Bug 439829 - simple password auth fails using NSS 3.11.99 or later
Summary: simple password auth fails using NSS 3.11.99 or later
Alias: None
Product: 389
Classification: Retired
Component: Directory Server
Version: 1.1.0
Hardware: x86_64
OS: Linux
Target Milestone: ---
Assignee: Rich Megginson
QA Contact: Ben Levenson
Depends On:
TreeView+ depends on / blocked
Reported: 2008-03-31 16:41 UTC by Perry Myers
Modified: 2015-03-20 17:50 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2015-03-20 17:50:05 UTC

Attachments (Terms of Use)
typescript output of running setup-ds.pl and ldapsearch commands (9.36 KB, text/plain)
2008-03-31 16:41 UTC, Perry Myers
no flags Details
diffs (9.47 KB, patch)
2008-04-03 16:01 UTC, Rich Megginson
no flags Details | Diff
cvs commit log (478 bytes, text/plain)
2008-04-03 21:10 UTC, Rich Megginson
no flags Details

Description Perry Myers 2008-03-31 16:41:14 UTC
Description of problem:
On a Fedora 9 Beta system, installed fedora-ds-base (NVR below).  Ran
setup-ds.pl to initialize the directory server.  Did a Typical setup using an
account called dirsrv as both user and group for the server.  See attached log
for typescript containing output of setup-ds.pl as well as output from
ldapsearch command used on ns-slapd run both with and without the -d parameter.

When running ns-slapd without -d parameter, password auth (-x param) does not
work for the ldapsearch/ldapmodify commands.  If I run the server manually with
-d 0, the password auth succeeds.

Version-Release number of selected component (if applicable):

How reproducible:
Every time

Steps to Reproduce:
1. Start with Fedora 9 Beta, install fedora-ds-base
2. Run setup-ds.pl and use default values for most options (see exceptions in 
3. Run ldapsearch as shown in the attachment while ns-slapd is running without
   the -d parameter.
Actual results:
ldap_bind: Invalid credentials (49)

Expected results:
pass auth should succeed and the search should work

Additional info:

Comment 1 Perry Myers 2008-03-31 16:41:14 UTC
Created attachment 299738 [details]
typescript output of running setup-ds.pl and ldapsearch commands

Comment 2 Perry Myers 2008-03-31 17:26:22 UTC
Posted this /etc/init.d/dirsrv patch on IRC... If you apply this change, things
work fine.  But we obviously don't want to be forced to run in debug mode

diff -Naur 1/etc/init.d/dirsrv 2/etc/init.d/dirsrv
--- 1/etc/init.d/dirsrv 2008-03-31 13:24:00.000000000 -0400
+++ 2/etc/init.d/dirsrv 2008-03-31 13:23:52.000000000 -0400
@@ -156,7 +156,7 @@
                 # init config environment will not apply to any other instance
                     [ -f /etc/sysconfig/dirsrv-$instance ] && .
-                    $exec -D $instbase/slapd-$instance -i $pidfile -w $startpidfile
+                    ( $exec -D $instbase/slapd-$instance -i $pidfile -w
$startpidfile -d 0 & ) > /dev/null 2>&1 < /dev/null
                 if [ $? -eq 0 ]; then
                     server_started=1 # well, perhaps not running, but started ok

Comment 3 Rich Megginson 2008-04-02 20:56:46 UTC
The problem is that NSS 3.11.99 requires the application to call fork() _before_
calling NSS_Initialize, for security reasons.  ds calls fork() _after_ calling
NSS_Initialize().  The fix will be a little bit tricky since we need to call
NSS_Initialize after the fork, but before detaching from the controlling
process, in case NSS needs to prompt on stdin for the tokens' passwords.

Comment 4 Rich Megginson 2008-04-03 16:01:36 UTC
Created attachment 300273 [details]

Comment 5 Rich Megginson 2008-04-03 21:10:13 UTC
Created attachment 300347 [details]
cvs commit log

Reviewed by: nkinder (Thanks!)
Files: see diff
Branch: HEAD
Fix Description: The new softokn in NSS 3.11.99 and later requires that
the server calls NSS_Init() after forking, but before detaching from the
controlling terminal.  In fact, this was always a requirement, but the
softokn in older NSS allow it.	However, it's possible that some
hardware crypto devices do not allow this and may not work with older
directory servers.  The fix is to move the nss/ssl initialization so
that it can be called at the right point, or from other points in cases
where the server does not fork (e.g. db2ldif).
Platforms tested: Fedora 9 i386, RHEL5 x86_64
Flag Day: no
Doc impact: no

Comment 8 Amita Sharma 2011-07-20 06:16:44 UTC
Based on comment#7, marking the bug as VERIFIED

Note You need to log in before you can comment on or make changes to this bug.