1.93. nss_ldap

An updated nss_ldap package that fixes multiple bugs is now available for Red Hat Enterprise Linux 5.

The nss_ldap package contains the nss_ldap and pam_ldap modules. The nss_ldap module is a plug-in which allows applications to retrieve information about users and groups from a directory server. The pam_ldap module allows a directory server to be used by PAM-aware applications to verify user passwords.

This update fixes the following bugs:

* When looking up host names and addresses, the 'gethostbyname_r' function did not return a proper value for the 'errno_p' parameter when the length of the name or the address was less than was required. This resulted in the host name and the address being overlooked and not returned. With this update, the aforementioned function has been fixed and works as expected. ( BZ#468807)

* Under certain conditions, an application which spawned a new child process would begin exhibiting undefined behavior. This was caused by the 'free()' function being called in the 'fork()' function which resulted in a race and hung the application. This update fixes the race issue and the application no longer hangs. ( BZ#474181)

* Prior to this update, some processes would trigger SELinux policy denials when attempting to use a connection to a directory server which its parent process had opened. This was caused by a leaked file descriptor. With this update, file descriptors are no longer leaked, thus, SELinux policy denials are no longer triggered. ( BZ#500397)

* When using pluggable authentication modules (PAM), selected modules can be loaded and unloaded upon each authentication attempt. However, unloading the pam_ldap module could cause the memory that is allocated by libraries on which it depends to be lost. Consequent to this, multiple authentication attempts may have led to a significant memory loss. To prevent this, the pam_ldap module is no longer unloaded. ( BZ#511238)

* When authenticating users using a directory server which provides a password aging policy, a user whose password will expire in less than a day would not be warned of the impending expiration. With this update, a password expiry warning is shown that reminds the user of the impending password expiration. ( BZ#537358)

* When the "/etc/ldap.conf" configuration file contained an incomplete configuration or a setting with too large a value, a process which attempted to use nss_ldap could crash. With this update, a crash no longer occurs and an appropriate error is returned. ( BZ#538498)

* Adding a large amount of users (multiple kilobytes of usernames) to the 'nss_initgroups_ignoreusers' option in the "/etc/ldap.conf" configuration file resulted in an "Assertion failed" error when executing any nss_ldap related commands. With this update, adding multiple users to the 'nss_initgroups_ignoreusers' option works as expected. ( BZ#584157)

* When an LDAP context has been established, obtaining the list of groups a user belongs to could result in a memory leak. With this update, a patch has been applied to address this issue, and such memory leaks no longer occur. ( BZ#654650)

* Under certain circumstances, the nss_ldap module may have been unable to correctly process LDAP entries with a large number of group members. This was due to an error number being accidentally overwritten before the control was returned to the caller. When this happened, various utilities failed to produce expected results. With this update, this error has been fixed, the error number is no longer overwritten, and affected utilities now work properly. ( BZ#661630)

All users of nss_ldap are advised to upgrade to this updated package, which resolves these issues.

An updated nss_ldap package that fixes various bugs is now available for Red Hat Enterprise Linux 5.

The nss_ldap package contains the nss_ldap and pam_ldap modules. The nss_ldap module is a plug-in which allows applications to retrieve information about users and groups from a directory server. The pam_ldap module allows a directory server to be used by PAM-aware applications to verify user passwords.

This update fixes the following bugs:

* When using pluggable authentication modules (PAM), selected modules can be loaded and unloaded upon each authentication attempt. However, unloading the pam_ldap module could cause the memory that is allocated by libraries on which it depends to be lost. Consequent to this, multiple authentication attempts may have led to a significant memory loss. To prevent this, the pam_ldap module is no longer unloaded. ( BZ#660236)

* When an LDAP context has been established, obtaining the list of groups a user belongs to could result in a memory leak. With this update, a patch has been applied to address this issue, and such memory leaks no longer occur. ( BZ#660456)

* Under certain circumstances, the nss_ldap module may have been unable to correctly process LDAP entries with a large number of group members. This was due to an error number being accidentally overwritten before the control was returned to the caller. When this happened, various utilities failed to produce expected results. With this update, this error has been fixed, the error number is no longer overwritten, and affected utilities now work properly. ( BZ#662939)

All users of nss_ldap are advised to upgrade to this updated package, which resolves these issues.