Red Hat Bugzilla – Bug 210120
PAM passthru plugin causes directory server to crash
Last modified: 2015-12-07 12:07:18 EST
Description of problem:
Providing an incorrect authentication parameters for LDAP bind operation
causes pam_passthru-plugin to pass a NULL pointer string to the system PAM
authentication modules which will crash.
Behaviour should be reproduceable with all versions.
Steps to Reproduce:
1. Make sure kerberos is used for PAM authentication
2. Enable pam_passthru -plugin
3. ldapsearch -x -D 'asdasdadf' -w asdasfas
4. Directory server crashes
Server is running fine and working correctly with a valid query like:
ldapsearch -x -b 'dc=valid,dc=data -D 'uid=user,ou=People,dc=valid,dc=data' -w
But providing incorrect bind data crashes server immediately:
[root@auth0 fedora-ds]# ldapsearch -x -b 'dc=valid,dc=data -D 'blah123' -w
ldap_bind: Can't contact LDAP server (-1)
A patch to fix this problem is provided as attachment. The fix was to prevent
str being NULL.
Created attachment 138116 [details]
Simple patch to fix the issue
In order to accept your patch into the codebase, we need to have a signed
Contributor License Agreement from you - see
http://directory.fedora.redhat.com/wiki/Contributing for more details. We are
just about to release Fedora DS 1.0.3 and we would really like to get this bug
fix in, so please send in the CLA as soon as possible. And thanks again.
Created attachment 138150 [details]
The previous patch would fix the problem, but I think it is better to just skip
the pam processing if there is a problem with the given bind dn.
Looks good to me.
Reviewed by: nhosoi (Thanks!)
Fix Description: If the DN given in the BIND request is bogus i.e. not a valid
DN (at least not one that ldap_explode_dn can parse), we should just skip the
PAM processing and just report a reasonable error to the client. Similarly, if
the map method says to lookup the pam ID from the bind DN entry, and the entry
cannot be found, just report an error and skip pam processing.
Platforms tested: FC5
Flag Day: no
Doc impact: no
Checking in pam_ptimpl.c;
new revision: 1.9; previous revision: 1.8
I'm punting this because the pam_pasthrough plugin is not shipped with redhat-ds.
PAM passthrough startup Tests PASS : 100% (13/13)
PAM passthrough run Tests PASS : 100% (9/9)
PAM passthrough cleanup Tests PASS : 100% (5/5)
hence marking Verified -sanity only.