Bug 1536135

Summary: Increase password value buffer size
Product: Red Hat Enterprise Linux 7
Reporter: Ming Davies <minyu>
Component: nss-pam-ldapd
Assignee: Jakub Hrozek <jhrozek>
Status: CLOSED DUPLICATE
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 7.3
CC: jhrozek, minyu, pkis
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-03-20 10:10:47 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Ming Davies 2018-01-18 16:55:00 UTC
Description of problem:
The latest package for nss-pam-ldap throws an access denied error if a user's password is over a certain length. This has been corrected in upstream releases: https://arthurdejong.org/nss-pam-ldapd/release-0-8-14

Customer would like Red Hat to fix the issue in our latest nss-pam-ldap package.


Version-Release number of selected component (if applicable):
nss-pam-ldapd.x86_64 0.8.13-8.el7

How reproducible:
The issue can be easily reproduced.

Steps to Reproduce:
1. Create an OpenLDAP instance
2. Create an LDAP user:
dn: uid=esmith,ou=users,dc=mytest,dc=com
uid: esmith
cn: Evie Smith
sn: Smith
mail: esmith
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 11586
gidNumber: 11585
homeDirectory: /home/esmith

3. Assign a 63-character password to the user esmith
# ldappasswd -s ykisqc8s4loz+ZL5wDP4l4TU5ZRkdrxQBUEfT0OSsPWUXZMN5JqHr6HNSQq9DRS -D "cn=manager,dc=mytest,dc=com" -w password -x "uid=esmith,ou=users,dc=mytest,dc=com"

4. ssh into an openldap client, all ok.

5. Assign a 64-character password to the user esmith
# ldappasswd -s ykisqc8s4loz+ZL5wDP4l4TU5ZRkdrxQBUEfT0OSsPWUXZMN5JqHr6HNSQq9DRSb -D "cn=manager,dc=mytest,dc=com" -w password -x "uid=esmith,ou=users,dc=mytest,dc=com"

6. ssh into an openldap client:
# ssh esmith@localhost
esmith@localhost's password: 
Permission denied, please try again.

Corresponding logs:
# tail /var/log/messages
...
Jan 18 16:35:23 tigger nslcd[2581]: [edbdab] client supplied argument 1 bytes too large

# tail /var/log/secure
Jan 18 16:35:23 tigger unix_chkpwd[2646]: password check failed for user (esmith)
Jan 18 16:35:23 tigger sshd[2644]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost  user=esmith
Jan 18 16:35:23 tigger sshd[2644]: pam_ldap(sshd:auth): error reading from nslcd: Connection reset by peer
Jan 18 16:35:26 tigger sshd[2644]: Failed password for esmith from ::1 port 42924 ssh2

Actual results:


Expected results:


Additional info:

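The log pair quoted in the report (nslcd's "client supplied argument N bytes too large" followed by pam_ldap's "Connection reset by peer" at the same second) is the signature an administrator can use to tell this buffer-size failure apart from an ordinary wrong-password attempt. The following Python script is an added example, not part of the bug report or of nss-pam-ldapd; it correlates the two log files on (timestamp, host) and names the user from the pam_unix line, and the sample log text is constructed from the lines quoted above.

```python
import re

# Log lines constructed from the nslcd and sshd messages quoted in this
# report (host, PIDs and timestamps are the report's own sample values).
MESSAGES_LOG = "Jan 18 16:35:23 tigger nslcd[2581]: [edbdab] client supplied argument 1 bytes too large\n"
SECURE_LOG = """\
Jan 18 16:35:23 tigger unix_chkpwd[2646]: password check failed for user (esmith)
Jan 18 16:35:23 tigger sshd[2644]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost  user=esmith
Jan 18 16:35:23 tigger sshd[2644]: pam_ldap(sshd:auth): error reading from nslcd: Connection reset by peer
Jan 18 16:35:26 tigger sshd[2644]: Failed password for esmith from ::1 port 42924 ssh2
"""

# Classic syslog layout: "Mon DD HH:MM:SS host prog[pid]: message"
SYSLOG = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
                    r"(?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
TOO_LARGE = re.compile(r"client supplied argument (?P<excess>\d+) bytes too large")
NSLCD_RESET = re.compile(r"pam_ldap\(\S+\): error reading from nslcd: Connection reset by peer")
PAM_USER = re.compile(r"\buser=(?P<user>\S+)")  # skips "ruser=" thanks to \b


def parse(text):
    # Yield one dict per line that matches the classic syslog layout.
    for line in text.splitlines():
        m = SYSLOG.match(line)
        if m:
            yield m.groupdict()


def find_oversized_credential_failures(messages, secure):
    """Return (timestamp, host, user, excess_bytes) for each pam_ldap failure that
    coincides with nslcd rejecting an oversized argument (the 64-char case here)."""
    # nslcd rejections indexed by (timestamp, host) for matching with the client side
    rejections = {}
    for rec in parse(messages):
        m = TOO_LARGE.search(rec["msg"]) if rec["prog"] == "nslcd" else None
        if m:
            rejections[(rec["ts"], rec["host"])] = int(m.group("excess"))
    users, hits = {}, []
    for rec in parse(secure):
        if rec["prog"] != "sshd":
            continue
        um = PAM_USER.search(rec["msg"])  # the pam_unix line names the user
        if um:
            users[rec["pid"]] = um.group("user")
        if NSLCD_RESET.search(rec["msg"]):
            key = (rec["ts"], rec["host"])
            if key in rejections:
                hits.append((rec["ts"], rec["host"], users.get(rec["pid"], "?"), rejections[key]))
    return hits
```

A non-empty result means the failure came from nslcd's request-size limit rather than from a bad credential, which is the case to check before advising a user to retry or to shorten a password.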
Comment 2 Jakub Hrozek 2018-01-18 19:12:09 UTC
Thank you for the bug report. I think this may be a duplicate of https://bugzilla.redhat.com/show_bug.cgi?id=1425790 which is already proposed for 7.5.0

Would the customer be interested in testing out the 7.5 packages to see if the backport fixes the problem for them?

Comment 9 Jakub Hrozek 2018-03-20 10:10:47 UTC

*** This bug has been marked as a duplicate of bug 1425790 ***