Bug 1576502 - Segmentation fault when ldap mapper is used in pam_pkcs11
Summary: Segmentation fault when ldap mapper is used in pam_pkcs11
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: pam_pkcs11
Version: 6.10
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
: ---
Assignee: Bob Relyea
QA Contact: Asha Akkiangady
Depends On:
Blocks: 1584793
TreeView+ depends on / blocked
Reported: 2018-05-09 15:43 UTC by Roshni
Modified: 2018-06-06 15:43 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1584793 (view as bug list)
Last Closed: 2018-06-06 15:43:26 UTC
Target Upstream Version:

Attachments (Terms of Use)

Description Roshni 2018-05-09 15:43:13 UTC
Description of problem:
Segmentation fault when ldap mapper is used in pam_pkcs11

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. pam_pkcs11.conf should have

use_mappers = ldap;

mapper ldap {
                debug = true;
                module = "/usr/$LIB/pam_pkcs11/ldap_mapper.so";
                # where base directory resides
                #basedir = "/etc/pam_pkcs11/mapdir";
                basedir = "/etc/pki/nssdb";
                # hostname of ldap server
                ldaphost = <ldap-host>;
                # Port on ldap server to connect
                ldapport = 636;
                # Scope of search: 0 = x, 1 = y, 2 = z
                scope = 2;
                # DN to bind with. Must have read-access for user entries under "base"
                binddn = "cn=Directory Manager";
                # Password for above DN
                passwd = "<password>";
                # Searchbase for user entries
                base = "ou=People,dc=pki-ca-ldap";
                # Attribute of user entry which contains the certificate
                attribute = userCertificate;
                # Searchfilter for user entry. Must only let pass user entry for the login user.
                filter = "(&(objectClass=posixAccount)(uid=%s))";
                #tls_checkpeer = 0

Actual results:
[root@dhcp129-77 ~]# pklogin_finder debug
DEBUG:pam_config.c:238: Using config file /etc/pam_pkcs11/pam_pkcs11.conf
DEBUG:pkcs11_lib.c:182: Initializing NSS ...
DEBUG:ldap_mapper.c:217: do_ssl_options
DEBUG:ldap_mapper.c:325: do_bind(): bind DN="cn=Directory Manager" pass="SECret.123"
DEBUG:ldap_mapper.c:358: do_bind rc=97
DEBUG:ldap_mapper.c:726: ldap_get_certificate(): entries = 0
Segmentation fault (core dumped)

Expected results:

Additional info:
I do not see this issue if pam_pkcs11.conf has

use_mappers = cn, uid, pwent, null, ldap;

Note You need to log in before you can comment on or make changes to this bug.