7.2. Known Issues

  • Enabling user authentication against an LDAP server using authconfig --enableldapauth does not correctly set up the /etc/nslcd.conf configuration file. Consequently, LDAP users will be denied access to the system. To work around this issue, remove the line containing pam_password md5 from the /etc/nslcd.conf file.
  • The System Security Services Daemon (SSSD) currently supports following LDAP referrals on anonymous-bind LDAP connections only.
  • The authentication configuration utility does not keep the 'Require smart card for login' check box set when Kerberos is also enabled. When the check box is checked and the configuration is saved with the 'Apply' button, the system will correctly require smart card for login. However, on the subsequent run of the authentication configuration utility the check box will be unchecked again and it is necessary to check it again to keep the option switched on.
  • When attempting to perform PKINIT pre-authentication, if the client has more than one possible candidate certificate the client may fail to select the certificate and key to use. This usually occurs if certificate selection is configured to use the value of the keyUsage extension, or if any of the candidate certificates does not contain a subjectAltName extension. Consequently, the client attempts to perform pre-authentication using a different (usually password-based) mechanism.
  • After installing certmonger, the system message bus daemon needs to be signaled to reload its configuration to allow the certmonger service to start properly. To work around this issue, send the dbus-daemon process a SIGHUP signal, or, alternatively, reboot the system.