Bug 1576502

Summary: Segmentation fault when ldap mapper is used in pam_pkcs11
Product: Red Hat Enterprise Linux 6 Reporter: Roshni <rpattath>
Component: pam_pkcs11Assignee: Bob Relyea <rrelyea>
Status: CLOSED WONTFIX QA Contact: Asha Akkiangady <aakkiang>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 6.10CC: nmavrogi, rrelyea
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1584793 (view as bug list) Environment:
Last Closed: 2018-06-06 15:43:26 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 1584793    

Description Roshni 2018-05-09 15:43:13 UTC
Description of problem:
Segmentation fault when ldap mapper is used in pam_pkcs11

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. pam_pkcs11.conf should have

use_mappers = ldap;

mapper ldap {
                debug = true;
                module = "/usr/$LIB/pam_pkcs11/ldap_mapper.so";
                # where base directory resides
                #basedir = "/etc/pam_pkcs11/mapdir";
                basedir = "/etc/pki/nssdb";
                # hostname of ldap server
                ldaphost = <ldap-host>;
                # Port on ldap server to connect
                ldapport = 636;
                # Scope of search: 0 = x, 1 = y, 2 = z
                scope = 2;
                # DN to bind with. Must have read-access for user entries under "base"
                binddn = "cn=Directory Manager";
                # Password for above DN
                passwd = "<password>";
                # Searchbase for user entries
                base = "ou=People,dc=pki-ca-ldap";
                # Attribute of user entry which contains the certificate
                attribute = userCertificate;
                # Searchfilter for user entry. Must only let pass user entry for the login user.
                filter = "(&(objectClass=posixAccount)(uid=%s))";
                #tls_checkpeer = 0

Actual results:
[root@dhcp129-77 ~]# pklogin_finder debug
DEBUG:pam_config.c:238: Using config file /etc/pam_pkcs11/pam_pkcs11.conf
DEBUG:pkcs11_lib.c:182: Initializing NSS ...
DEBUG:ldap_mapper.c:217: do_ssl_options
DEBUG:ldap_mapper.c:325: do_bind(): bind DN="cn=Directory Manager" pass="SECret.123"
DEBUG:ldap_mapper.c:358: do_bind rc=97
DEBUG:ldap_mapper.c:726: ldap_get_certificate(): entries = 0
Segmentation fault (core dumped)

Expected results:

Additional info:
I do not see this issue if pam_pkcs11.conf has

use_mappers = cn, uid, pwent, null, ldap;