0

LDAP MD5 Cert Error on RHEL/CentOS 6.4+

With the update of nss-3.14.0 LDAP stopped using the MD5 signed certificate. nss-3.14.0 update deems that MD5 as unsecure. The change causes authentication of users using LDAP to fail. There are 4 possible ways to fix this problem

1) update the LDAP certificate to use other type of encryption than MD5

2) modify each kernel line in /etc/grub.conf to add support for MD5 and also in create nss.sh in /etc/profile.d

in /etc/grub.conf add to the end of each kernel line
systemd.setenv=NSS_HASH_ALG_SUPPORT=+MD5

in /etc/profile.d create nss.sh with
export NSS_HASH_ALG_SUPPORT=+MD5

REBOOT

3) export the correct options to /etc/sysconfig/init

in /etc/sysconfig/init add
export NSS_HASH_ALG_SUPPORT=+MD5

REBOOT

4) downgrade nss package back to 3.13 and add exclusion in /etc/yum.conf to not allow upgrade to nss 3.14 and higher. nss, nss-tools, nss-sysinit and nss-util will need to be downgraded

yum downgrade nss nss-tools nss-sysinit nss-util

Add to /etc/yum.conf
exclude=nss*

REBOOT

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.