Bug 444058 - [RFE] getpwent() not working with nss_ldap+ lots of users; add '--enable-paged-results' for nss_ldap
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: nss_ldap
4.6
All Linux
Priority: medium  Severity: medium
: rc
: ---
Assigned To: Nalin Dahyabhai
: FutureFeature
Depends On:
Blocks:
Reported: 2008-04-24 15:58 EDT by Issue Tracker
Modified: 2015-07-13 08:48 EDT (History)
7 users

See Also:
Fixed In Version: 253-6.el4
Doc Type: Enhancement
Doc Text:
* Previously, the nss_ldap module provided by this package did not support paged results. Consequently, the entries returned by a getpwent() query could be incomplete if the LDAP server imposed a limit on the number of entries allowed in a single lookup. For example, Active Directory permits only 1024 entries in a single lookup, so a getpwent() query in this environment would return only 1024 entries and then fail silently. The nss_ldap module is now compiled with the --enable-paged-results option. This provides the requesting process with the complete set of results.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-05-18 16:20:19 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments: None
Description Issue Tracker 2008-04-24 15:58:18 EDT
Escalated to Bugzilla from IssueTracker
Comment 1 Issue Tracker 2008-04-24 15:58:20 EDT
Please compile "nss_ldap" with support for paged results ('--enable-paged-results').

This is required for LDAP server implementations that limit the number of entries returned at a single lookup (i.e. Active Directory caps at 1024; openldap at least has a configuration option). We have in excess of 16k users on some machines.

Enumerating users via getpwent() on a machine with nss_ldap otherwise will silently fail (i.e. not return the full user list, just whatever comes across on the first try).

This affects both RHEL4 and RHEL5. We have verified that recompiling the RHEL4 nss_ldap-226-20 with the above option fixes the issue for us.


PS: It appears that RHEL4 might get rebased to the same version as RHEL5.2 (as per https://bugzilla.redhat.com/show_bug.cgi?id=401731), but it would still need this option.


This event sent from IssueTracker by vincew  [SEG - Base OS]
 issue 172680
Comment 2 Issue Tracker 2008-04-24 15:58:21 EDT
getpwent() documentation says that

       An implementation that provides extended security controls may
       impose further implementation-defined restrictions on accessing
       the user database. In particular, the system may deny the
       existence of some or all of the user database entries associated
       with users other than the caller.

So as such this "works as documented" - but not via a security policy
and also affecting the "root" user.

I'd label this a bug, but not as a very high-priority one.

This event sent from IssueTracker by vincew  [SEG - Base OS]
 issue 172680
Comment 3 Issue Tracker 2008-04-24 15:58:22 EDT
1. Provide time and date of the problem
Problem can be recreated every time on customer machine.

2. Provide clear and concise problem description as it is understood at
the time of escalation
A few LDAP implementations restrict the number of entries returned in
a single lookup. For example, Active Directory sets this number to 1024.
For nss_ldap which is not compiled with the --enable-paged-results option,
the number of entries returned will be restricted to the number returned by
the ldap server in a single lookup. So on Active Directory for example,
requesting password entries using 'getent passwd' will return only
1024 entries.
* Observed behavior
For a large lookup, only part of the set of users will be available.
* Desired behavior
nss_ldap compiled with --enable-paged-results. This allows the requesting
process to see the complete set of results returned.


3. State specific action requested of SEG
Escalate to engineering with request to compile with
--enable-paged-results.

4. State whether or not a defect in the product is suspected
The customer requests that this problem be treated as a bug.

5. If there is a proposed patch, make sure it is in unified diff format
(diff -pruN)
Yes, compile with --enable-paged-results.

1. State other actions already taken in working the problem:
* tech-list, google searches, fulltext, consulting with another engineer
* Provide any relevant data found

LDAP Control Extension for Simple Paged Results Manipulation
http://www.ietf.org/rfc/rfc2696

2. Attach sosreport
Any RHEL 4 system will do.

3. Attach other supporting data
http://www.tkk.fi/cc/docs/kerberos/nss_ldap.html
Please check the section 'Known Limitations'.

4. Provide issue repro information:
Needs Active Directory ldap server.

5. List any known hot-fix packages on the system
-

6. List any customer applied changes from the last 30 days
-

Issue escalated to Support Engineering Group by: sprabhu.
Internal Status set to 'Waiting on SEG'

This event sent from IssueTracker by vincew  [SEG - Base OS]
 issue 172680
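The RFC 2696 simple paged results mechanism that comments 1 and 3 ask for, as an added example that is not nss_ldap's code or part of this bug report: it encodes and decodes the paged results control value and runs the client paging loop against a constructed in-memory directory that, like the Active Directory limit quoted above, returns at most 1024 entries per search and silently truncates an unpaged one. The CappedDirectory stand-in, its cookie format and the user names are all constructed for this example.

```python
# RFC 2696 paged results: control value (OID 1.2.840.113556.1.4.319) and
# client loop, run against a constructed server stand-in (added example).
SERVER_PAGE_CAP = 1024  # entries per search, the Active Directory limit cited in the bug

def _ber_len(n):
    if n < 0x80:  # short-form definite length
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")  # long form
    return bytes([0x80 | len(body)]) + body

def _ber_read_len(buf, i):
    if buf[i] < 0x80:
        return buf[i], i + 1
    n = buf[i] & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def encode_paged_control(size, cookie=b""):
    # realSearchControlValue ::= SEQUENCE { size INTEGER, cookie OCTET STRING }
    size_bytes = size.to_bytes((size.bit_length() + 8) // 8, "big")  # keeps sign bit clear
    inner = b"\x02" + _ber_len(len(size_bytes)) + size_bytes
    inner += b"\x04" + _ber_len(len(cookie)) + cookie
    return b"\x30" + _ber_len(len(inner)) + inner

def decode_paged_control(value):
    assert value[0] == 0x30, "not a SEQUENCE"
    _, i = _ber_read_len(value, 1)
    assert value[i] == 0x02, "size must be an INTEGER"
    n, i = _ber_read_len(value, i + 1)
    size, i = int.from_bytes(value[i:i + n], "big", signed=True), i + n
    assert value[i] == 0x04, "cookie must be an OCTET STRING"
    n, i = _ber_read_len(value, i + 1)
    return size, value[i:i + n]

class CappedDirectory:
    """Constructed stand-in: hands back at most SERVER_PAGE_CAP entries per search."""
    def __init__(self, n_users):
        self.users = ["user%05d" % i for i in range(n_users)]  # constructed sample data
    def search(self, control=None):
        if control is None:  # unpaged search: truncated with no error, as the report describes
            return self.users[:SERVER_PAGE_CAP], None
        size, cookie = decode_paged_control(control)
        start = int.from_bytes(cookie, "big") if cookie else 0  # cookie = offset (constructed)
        end = min(start + min(size, SERVER_PAGE_CAP), len(self.users))
        cookie = b"" if end >= len(self.users) else end.to_bytes(4, "big")  # empty = last page
        return self.users[start:end], encode_paged_control(len(self.users), cookie)

def enumerate_paged(directory, page_size=500):
    # Re-issue the search with the server's cookie until it returns an empty one.
    cookie, results = b"", []
    while True:
        entries, resp = directory.search(encode_paged_control(page_size, cookie))
        results.extend(entries)
        _, cookie = decode_paged_control(resp)
        if not cookie:
            return results
```

Comparing `len(CappedDirectory(16384).search()[0])` with `len(enumerate_paged(...))` reproduces the gap the reporter saw between an unpaged and a paged enumeration of a 16k-user directory.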
Comment 14 Ruediger Landmann 2009-05-04 22:44:40 EDT
Release note added. If any revisions are required, please set the 
"requires_release_notes" flag to "?" and edit the "Release Notes" field accordingly.
All revisions will be proofread by the Engineering Content Services team.

New Contents:
* Previously, the nss_ldap module provided by this package did not support paged results. Consequently, the entries returned by a getpwent() query could be incomplete if the LDAP server imposed a limit on the number of entries allowed in a single lookup. For example, Active Directory permits only 1024 entries in a single lookup, so a getpwent() query in this environment would return only 1024 entries and then fail silently. The nss_ldap module is now compiled with the --enable-paged-results option. This provides the requesting process with the complete set of results.
Comment 15 errata-xmlrpc 2009-05-18 16:20:19 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2009-0986.html
