Chapter 54. Authentication and Interoperability

When using Identity Management (IdM), if retrieving the lightweight certificate authority (CA) key fails for some reason, the operation terminates unexpectedly with an uncaught exception. The exception results in a crash report. (BZ#1478366)

Previously, the Mozilla implementation of Network Security Services (Mozilla NSS) silently ignored certain misconfigurations in the OpenLDAP suite, which caused programs to fail only on connection establishment. With this update, OpenLDAP has switched from Mozilla NSS to OpenSSL (see the release note for BZ#1400578). With OpenSSL, the TLS context is established immediately, and therefore programs fail immediately. This behavior prevents potential security risks, such as keeping non-working TLS ports open.

To work around this problem, verify and fix your OpenLDAP configuration. (BZ#1515833)

Previously, if the CACertFile or CACertDir options pointed to an unreadable or otherwise unloadable location, the Mozilla implementation of Network Security Services (Mozilla NSS) did not necessarily consider it a misconfiguration. With this update, the OpenLDAP suite has switched from Mozilla NSS to OpenSSL (see the release note for BZ#1400578). With OpenSSL, if CACertFile or CACertDir point to such an invalid location, the problem is no longer silently ignored.

To avoid the failures, remove the misconfigured option, or make sure it points to a loadable location.

Additionally, OpenLDAP now applies stricter rules for the contents of the directory to which CACertDir points. If you experience errors when using certificates in this directory, it is possible the directory is in an inconsistent state. To fix this problem, run the cacertdir_rehash command on the folder.

For details on CACertFile and CACertDir, see these man pages: ldap.conf(5), slapd.conf(5), slapd-config(5), and ldap_set_option(3). (BZ#1515918, BZ#1515839)

With this update, OpenLDAP has switched from the Mozilla implementation of Network Security Services (Mozilla NSS) to OpenSSL (see the release note for BZ#1400578). With OpenSSL, inconsistent changes of the TLS configuration in the cn=config database break the TLS protocol on the server, and configuration is not updated as expected. To avoid this problem, use only one change record to update the TLS configuration in cn=config. See the ldif(5) man page for a definition of a change record. (BZ#1524193)

Due to a bug in Directory Server, Identity Management (IdM) terminates connections unexpectedly after a certain amount of time, and authentication fails with the following error:

kinit: Generic error (see e-text) while getting initial credentials

kinit: Generic error (see e-text) while getting initial credentials

The problem occurs if you installed IdM on Red Hat Enterprise Linux 7.5 from an offline media. To work around the problem, run yum update to receive the updated 389-ds-base package which fixes the problem. (BZ#1544477)

Directory Server uses the nunc-stans framework to manage connection events. If a connection is closed when shutting down the server, a nunc-stans job can access a freed connection structure. As a consequence, Directory Server can terminate unexpectedly. Because this situation occurs in a late state of the shutdown process, data is not corrupted or lost. Currently, no workaround is available. (BZ#1517383)