How To Fix RHEL / CentOS 6.4 LDAP MD5 Cert Error
Recently we updated to the latest RHEL 6.4, which caused LDAP to stop using our MD5-signed certificate. This was due to the nss-3.14.0 update, which now treats MD5 as insecure. As a result, authentication of users through LDAP failed; accounts that had a local password (such as root) were still able to log in.
Since creating / updating the MD5 certificate was not an immediate solution for us, we had to find a way to use what we have while we work on a permanent solution. Here are a few of the workarounds.
Option 1
The first option involves modifying each kernel line in /etc/grub.conf to add support for MD5, as well as creating a file in /etc/profile.d that exports the same variable. In our situation this option did not work, but for others on the Internet it did.
Add the following to the end of each kernel line in /etc/grub.conf:
systemd.setenv=NSS_HASH_ALG_SUPPORT=+MD5
Create /etc/profile.d/nss.sh containing:
export NSS_HASH_ALG_SUPPORT=+MD5
Reboot the server
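Editing every kernel line by hand is error-prone, and running a careless sed twice leaves the parameter duplicated. The following POSIX shell script is an added example (not code from the original post) that applies the Option 1 grub.conf edit idempotently: each kernel line gets the parameter appended exactly once, and a second run changes nothing. The sample grub.conf content and its kernel version strings are constructed for the demo, not taken from a real system.

```shell
#!/bin/sh
# Added example (not from the original post): apply the Option 1 grub.conf
# edit idempotently. Every "kernel" line that lacks the parameter gets it
# appended once; lines that already carry it are left unchanged.

NSS_PARAM='systemd.setenv=NSS_HASH_ALG_SUPPORT=+MD5'

# make_sample_grub FILE: write a constructed grub.conf with two boot entries
# (the kernel version strings are placeholders, not real package versions).
make_sample_grub() {
    cat > "$1" <<'EOF'
default=0
timeout=5
title Example Linux (2.6.32-example.1)
        root (hd0,0)
        kernel /vmlinuz-2.6.32-example.1 ro root=/dev/mapper/vg-root rhgb quiet
        initrd /initramfs-2.6.32-example.1.img
title Example Linux (2.6.32-example.0)
        root (hd0,0)
        kernel /vmlinuz-2.6.32-example.0 ro root=/dev/mapper/vg-root rhgb quiet
        initrd /initramfs-2.6.32-example.0.img
EOF
}

# add_nss_param FILE: append $NSS_PARAM to each kernel line that does not
# already contain it. The file is rewritten in place through a temp copy.
add_nss_param() {
    f="$1"
    tmp="$f.tmp"
    awk -v p="$NSS_PARAM" '
        /^[ \t]*kernel[ \t]/ && index($0, p) == 0 { $0 = $0 " " p }
        { print }
    ' "$f" > "$tmp" && mv "$tmp" "$f"
}

# kernel_lines FILE: number of kernel lines in the file.
kernel_lines() {
    grep -c '^[[:space:]]*kernel[[:space:]]' "$1"
}

# param_lines FILE: number of lines carrying the NSS parameter (0 if none).
param_lines() {
    grep -Fc "$NSS_PARAM" "$1" || true
}

# Demo on a throwaway copy of a grub.conf: run the edit twice and show that
# the parameter count still equals the kernel-line count.
demo_grub() {
    f=$(mktemp)
    make_sample_grub "$f"
    add_nss_param "$f"
    add_nss_param "$f"   # second run is a no-op
    echo "kernel lines: $(kernel_lines "$f"), with parameter: $(param_lines "$f")"
    rm -f "$f"
}
demo_grub
```

Point add_nss_param at a copy of /etc/grub.conf, diff the copy against the original, and only then move it into place; the awk program matches only lines that start with kernel, so title, root and initrd lines are never touched.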
Option 2
The second option adds the export line to /etc/sysconfig/init. This option worked for allowing users to connect via ssh, but it did not allow authentication when accessing via a console, such as the Open Console option in vSphere.
Add to /etc/sysconfig/init:
export NSS_HASH_ALG_SUPPORT=+MD5
Reboot the server
Option 3
The third option involves downgrading the nss packages to 3.13 and adding an exclusion in /etc/yum.conf so that a later update cannot install nss 3.14 or higher. This was the option that worked for our situation.
You will need to downgrade nss, nss-tools, nss-sysinit and nss-util.
yum downgrade nss nss-tools nss-sysinit nss-util
Next, open /etc/yum.conf and add (or change) the exclude line:
exclude=nss*
Reboot the server
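The "add / change" step matters: if /etc/yum.conf already has an exclude= line, a second one is not what you want; the nss pattern has to be merged into the existing list. The following POSIX shell script is an added example (not code from the original post) that performs the Option 3 exclusion edit on a yum.conf copy: it appends nss* to the first existing exclude= line if one is present, otherwise inserts a new exclude= line directly under [main], and does nothing on a second run. The sample yum.conf contents are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): add the Option 3 exclusion to
# a yum.conf. If an exclude= line already exists, the pattern is appended
# to it (once); otherwise a new exclude= line is inserted right after
# [main]. Running it twice leaves the file unchanged.

# make_sample_yum_conf FILE [EXCLUDE_LINE]: write a constructed minimal
# yum.conf, optionally with a pre-existing exclude= line.
make_sample_yum_conf() {
    {
        echo '[main]'
        echo 'cachedir=/var/cache/yum/$basearch/$releasever'
        echo 'keepcache=0'
        [ -n "$2" ] && echo "$2"
        echo 'gpgcheck=1'
        echo 'plugins=1'
    } > "$1"
}

# add_yum_exclude FILE PATTERN: merge PATTERN into the first exclude= line,
# or create one under [main] when the file has none.
add_yum_exclude() {
    f="$1"; pat="$2"; tmp="$f.tmp"
    if grep -q '^exclude=' "$f"; then
        awk -v pat="$pat" '
            /^exclude=/ && !done {
                val = substr($0, 9)                 # text after "exclude="
                n = split(val, items, /[ ,]+/)      # yum accepts space or comma
                found = 0
                for (i = 1; i <= n; i++) if (items[i] == pat) found = 1
                if (!found) {
                    if (val == "") $0 = "exclude=" pat
                    else           $0 = $0 " " pat
                }
                done = 1
            }
            { print }
        ' "$f" > "$tmp"
    else
        awk -v pat="$pat" '
            { print }
            /^\[main\]/ { print "exclude=" pat }
        ' "$f" > "$tmp"
    fi
    mv "$tmp" "$f"
}

# yum_exclude_line FILE: print the current exclude= line (empty if none).
yum_exclude_line() {
    grep '^exclude=' "$1" || true
}

# Demo on two throwaway copies: one without an exclude line, one that
# already excludes kernel* and must keep it.
demo_yum() {
    a=$(mktemp); b=$(mktemp)
    make_sample_yum_conf "$a"
    make_sample_yum_conf "$b" 'exclude=kernel*'
    add_yum_exclude "$a" 'nss*'
    add_yum_exclude "$b" 'nss*'
    echo "fresh file:    $(yum_exclude_line "$a")"
    echo "existing list: $(yum_exclude_line "$b")"
    rm -f "$a" "$b"
}
demo_yum
```

After the edit, yum check-update will keep reporting the nss packages as excluded until the line is removed again, which is a convenient reminder that the downgrade is still in place.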
I hope one of these options helps you in your situation.