations like login or logout can be slowed down.

:::::::: ipa component, BZ#888579

The Identity Management server processes the Kerberos Password Expiration Time field as a 32-bit integer. If the Maximum Lifetime of a user password in the Identity Management Password Policy is set to a value that causes the resulting Kerberos Password Expiration Time timestamp to exceed 32 bits and overflow, passwords that are being changed are configured with an expiration time that lies in the past and are always rejected. To ensure that new user passwords are valid and can be changed properly, do not set the password Maximum Lifetime in the Identity Management Password Policy to values that would cause the Kerberos Password Expiration Time timestamp to exceed 32 bits; that is, passwords that would expire after 2038-01-19. At the moment, recommended values for the Maximum Lifetime field are numbers lower than 9000 days.
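To see how the overflow described above turns a long Maximum Lifetime into a rejected password, here is an added Python check that is not from the page or from Identity Management: it wraps the expiration timestamp into a signed 32-bit field the way the bug does and reports the largest lifetime that still fits. The change date and helper names are constructed for the example.

```python
import datetime as dt

# Constructed model of the bug: the Kerberos Password Expiration Time
# (seconds since the epoch) is stored in a signed 32-bit field.
INT32_MAX = 2**31 - 1          # 2038-01-19T03:14:07Z, the last representable second
SECONDS_PER_DAY = 86400

# Constructed change date for the example: a password changed on 2013-02-21 (UTC).
EXAMPLE_CHANGE = dt.datetime(2013, 2, 21, tzinfo=dt.timezone.utc)


def to_int32(value):
    """Wrap an integer the way a signed 32-bit field would store it."""
    value &= 0xFFFFFFFF
    return value - 2**32 if value > INT32_MAX else value


def stored_expiration(change_time, max_lifetime_days):
    """Expiration timestamp as the 32-bit field records it (possibly wrapped)."""
    expires = change_time + dt.timedelta(days=max_lifetime_days)
    return to_int32(int(expires.timestamp()))


def password_rejected(change_time, max_lifetime_days):
    """True when the stored expiration lies before the change itself, which is
    the symptom on the page: every newly set password is immediately expired."""
    return stored_expiration(change_time, max_lifetime_days) < int(change_time.timestamp())


def max_safe_lifetime_days(change_time):
    """Largest Maximum Lifetime (in days) whose expiration still fits in 32 bits."""
    return (INT32_MAX - int(change_time.timestamp())) // SECONDS_PER_DAY


if __name__ == "__main__":
    for days in (9000, 9200):
        state = "rejected" if password_rejected(EXAMPLE_CHANGE, days) else "valid"
        print(f"Maximum Lifetime {days} days -> {state}")
    print("largest safe Maximum Lifetime:", max_safe_lifetime_days(EXAMPLE_CHANGE), "days")
```

For the constructed 2013 change date the cut-off works out to 9098 days, which is why the page's "lower than 9000 days" guidance holds; the safe value shrinks by one day for every day that passes.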

:::::::: sssd component, BZ#785877

When reconnecting to an LDAP server, SSSD does not check whether the server was re-initialized during the downtime. If the server was re-initialized during the downtime and filled with completely different data, SSSD does not update its database. As a consequence, users can get invalid information from SSSD. To work around this problem:

  • stop SSSD before reconnecting to the re-initialized server;
  • clear the SSSD caches manually before reconnecting;
  • start SSSD.

:::::::: krb5 component

In environments where entropy is scarce, the kadmind tool can take longer to initialize after startup than it did in previous releases as it attempts to read data from the /dev/random file and seed its internal random number generator (RNG). Clients which attempt to connect to the kadmin service can time out and fail with a GSS-API or Kerberos error. After the service completely finishes initializing itself, it will process messages received from now-disconnected clients and can log clock-skew or decrypt-integrity-check-failed errors for those connections. To work around this problem, use a service such as rngd to seed the system RNG using hardware sources of entropy.

:::::::: ipa component, BZ#887193

The Identity Management server in Red Hat Enterprise Linux 6.3 introduced a technical preview of the SELinux user mapping feature, which enables mapping of SELinux users to users managed by Identity Management based on custom rules. However, the default SELinux user (guest_u:s0), used when no custom rule matches, is too constraining. An Identity Management user authenticating to Red Hat Enterprise Linux 6.4 can be assigned this too constraining SELinux user, in which case a login through a graphical session always fails. To work around this problem, change the default SELinux user in the Identity Management server from guest_u:s0 to the more relaxed value unconfined_u:s0-s0:c0.c1023:

kinit admin
ipa config-mod --ipaselinuxusermapdefault=unconfined_u:s0-s0:c0.c1023

An unconfined SELinux user will now be assigned to Identity Management users by default, which allows the user to authenticate successfully through the graphical interface.

:::::::: ipa component, BZ#761574

When attempting to view a host in the web UI, the following message can appear:
Certificate operation cannot be completed: Unable to communicate with CMS (Unauthorized)
Attempting to delete installed certificates through the web UI or command-line interface can fail with the same error message. To work around this problem, run the following command:

# yum downgrade ipa-server libipa_hbac libipa_hbac-python ipa-python ipa-client ipa-admintools ipa-server-selinux

:::::::: ipa component, BZ#877324

After upgrading to Red Hat Identity Manager 2.2, it is not possible to add SSH public keys in the web UI. However, SSH public keys can be added on the command line by running ipa user-mod <user> --sshpubkey.

 

:::::::: sssd component, BZ#880150

Rules with sudoUser specified as +netgroup are always matched with the sssd sudoers plugin.

:::::::: sssd component

When the ldap_sasl_authid option is not configured in the sssd.conf file, SSSD terminates unexpectedly with a segmentation fault. To avoid this problem, ensure that the option is configured.

:::::::: ipa component

When upgrading the ipa-server package using anaconda, the following error message is logged in the upgrade.log file:
/sbin/restorecon: lstat(/var/lib/pki-ca/publish*) failed: No such file or directory
This problem does not occur when using yum.

:::::::: sssd component

In the Identity Manager subdomain code, a User Principal Name (UPN) is by default built from the SAM Account Name for Active Directory trust users, that is, user@DOMAIN. The UPN can be changed to differ from the UPN in Active Directory; however, only the default format, user@DOMAIN, is supported.

:::::::: sssd component, BZ#805921

Sometimes, group members may not be visible when running the getent group groupname command. This can be caused by an incorrect ldap_schema setting in the [domain/DOMAINNAME] section of the sssd.conf file. SSSD supports three LDAP schema types: RFC 2307, RFC 2307bis, and IPA. By default, SSSD uses the more common RFC 2307 schema. The difference between RFC 2307 and RFC 2307bis is the way in which group membership is stored in the LDAP server. In an RFC 2307 server, group members are stored in the multi-valued memberuid attribute, which contains the names of the users that are members. In an RFC 2307bis server, group members are stored in the multi-valued attribute member (or sometimes uniqueMember), which contains the DN of the user or group that is a member of this group. RFC 2307bis allows nested groups to be maintained as well.
When encountering this problem:

  • add ldap_schema = rfc2307bis in the sssd.conf file,
  • delete the /var/lib/sss/db/cache_DOMAINNAME.ldb file,
  • and restart SSSD.

If the workaround does not work, add ldap_group_member = uniqueMember in the sssd.conf file, delete the cache file and restart SSSD.
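The two membership layouts just described, together with the comma-joined memberUID values from the SSSD upgrade and sanitization issues above (BZ#750922, BZ#751314), as an added Python example that is not part of the page or of SSSD: it parses a constructed LDIF sample and resolves group members the way each ldap_schema setting would, so both the empty result from a mismatched schema and the packed memberUid value become visible. Group names, user names and the DIT layout are constructed for the example.

```python
# Constructed sample LDIF (not taken from the page): one RFC 2307 group, two
# RFC 2307bis groups (one nested in the other) and one group using uniqueMember.
SAMPLE_LDIF = """\
dn: cn=devs,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: devs
memberUid: alice
memberUid: bob
memberUid: carol,dave

dn: cn=qa,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: qa
member: uid=erin,ou=people,dc=example,dc=com
member: uid=frank,ou=people,dc=example,dc=com

dn: cn=ops,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: ops
member: uid=grace,ou=people,dc=example,dc=com
member: cn=qa,ou=groups,dc=example,dc=com

dn: cn=admins,ou=groups,dc=example,dc=com
objectClass: groupOfUniqueNames
cn: admins
uniqueMember: uid=heidi,ou=people,dc=example,dc=com
"""


def parse_ldif(text):
    """Return {dn: {attribute: [values]}} for simple LDIF (no folding, no base64)."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            name, _, value = line.partition(": ")
            attrs.setdefault(name, []).append(value)
        entries[attrs["dn"][0]] = attrs
    return entries


def invalid_memberuids(entries):
    """memberUid values that pack several names into one value, the
    'memberUID: user1,user2' shape that breaks the SSSD cache upgrade."""
    return [(dn, value)
            for dn, attrs in entries.items()
            for value in attrs.get("memberUid", [])
            if "," in value]


def rdn_value(dn):
    """'uid=erin,ou=people,...' -> 'erin'"""
    return dn.split(",", 1)[0].split("=", 1)[1]


def members(entries, group_dn, schema, member_attr="member", _seen=None):
    """User names of a group as resolved under the given ldap_schema.
    rfc2307: names come straight from memberUid.  rfc2307bis: DNs come from
    member_attr; a DN that is itself a group in `entries` is expanded
    recursively (nested groups), any other DN is a user and its RDN is the name."""
    if _seen is None:
        _seen = set()
    if group_dn in _seen:          # guard against membership cycles
        return set()
    _seen.add(group_dn)
    attrs = entries[group_dn]
    if schema == "rfc2307":
        return set(attrs.get("memberUid", []))
    names = set()
    for dn in attrs.get(member_attr, []):
        if dn in entries:
            names |= members(entries, dn, schema, member_attr, _seen)
        else:
            names.add(rdn_value(dn))
    return names


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    ops = "cn=ops,ou=groups,dc=example,dc=com"
    print("ops under rfc2307   :", members(entries, ops, "rfc2307"))      # empty
    print("ops under rfc2307bis:", members(entries, ops, "rfc2307bis"))
    print("broken memberUid values:", invalid_memberuids(entries))
```

Running the sanity check against an LDIF export of the groups before an SSSD upgrade is a cheap way to find the packed memberUid values before they end up in the cache.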

Ramdev

I have started unixadminschool.com (aka gurkulindia.com) in 2009 as my own personal reference blog, and later sometime I have realized that my learnings might be helpful for other unixadmins if I manage my knowledge-base in a more user-friendly format. And the result is today's unixadminschool.com. You can connect with me at https://www.linkedin.com/in/unixadminschool/
