Bug 613555 - id returns failure when nss_ldap uses TLS and oneshot nss_connect_policy
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: nss_ldap
Version: 4.9
Hardware/OS: i386 Linux
Priority: high
Severity: high
Target Milestone: rc
Assigned To: Nalin Dahyabhai
QA Contact: Ondrej Moriš
Blocks: 661630
Reported: 2010-07-12 05:06 EDT by Ondrej Moriš
Modified: 2011-02-16 09:02 EST
Fixed In Version: nss_ldap-253-13.el4
Doc Type: Bug Fix
Doc Text:
The nss_ldap module did not always return an ERANGE error correctly if it failed to read an entry. This happened when the entry data was larger than expected and the application ignored the entry. With this update, the ERANGE error is returned as expected and a larger buffer to accommodate the entry is used.
Clones: 661630
Last Closed: 2011-02-16 09:02:47 EST

Attachments
nss_ldap configuration (267 bytes, text/plain), 2010-07-12 05:10 EDT, Ondrej Moriš
nsswitch configuration (336 bytes, text/plain), 2010-07-12 05:11 EDT, Ondrej Moriš


External Trackers
Tracker ID | Priority | Status | Summary | Last Updated
PADL Software 421 | None | None | None | Never
Red Hat Product Errata RHBA-2011:0239 | normal | SHIPPED_LIVE | nss_ldap bug fix update | 2011-02-15 11:35:01 EST

Description Ondrej Moriš 2010-07-12 05:06:24 EDT
Description of problem:

Command 'id omoris' from coreutils returns failure when TLS and the oneshot nss_connect_policy are used for nss_ldap and nsswitch is set up to look into ldap. Output seems to be correct.

Version-Release number of selected component (if applicable):

nss_ldap-253-7.el4_8.3

How reproducible:

Always.

Steps to Reproduce:

1. Set up nss_ldap to use TLS and oneshot nss_connect_policy.
   * see attached configuration (/etc/ldap.conf)

2. Download RH certificate to /etc/openldap/cacerts/.
   * from http://password.corp.redhat.com/newca.crt
   * do not forget to rehash certs directory (cacertdir_rehash <cert_dir>)

3. Set up nsswitch to use LDAP.
   * see attached configuration (/etc/nsswitch.conf)

4. Stop or reload nscd service.

5. Execute command 'id omoris'.
  
Actual results:

Correct output, 1 returned (failure). 

Expected results:

Correct output, 0 returned (success) or an explanatory message.

Additional info:

This problem was hit on i386 only; it cannot be reproduced on the other supported architectures (x86_64, s390, s390x, ia64, ppc).
Comment 1 Ondrej Moriš 2010-07-12 05:10:38 EDT
Created attachment 431117
nss_ldap configuration
Comment 2 Ondrej Moriš 2010-07-12 05:11:03 EDT
Created attachment 431119
nsswitch configuration
Comment 6 Ondrej Moriš 2010-07-12 14:12:59 EDT
Successfully verified.

Old (nss_ldap-253-7.el4_8.3)
============================

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: Test
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Running 'service nscd reload'
:: [   PASS   ] :: Running 'id omoris > id.out'
:: [   PASS   ] :: File 'id.out' should contain 'uid=14420(omoris)'
:: [   PASS   ] :: Running 'rm id.out'
:: [   PASS   ] :: Running 'echo "nss_connect_policy oneshot" >> /etc/ldap.conf'
:: [   PASS   ] :: Running 'restorecon -Rv /etc/'
:: [   PASS   ] :: Running 'service nscd reload'
:: [   FAIL   ] :: Running 'id omoris > id.out' (Expected 0, got 1)
:: [   PASS   ] :: File 'id.out' should contain 'uid=14420(omoris)'
:: [   PASS   ] :: Running 'rm id.out'
:: [   LOG    ] :: Duration: 4s
:: [   LOG    ] :: Assertions: 9 good, 1 bad
:: [   FAIL   ] :: RESULT: Test

New (nss_ldap-253-13.el4)
=========================

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: Test
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Running 'service nscd reload'
:: [   PASS   ] :: Running 'id omoris > id.out'
:: [   PASS   ] :: File 'id.out' should contain 'uid=14420(omoris)'
:: [   PASS   ] :: Running 'rm id.out'
:: [   PASS   ] :: Running 'echo "nss_connect_policy oneshot" >> /etc/ldap.conf'
:: [   PASS   ] :: Running 'restorecon -Rv /etc/'
:: [   PASS   ] :: Running 'service nscd reload'
:: [   PASS   ] :: Running 'id omoris > id.out'
:: [   PASS   ] :: File 'id.out' should contain 'uid=14420(omoris)'
:: [   PASS   ] :: Running 'rm id.out'
:: [   LOG    ] :: Duration: 4s
:: [   LOG    ] :: Assertions: 10 good, 0 bad
:: [   PASS   ] :: RESULT: Test
Comment 7 Nalin Dahyabhai 2010-07-12 15:25:48 EDT
(In reply to comment #6)
> :: [   PASS   ] :: File 'id.out' should contain 'uid=14420(omoris)'

Can this test also verify that all of the supplemental groups which are listed are also resolved to their group names?
Comment 8 Ondrej Moriš 2010-07-12 15:51:54 EDT
That's a good point, Nalin. I've checked the listed groups manually and posted the test results only. The test is now updated to check the listed groups as well as their name resolution.

For the sake of completeness I'm posting updated test results:

Old (nss_ldap-253-7.el4_8.3)
============================

:: [   PASS   ] :: Running 'service nscd reload'
:: [   PASS   ] :: Running 'id omoris > id.out'
:: [   PASS   ] :: File 'id.out' should contain 'uid=14420(omoris)'
:: [   PASS   ] :: File 'id.out' should contain 'gid=14420(omoris)'
:: [   PASS   ] :: File 'id.out' should contain 'groups=1070(devel),1076(devqa),14420(omoris)'
===
uid=14420(omoris) gid=14420(omoris) groups=1070(devel),1076(devqa),14420(omoris)
===
:: [   PASS   ] :: Running 'rm id.out'
:: [   PASS   ] :: Running 'echo "nss_connect_policy oneshot" >> /etc/ldap.conf'
:: [   PASS   ] :: Running 'restorecon -Rv /etc/'
Reloading nscd: [  OK  ]
:: [   PASS   ] :: Running 'service nscd reload'
:: [   FAIL   ] :: Running 'id omoris > id.out' (Expected 0, got 1)
:: [   PASS   ] :: File 'id.out' should contain 'uid=14420(omoris)'
:: [   PASS   ] :: File 'id.out' should contain 'gid=14420(omoris)'
:: [   FAIL   ] :: File 'id.out' should contain 'groups=1070(devel),1076(devqa),14420(omoris)' 
===
uid=14420(omoris) gid=14420(omoris) groups=1070,1076,14420(omoris)
===

New (nss_ldap-253-13.el4)
=========================

:: [   PASS   ] :: Running 'id omoris > id.out'
:: [   PASS   ] :: File 'id.out' should contain 'uid=14420(omoris)'
:: [   PASS   ] :: File 'id.out' should contain 'gid=14420(omoris)'
:: [   PASS   ] :: File 'id.out' should contain 'groups=1070(devel),1076(devqa),14420(omoris)'
===
uid=14420(omoris) gid=14420(omoris) groups=1070(devel),1076(devqa),14420(omoris)
===
:: [   PASS   ] :: Running 'rm id.out'
:: [   PASS   ] :: Running 'echo "nss_connect_policy oneshot" >> /etc/ldap.conf'
:: [   PASS   ] :: Running 'restorecon -Rv /etc/'
Reloading nscd: [  OK  ]
:: [   PASS   ] :: Running 'service nscd reload'
:: [   PASS   ] :: Running 'id omoris > id.out'
:: [   PASS   ] :: File 'id.out' should contain 'uid=14420(omoris)'
:: [   PASS   ] :: File 'id.out' should contain 'gid=14420(omoris)'
:: [   PASS   ] :: File 'id.out' should contain 'groups=1070(devel),1076(devqa),14420(omoris)'
===
uid=14420(omoris) gid=14420(omoris) groups=1070(devel),1076(devqa),14420(omoris)
===
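As an added example (not code from this bug report, from nss_ldap, or from the test harness quoted above), the following POSIX shell check automates what the reproduction steps in the description and the updated test in comment 8 verify: that id(1) exits 0 and that every supplemental group in its output resolves to a name rather than a bare gid. The two sample lines are the good and bad outputs printed in comment 8; the function names groups_all_resolved and check_user are my own.

```shell
#!/bin/sh
# Added example: detect an NSS group lookup that silently degrades.
# groups_all_resolved inspects one id(1) output line; check_user runs
# id(1) for a real account and applies both checks.

# Return 0 if every entry in the groups= list carries a name in
# parentheses, 1 if any entry is numeric only (gid not resolved) or
# the groups= field is missing altogether.
groups_all_resolved() {
    line=$1
    groups=$(printf '%s\n' "$line" | sed -n 's/.*groups=\([^ ]*\).*/\1/p')
    [ -n "$groups" ] || return 1
    # Split the comma-separated list into positional parameters.
    old_ifs=$IFS
    IFS=,
    set -- $groups
    IFS=$old_ifs
    for g in "$@"; do
        case $g in
            *\(*\)) ;;        # e.g. 1070(devel): resolved
            *) return 1 ;;    # e.g. 1070: name lookup failed
        esac
    done
    return 0
}

# Run id(1) for one user. Fail on a non-zero exit status (the symptom in
# the description) or on unresolved groups (the symptom found in comment 8),
# so a lookup that "looks right" but lost data is not treated as a pass.
check_user() {
    user=$1
    out=$(id "$user") || { echo "id $user: exit status $?"; return 1; }
    groups_all_resolved "$out" || { echo "id $user: unresolved groups: $out"; return 1; }
    echo "ok: $out"
    return 0
}

# Constructed samples, copied from the test output in comment 8, so the
# parser can be exercised without an LDAP server.
GOOD='uid=14420(omoris) gid=14420(omoris) groups=1070(devel),1076(devqa),14420(omoris)'
BAD='uid=14420(omoris) gid=14420(omoris) groups=1070,1076,14420(omoris)'

groups_all_resolved "$GOOD" && echo "good line: all groups resolved"
groups_all_resolved "$BAD"  || echo "bad line: unresolved group(s) present"
```

On a host configured as in the description, `check_user omoris` run before and after the nss_connect_policy change gives the same pass/fail split as the test log above. The second check matters beyond this bug: anything that authorizes by group name (sudoers, pam_access, file ACLs applied by name) matches nothing when the NSS layer hands back only numeric gids, and id(1) reports that quietly unless its exit status is examined.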
Comment 9 Nalin Dahyabhai 2010-07-12 16:08:14 EDT
Nice.  Thanks!
Comment 12 Eva Kopalova 2011-02-09 08:17:38 EST
Technical note added. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
The nss_ldap module did not always return an ERANGE error correctly if it failed to read an entry. This happened when the entry data was larger than expected and the application ignored the entry. With this update, the ERANGE error is returned as expected and a larger buffer to accommodate the entry is used.
Comment 13 errata-xmlrpc 2011-02-16 09:02:47 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0239.html
