Chapter 54. Authentication and Interoperability
A crash is reported after an unsuccessful lightweight CA key retrieval
When using Identity Management (IdM), if retrieving the lightweight certificate authority (CA) key fails for some reason, the operation terminates unexpectedly with an uncaught exception. The exception results in a crash report. (BZ#1478366)
OpenLDAP causes programs to fail immediately in case of incorrect configuration
Previously, the Mozilla implementation of Network Security Services (Mozilla NSS) silently ignored certain misconfigurations in the OpenLDAP suite, which caused programs to fail only on connection establishment. With this update, OpenLDAP has switched from Mozilla NSS to OpenSSL (see the release note for BZ#1400578). With OpenSSL, the TLS context is established immediately, and therefore programs fail immediately. This behavior prevents potential security risks, such as keeping non-working TLS ports open.
To work around this problem, verify and fix your OpenLDAP configuration. (BZ#1515833)
OpenLDAP reports failures when CACertFile or CACertDir point to an invalid location
Previously, if the CACertFile or CACertDir options pointed to an unreadable or otherwise unloadable location, the Mozilla implementation of Network Security Services (Mozilla NSS) did not necessarily consider it a misconfiguration. With this update, the OpenLDAP suite has switched from Mozilla NSS to OpenSSL (see the release note for BZ#1400578). With OpenSSL, if CACertFile or CACertDir point to such an invalid location, the problem is no longer silently ignored.
To avoid the failures, remove the misconfigured option, or make sure it points to a loadable location.
Additionally, OpenLDAP now applies stricter rules for the contents of the directory to which CACertDir points. If you experience errors when using certificates in this directory, it is possible the directory is in an inconsistent state. To fix this problem, run the
cacertdir_rehashcommand on the folder.
For details on CACertFile and CACertDir, see these man pages: ldap.conf(5), slapd.conf(5), slapd-config(5), and ldap_set_option(3). (BZ#1515918, BZ#1515839)
OpenLDAP does not update TLS configuration after inconsistent changes in
With this update, OpenLDAP has switched from the Mozilla implementation of Network Security Services (Mozilla NSS) to OpenSSL (see the release note for BZ#1400578). With OpenSSL, inconsistent changes of the TLS configuration in the
cn=configdatabase break the TLS protocol on the server, and configuration is not updated as expected. To avoid this problem, use only one change record to update the TLS configuration in
cn=config. See the ldif(5) man page for a definition of a change record. (BZ#1524193)
Identity Management terminates connections unexpectedly
Due to a bug in Directory Server, Identity Management (IdM) terminates connections unexpectedly after a certain amount of time, and authentication fails with the following error:
kinit: Generic error (see e-text) while getting initial credentials
The problem occurs if you installed IdM on Red Hat Enterprise Linux 7.5 from an offline media. To work around the problem, run
yum updateto receive the updated 389-ds-base package which fixes the problem. (BZ#1544477)
Directory Server can terminate unexpectedly during shutdown
Directory Server uses the
nunc-stansframework to manage connection events. If a connection is closed when shutting down the server, a
nunc-stansjob can access a freed connection structure. As a consequence, Directory Server can terminate unexpectedly. Because this situation occurs in a late state of the shutdown process, data is not corrupted or lost. Currently, no workaround is available. (BZ#1517383)