Bug 1576502 - Segmentation fault when ldap mapper is used in pam_pkcs11
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: pam_pkcs11
Version: 6.10
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Bob Relyea
QA Contact: Asha Akkiangady
Blocks: 1584793
Reported: 2018-05-09 15:43 UTC by Roshni
Modified: 2018-06-06 15:43 UTC
Last Closed: 2018-06-06 15:43:26 UTC

Description Roshni 2018-05-09 15:43:13 UTC
Description of problem:
Segmentation fault when ldap mapper is used in pam_pkcs11

Version-Release number of selected component (if applicable):
pam_pkcs11-0.6.2-17.el6.x86_64

How reproducible:
always

Steps to Reproduce:
1. pam_pkcs11.conf should have

use_mappers = ldap;

mapper ldap {
        debug = true;
        module = "/usr/$LIB/pam_pkcs11/ldap_mapper.so";
        # where base directory resides
        #basedir = "/etc/pam_pkcs11/mapdir";
        basedir = "/etc/pki/nssdb";
        # hostname of ldap server
        ldaphost = <ldap-host>;
        # Port on ldap server to connect
        ldapport = 636;
        # Scope of search: 0 = x, 1 = y, 2 = z
        scope = 2;
        # DN to bind with. Must have read-access for user entries under "base"
        binddn = "cn=Directory Manager";
        # Password for above DN
        passwd = "<password>";
        # Searchbase for user entries
        base = "ou=People,dc=pki-ca-ldap";
        # Attribute of user entry which contains the certificate
        attribute = userCertificate;
        # Searchfilter for user entry. Must only let pass user entry for the login user.
        filter = "(&(objectClass=posixAccount)(uid=%s))";
        #tls_checkpeer = 0
}

Actual results:
[root@dhcp129-77 ~]# pklogin_finder debug
DEBUG:pam_config.c:238: Using config file /etc/pam_pkcs11/pam_pkcs11.conf
DEBUG:pkcs11_lib.c:182: Initializing NSS ...
...
DEBUG:ldap_mapper.c:217: do_ssl_options
DEBUG:ldap_mapper.c:325: do_bind(): bind DN="cn=Directory Manager" pass="SECret.123"
DEBUG:ldap_mapper.c:358: do_bind rc=97
DEBUG:ldap_mapper.c:726: ldap_get_certificate(): entries = 0
Segmentation fault (core dumped)


Expected results:


Additional info:
I do not see this issue if pam_pkcs11.conf has

use_mappers = cn, uid, pwent, null, ldap;

