1.135. nss_ldap
1.135.1. RHBA-2009:1527: bug fix update
Note
This update has already been released (prior to the GA of this release) as errata RHBA-2009:1527.
The nss_ldap package includes two LDAP access clients: nss_ldap and pam_ldap. nss_ldap is a plugin for the standard C library which allows applications to look up information about users and groups using a directory server. The pam_ldap module is a Pluggable Authentication Module (PAM) which provides for authentication, authorization and password changing against LDAP servers.
This update fixes the following bug in the nss_ldap module:
* If a bind operation timed out, a NULL value was incorrectly assigned to an argument of ldap_parse_result. Consequently, when the nss_ldap module was configured to encrypt traffic to the directory server with the "ssl start_tls" option and TLS negotiation took longer than the "bind_timelimit" value set in /etc/ldap.conf, the client module crashed with an assertion failure. With this update, the ldap_parse_result argument is no longer set to NULL when the bind operation times out, and the assertion failure no longer occurs. (BZ#529376)
Note: The default bind_timelimit is 30 seconds, and this bug did not normally trigger unless the value was set below that default. It was possible to work around the issue by increasing bind_timelimit (for example, to 60 seconds), but doing so only masked the underlying defect.
All nss_ldap users are advised to upgrade to this updated package, which resolves this issue.
1.135.2. RHBA-2010:0260: bug fix update
An updated nss_ldap package that fixes various bugs is now available.
The nss_ldap package includes two LDAP access clients: nss_ldap and pam_ldap. nss_ldap is a plug-in for the standard C library which allows applications to look up information about users and groups using a directory server. The pam_ldap module is a Pluggable Authentication Module (PAM) which provides for authentication, authorization and password changing against LDAP servers.
This package addresses the following bugs:
* The nss_ldap package did not support case-sensitive name matching, which could cause group membership not to be matched to the correct users. With this update, name resolution for user, group, and shadow information can be forced to be performed case-sensitively by setting "nss_check_case yes" in /etc/ldap.conf; the default remains "nss_check_case no". With the option enabled, group membership is matched to the correct users. (BZ#518911)
* When running commands, the nss_ldap library sometimes failed an assertion, causing the application to fail. With this update, bind_timelimit in /etc/ldap.conf can be set to a low value (for example, 2); if the bind times out, nss_ldap now logs a debug message instead of failing an assertion. (BZ#499302)
* With "bind_policy soft" set in /etc/ldap.conf and hostname resolution configured to use only the 'ldap' service, no information about the directory server can be resolved without first contacting it, because the server's own hostname would have to be looked up in the server. Running the command getent -s 'ldap' passwd in this state caused a segmentation fault. This updated nss_ldap package ensures that no segmentation fault occurs; the correct way to query the server in the outlined case, however, is getent -s 'passwd:ldap' passwd, which overrides the service for the passwd database only and leaves hostname resolution to the sources configured in /etc/nsswitch.conf. (BZ#448883)
* When 'ldap' was listed before 'dns' for the hosts database in /etc/nsswitch.conf and the directory server's hostname was not in /etc/hosts, nss_ldap caused segmentation faults in nscd, getent, and any other process that used the library while communicating with secondary OpenLDAP servers. This package update ensures that nss_ldap no longer segfaults when interacting with OpenLDAP servers. (BZ#472920)
* The nss_ldap package could write to a socket that was no longer connected to an LDAP server. This resulted in an EPIPE error being returned and all shell commands ceasing to work when logged in as an LDAP user. To fix this bug, SIGPIPE is now unblocked when the connection is closed in the forked child process, which allows shell commands to continue to function. (BZ#454315)
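The configuration conditions described in both errata above (an "ssl start_tls" setup with bind_timelimit below the 30-second default, nss_check_case left at its case-insensitive default, and a hosts lookup order that consults ldap before dns) can be checked from the shell. The following audit script is an added example written for this page; it is not Red Hat's or the nss_ldap project's own code. It assumes the ldap.conf "directive value" line format and the nsswitch.conf "hosts: service ..." format, and the two configurations it writes to a temporary directory are constructed samples so that it runs offline. The function names are this example's own.

```shell
# Added example, not Red Hat's or nss_ldap's own code: audit an nss_ldap
# /etc/ldap.conf and /etc/nsswitch.conf for the settings these errata discuss.
# The configurations below are constructed samples; point the check functions
# at the real files to audit a host.

# Value of the first non-comment occurrence of <directive> in <file>
# (directive matched case-insensitively); prints nothing if absent.
conf_get() {  # conf_get <ldap.conf> <directive>
    awk -v key="$2" '$1 !~ /^#/ && tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Service list of the "hosts:" database in nsswitch.conf, e.g. "files dns".
nss_hosts() {  # nss_hosts <nsswitch.conf>
    awk '$1 == "hosts:" { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# BZ#529376 / BZ#499302: with "ssl start_tls", a bind_timelimit below the
# 30-second default can expire while TLS is still negotiating; pre-update
# packages then died on an assertion. Prints "warn" or "ok".
check_tls_timeout() {  # check_tls_timeout <ldap.conf>
    ssl=$(conf_get "$1" ssl)
    limit=$(conf_get "$1" bind_timelimit)
    case "$limit" in
        ''|*[!0-9]*) limit=30 ;;   # unset or malformed: the documented default applies
    esac
    if [ "$ssl" = start_tls ] && [ "$limit" -lt 30 ]; then
        echo "  ssl start_tls with bind_timelimit $limit (< 30)" >&2
        echo warn
    else
        echo ok
    fi
}

# BZ#518911: lookups are case-insensitive unless "nss_check_case yes" is set,
# so a name can match a directory entry that differs only in letter case.
check_case() {  # check_case <ldap.conf>
    if [ "$(conf_get "$1" nss_check_case)" = yes ]; then
        echo ok
    else
        echo "  nss_check_case is not 'yes': name matching is case-insensitive" >&2
        echo warn
    fi
}

# BZ#448883 / BZ#472920: the directory server's hostname must be resolvable
# without the directory. Warn when the hosts database consults ldap before
# dns (or has no dns at all), the ordering that crashed pre-update packages.
check_host_order() {  # check_host_order <nsswitch.conf>
    nss_hosts "$1" | awk '{
        found = 1; l = 0; d = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "ldap" && !l) l = i
            if ($i == "dns"  && !d) d = i
        }
        if (l && (!d || l < d)) print "warn"; else print "ok"
    } END { if (!found) print "ok" }'
}

SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# Constructed sample: every condition the errata describe is present.
cat > "$SAMPLE_DIR/ldap.conf.weak" <<'EOF'
uri ldap://ldap.example.com/
ssl start_tls
bind_timelimit 5
bind_policy soft
EOF
cat > "$SAMPLE_DIR/nsswitch.conf.weak" <<'EOF'
passwd: files ldap
hosts:  ldap dns
EOF

# Constructed sample: the corrected settings.
cat > "$SAMPLE_DIR/ldap.conf.fixed" <<'EOF'
uri ldap://ldap.example.com/
ssl start_tls
bind_timelimit 30
nss_check_case yes
EOF
cat > "$SAMPLE_DIR/nsswitch.conf.fixed" <<'EOF'
passwd: files ldap
hosts:  files dns
EOF

# One summary line per configuration pair.
audit() {  # audit <ldap.conf> <nsswitch.conf>
    echo "$1: tls_timeout=$(check_tls_timeout "$1")" \
         "nss_check_case=$(check_case "$1")" \
         "host_order=$(check_host_order "$2")"
}
audit "$SAMPLE_DIR/ldap.conf.weak"  "$SAMPLE_DIR/nsswitch.conf.weak"
audit "$SAMPLE_DIR/ldap.conf.fixed" "$SAMPLE_DIR/nsswitch.conf.fixed"
```

On a real host, call the check functions with /etc/ldap.conf and /etc/nsswitch.conf; each prints "ok" or "warn" on stdout and the reason on stderr, so the verdicts can be collected by a wrapper while the explanations stay visible. A "warn" from check_host_order does not by itself mean a crash on updated packages, but it does mean the directory server's name resolution depends on the directory itself, which is the configuration that the getent -s 'passwd:ldap' passwd form is meant to sidestep.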
All nss_ldap users are advised to upgrade to this updated package, which resolves these issues.