Red Hat ENTERPRISE LINUX 5.5 - TECHNICAL NOTES Manual page 193

An updated nss_ldap package is now available for Red Hat Enterprise Linux 5.
The nss_ldap package includes two LDAP access clients: nss_ldap and pam_ldap. nss_ldap is a
plugin for the standard C library which allows applications to look up information about users and
groups using a directory server. The pam_ldap module is a Pluggable Authentication Module (PAM)
which provides for authentication, authorization and password changing against LDAP servers.
This update fixes the following bug in the nss_ldap module:
* a NULL value was incorrectly assigned to an ldap_parse_result argument if the bind operation
timed out. Consequently, if the nss_ldap module was configured to encrypt traffic to the directory
server using the "ssl start_tls" option and TLS negotiation took longer than the "bind_timelimit" value
set in /etc/ldap.conf, the client module would crash with an Assertion error. With this update, the
ldap_parse_result argument is not set to NULL if the bind operation times out and the Assertion error
no longer occurs.
(BZ#529376)
Note: The default bind_timelimit is 30 seconds and this bug did not normally trigger unless the value
was set to less than this default. Further, it was possible to work around this issue by increasing the
bind_timelimit (for example, to 60 seconds). This only masked the underlying issue, however.
All nss_ldap users are advised to upgrade to this updated package, which resolves this issue.
1.135.2. RHBA-2010:0260: bug fix update
An updated nss_ldap package that fixes various bugs is now available.
The nss_ldap package includes two LDAP access clients: nss_ldap and pam_ldap. nss_ldap is a plug-in
for the standard C library which allows applications to look up information about users and groups
using a directory server. The pam_ldap module is a Pluggable Authentication Module (PAM) which
provides for authentication, authorization and password changing against LDAP servers.
This package addresses the following bugs:
* The nss_ldap package did not support case sensitive text. This could cause group membership not
to be matched to the users. To correct this, name resolution for user, group, and shadow information
can now be forced to be performed in a case sensitive manner by setting "nss_check_case yes"
in /etc/ldap.conf. The default setting remains as "nss_check_case no". This fix results in group
membership being matched to the correct users.
* When running commands, sometimes the nss_ldap library would produce assertion errors, leading
to application failure. To fix this bug, the nss_ldap package has been modified to allow for bind_timeout
in /etc/ldap.conf to be set to a low value (for example, 2). If the bind performed does time out, it now
performs a debug request instead of producing assertion errors.
* By setting the value 'bind_policy soft' in the /etc/ldap.conf file and configuring hostname resolution
to only use 'ldap', it becomes impossible to resolve any information about the server without first
contacting it. This meant that when using the command getent -s 'ldap' passwd, a segmentation fault
would occur. This updated nss_ldap package ensures that no segmentation fault occurs; however, the
correct way to access the server information in the outlined case would be to use the command getent
-s 'passwd:ldap' passwd.
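The following script is an added example, not part of the Red Hat notes: it audits an ldap.conf for the settings the two advisories above discuss (ssl start_tls with a bind_timelimit below the 30-second default, nss_check_case, bind_policy soft). The function names, the sample configuration, the case-insensitive key matching and the "last occurrence wins" handling are assumptions of this example.

```sh
#!/bin/sh
# audit_ldap_conf [FILE]: report the nss_ldap settings discussed in the
# advisories above. Reads FILE, or standard input when no FILE is given.
# Defaults come from the text: bind_timelimit 30, nss_check_case no.
# Assumptions: keys match case-insensitively; the last occurrence wins.
audit_ldap_conf() {
    awk '
        BEGIN { tl = 30; cc = "no"; tls = 0; soft = 0 }
        /^[ \t]*(#|$)/ { next }               # skip comments and blank lines
        {
            key = tolower($1); val = tolower($2)
            if (key == "bind_timelimit" && val ~ /^[0-9]+$/) tl = val + 0
            else if (key == "ssl")            tls  = (val == "start_tls")
            else if (key == "nss_check_case") cc   = val
            else if (key == "bind_policy")    soft = (val == "soft")
        }
        END {
            # Condition under which the assertion error was reported.
            if (tls && tl < 30)
                print "WARN start_tls with bind_timelimit " tl " (below default 30): assertion error on pre-update nss_ldap"
            if (cc != "yes")
                print "INFO nss_check_case is " cc ": lookups are not forced to be case sensitive"
            if (soft)
                print "INFO bind_policy soft: query with getent -s passwd:ldap passwd"
        }
    ' "${1:--}"
}

# Constructed sample configuration (not taken from a real host).
sample_conf() {
    cat <<'EOF'
# /etc/ldap.conf (constructed sample)
uri ldap://ldap.example.com/
ssl start_tls
bind_timelimit 2
bind_policy soft
EOF
}

sample_conf | audit_ldap_conf
```

On a real host, run `audit_ldap_conf /etc/ldap.conf`; raising bind_timelimit clears the warning but, as the note above says, only masks the defect on a package that has not been updated.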
References:
BZ#529376: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=529376
BZ#518911: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=518911
BZ#499302: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=499302
BZ#448883: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=448883