useradd failure under ldap with tls

Daniel J Walsh dwalsh at redhat.com
Mon Jun 18 19:39:28 UTC 2007


Chaos Golubitsky wrote:
> When i manage user data via LDAP (using pam_ldap), useradd/usermod/etc
> fail when run from scripts.  In particular, e.g.
>
>   # yum install httpd
>
> fails because the "useradd apache" command hangs.
>
> Audit2allow suggests:
>
>   allow useradd_t urandom_device_t:chr_file { getattr read };
>
> If i modify my LDAP configuration so that connections are not encrypted
> using TLS, the useradd succeeds.
>
>
> I think that, when LDAP is in use, anyone who needs to query the passwd
> or group map [1] should be able to read /dev/urandom so they can initiate
> TLS LDAP connections.  But i don't know enough about the layout of the
> SELinux policy to speculate on whether the problem is that:
> (a) The PAM/LDAP client policy is ignorant of TLS
> (b) The useradd/etc policy is ignorant of LDAP
> (c) Something else
>
> Any suggestions would be appreciated.  I have "solved" this for my own
> purposes the hackish way (i.e. by doing what audit2allow recommends, as
> a standalone module), but i'd like to be able to recommend a real patch.
>
> Thanks.
>
> Chaos
>
> [1] The useradd/usermod/etc commands need to query passwd maps in order
> to fail with an error if a central user conflicts with the user being
> created.
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Which OS are you using?  I will make the change.