Bug 613555 - id returns failure when nss_ldap uses TLS and oneshot nss_connect_policy
Summary: id returns failure when nss_ldap uses TLS and oneshot nss_connect_policy
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: nss_ldap
Version: 4.9
Hardware: i386
OS: Linux
high
high
Target Milestone: rc
Assignee: Nalin Dahyabhai
QA Contact: Ondrej Moriš
Blocks: 661630
Reported: 2010-07-12 09:06 UTC by Ondrej Moriš
Modified: 2011-02-16 14:02 UTC

Fixed In Version: nss_ldap-253-13.el4
Doc Type: Bug Fix
Doc Text:
The nss_ldap module did not always return an ERANGE error correctly if it failed to read an entry. This happened when the entry data was larger than expected and the application ignored the entry. With this update, the ERANGE error is returned as expected and a larger buffer to accommodate the entry is used.
: 661630
Last Closed: 2011-02-16 14:02:47 UTC


Attachments
  nss_ldap configuration (267 bytes, text/plain), 2010-07-12 09:10 UTC, Ondrej Moriš
  nsswitch configuration (336 bytes, text/plain), 2010-07-12 09:11 UTC, Ondrej Moriš


External Trackers
Tracker                 ID              Priority  Status        Summary                  Last Updated
Red Hat Product Errata  RHBA-2011:0239  normal    SHIPPED_LIVE  nss_ldap bug fix update  2011-02-15 16:35:01 UTC
PADL Software           421             None      None          None                     Never

Description Ondrej Moriš 2010-07-12 09:06:24 UTC
Description of problem:

Command 'id omoris' from coreutils returns failure when TLS and oneshot nss_connect_policy are used for nss_ldap and nsswitch is set up to look into ldap. The output itself seems to be correct.

Version-Release number of selected component (if applicable):

nss_ldap-253-7.el4_8.3

How reproducible:

Always.

Steps to Reproduce:

1. Set up nss_ldap to use TLS and oneshot nss_connect_policy.
   * see attached configuration (/etc/ldap.conf)

2. Download RH certificate to /etc/openldap/cacerts/.
   * from http://password.corp.redhat.com/newca.crt
   * do not forget to rehash certs directory (cacertdir_rehash <cert_dir>)

3. Set up nsswitch to use LDAP.
   * see attached configuration (/etc/nsswitch.conf)

4. Stop or reload nscd service.

5. Execute command 'id omoris'.
  
Actual results:

Correct output, 1 returned (failure). 

Expected results:

Correct output, 0 returned (success) or an explanatory message.

Additional info:

This problem was hit on i386 only; it cannot be reproduced on the other supported architectures (x86_64, s390, s390x, ia64, ppc, x86_64).
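
The Doc Text field above explains the fix: nss_ldap now returns ERANGE when an entry is larger than the buffer the caller supplied, so the caller can come back with a bigger one, and the failing output in this report (group numbers without names, non-zero exit from id) is what an unhandled ERANGE looks like from user space. The C program below is added here as an illustration and is not code from nss_ldap, coreutils or this report. It shows the caller side of that contract: a getgrgid_r() retry loop that starts with a deliberately tiny buffer so the ERANGE path is exercised, an id(1)-style renderer that falls back to the bare number when a name cannot be resolved, and a checker that counts such unresolved entries in a captured id line. The sample lines are constructed from the results posted later in comment 8; the function names and the 1 MiB growth cap are my own choices.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Resolve a gid to its group name through NSS, doubling the buffer each time
 * the backend answers ERANGE (entry larger than the buffer supplied).
 * Returns 0 and fills out on success, ENOENT for an unknown gid, ERANGE if the
 * backend still wants more than 1 MiB (cap chosen here, not an NSS rule), or
 * another errno value from getgrgid_r(). *retries counts the ERANGE round trips. */
int resolve_group_name(gid_t gid, char *out, size_t outlen, unsigned *retries)
{
    size_t buflen = 8;               /* deliberately tiny so the ERANGE path runs */
    char *buf = NULL;
    struct group grp, *result = NULL;
    int rc;

    *retries = 0;
    for (;;) {
        char *nbuf = realloc(buf, buflen);
        if (nbuf == NULL) { free(buf); return ENOMEM; }
        buf = nbuf;
        rc = getgrgid_r(gid, &grp, buf, buflen, &result);
        if (rc != ERANGE)
            break;
        (*retries)++;
        if (buflen >= (1u << 20)) { free(buf); return ERANGE; } /* refuse unbounded growth */
        buflen *= 2;
    }
    if (rc != 0 || result == NULL) { free(buf); return rc != 0 ? rc : ENOENT; }
    snprintf(out, outlen, "%s", grp.gr_name);
    free(buf);
    return 0;
}

/* Render one group the way id(1) does: "1070(devel)" when the name resolves,
 * a bare "1070" when it does not. Returns 1 if resolved, 0 otherwise. */
int format_group(gid_t gid, char *out, size_t outlen)
{
    char name[256];
    unsigned retries;
    if (resolve_group_name(gid, name, sizeof name, &retries) == 0) {
        snprintf(out, outlen, "%lu(%s)", (unsigned long)gid, name);
        return 1;
    }
    snprintf(out, outlen, "%lu", (unsigned long)gid);
    return 0;
}

/* Audit a captured id(1) line: count entries in the groups= field that are
 * bare numbers with no "(name)" suffix, i.e. gids whose name lookup failed.
 * Returns that count, or -1 if there is no groups= field or an entry is malformed. */
int count_unresolved_groups(const char *id_line)
{
    const char *p = strstr(id_line, "groups=");
    int unresolved = 0;

    if (p == NULL)
        return -1;
    p += strlen("groups=");
    while (*p != '\0' && !isspace((unsigned char)*p)) {
        while (isdigit((unsigned char)*p))       /* skip the numeric gid */
            p++;
        if (*p == '(') {                         /* resolved: skip "(name)" */
            const char *close = strchr(p, ')');
            if (close == NULL)
                return -1;
            p = close + 1;
        } else {
            unresolved++;                        /* bare number: lookup failed */
        }
        if (*p != ',')
            break;
        p++;
    }
    return unresolved;
}

int main(void)
{
    /* Constructed sample lines mirroring the old and new results in comment 8. */
    const char *old_line = "uid=14420(omoris) gid=14420(omoris) groups=1070,1076,14420(omoris)";
    const char *new_line = "uid=14420(omoris) gid=14420(omoris) groups=1070(devel),1076(devqa),14420(omoris)";
    char out[300];

    printf("unresolved groups, old output: %d\n", count_unresolved_groups(old_line));
    printf("unresolved groups, new output: %d\n", count_unresolved_groups(new_line));
    format_group(0, out, sizeof out);
    printf("gid 0 renders as %s\n", out);
    return 0;
}
```

Run against the two lines from comment 8, the checker reports 2 unresolved groups for the old package and 0 for the fixed one; the retry loop is the behaviour a correct NSS module must be able to rely on, and a module that reports a short buffer as a plain failure instead of ERANGE produces exactly the bare-number output seen here.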

Comment 1 Ondrej Moriš 2010-07-12 09:10:38 UTC
Created attachment 431117 [details]
nss_ldap configuration

Comment 2 Ondrej Moriš 2010-07-12 09:11:03 UTC
Created attachment 431119 [details]
nsswitch configuration

Comment 6 Ondrej Moriš 2010-07-12 18:12:59 UTC
Successfully verified.

Old (nss_ldap-253-7.el4_8.3)
============================

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: Test
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Running 'service nscd reload'
:: [   PASS   ] :: Running 'id omoris > id.out'
:: [   PASS   ] :: File 'id.out' should contain 'uid=14420(omoris)'
:: [   PASS   ] :: Running 'rm id.out'
:: [   PASS   ] :: Running 'echo "nss_connect_policy oneshot" >> /etc/ldap.conf'
:: [   PASS   ] :: Running 'restorecon -Rv /etc/'
:: [   PASS   ] :: Running 'service nscd reload'
:: [   FAIL   ] :: Running 'id omoris > id.out' (Expected 0, got 1)
:: [   PASS   ] :: File 'id.out' should contain 'uid=14420(omoris)'
:: [   PASS   ] :: Running 'rm id.out'
:: [   LOG    ] :: Duration: 4s
:: [   LOG    ] :: Assertions: 9 good, 1 bad
:: [   FAIL   ] :: RESULT: Test

New (nss_ldap-253-13.el4)
=========================

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: Test
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Running 'service nscd reload'
:: [   PASS   ] :: Running 'id omoris > id.out'
:: [   PASS   ] :: File 'id.out' should contain 'uid=14420(omoris)'
:: [   PASS   ] :: Running 'rm id.out'
:: [   PASS   ] :: Running 'echo "nss_connect_policy oneshot" >> /etc/ldap.conf'
:: [   PASS   ] :: Running 'restorecon -Rv /etc/'
:: [   PASS   ] :: Running 'service nscd reload'
:: [   PASS   ] :: Running 'id omoris > id.out'
:: [   PASS   ] :: File 'id.out' should contain 'uid=14420(omoris)'
:: [   PASS   ] :: Running 'rm id.out'
:: [   LOG    ] :: Duration: 4s
:: [   LOG    ] :: Assertions: 10 good, 0 bad
:: [   PASS   ] :: RESULT: Test

Comment 7 Nalin Dahyabhai 2010-07-12 19:25:48 UTC
(In reply to comment #6)
> :: [   PASS   ] :: File 'id.out' should contain 'uid=14420(omoris)'

Can this test also verify that all of the supplemental groups which are listed are also resolved to their group names?

Comment 8 Ondrej Moriš 2010-07-12 19:51:54 UTC
That's a good point, Nalin. I checked the listed groups manually and posted only the test results. The test is now updated to check the listed groups as well as the resolution of their names.

For the sake of completeness I'm posting updated test results:

Old (nss_ldap-253-7.el4_8.3)
============================

:: [   PASS   ] :: Running 'service nscd reload'
:: [   PASS   ] :: Running 'id omoris > id.out'
:: [   PASS   ] :: File 'id.out' should contain 'uid=14420(omoris)'
:: [   PASS   ] :: File 'id.out' should contain 'gid=14420(omoris)'
:: [   PASS   ] :: File 'id.out' should contain 'groups=1070(devel),1076(devqa),14420(omoris)'
===
uid=14420(omoris) gid=14420(omoris) groups=1070(devel),1076(devqa),14420(omoris)
===
:: [   PASS   ] :: Running 'rm id.out'
:: [   PASS   ] :: Running 'echo "nss_connect_policy oneshot" >> /etc/ldap.conf'
:: [   PASS   ] :: Running 'restorecon -Rv /etc/'
Reloading nscd: [  OK  ]
:: [   PASS   ] :: Running 'service nscd reload'
:: [   FAIL   ] :: Running 'id omoris > id.out' (Expected 0, got 1)
:: [   PASS   ] :: File 'id.out' should contain 'uid=14420(omoris)'
:: [   PASS   ] :: File 'id.out' should contain 'gid=14420(omoris)'
:: [   FAIL   ] :: File 'id.out' should contain 'groups=1070(devel),1076(devqa),14420(omoris)' 
===
uid=14420(omoris) gid=14420(omoris) groups=1070,1076,14420(omoris)
===

New (nss_ldap-253-13.el4)
=========================

:: [   PASS   ] :: Running 'id omoris > id.out'
:: [   PASS   ] :: File 'id.out' should contain 'uid=14420(omoris)'
:: [   PASS   ] :: File 'id.out' should contain 'gid=14420(omoris)'
:: [   PASS   ] :: File 'id.out' should contain 'groups=1070(devel),1076(devqa),14420(omoris)'
===
uid=14420(omoris) gid=14420(omoris) groups=1070(devel),1076(devqa),14420(omoris)
===
:: [   PASS   ] :: Running 'rm id.out'
:: [   PASS   ] :: Running 'echo "nss_connect_policy oneshot" >> /etc/ldap.conf'
:: [   PASS   ] :: Running 'restorecon -Rv /etc/'
Reloading nscd: [  OK  ]
:: [   PASS   ] :: Running 'service nscd reload'
:: [   PASS   ] :: Running 'id omoris > id.out'
:: [   PASS   ] :: File 'id.out' should contain 'uid=14420(omoris)'
:: [   PASS   ] :: File 'id.out' should contain 'gid=14420(omoris)'
:: [   PASS   ] :: File 'id.out' should contain 'groups=1070(devel),1076(devqa),14420(omoris)'
===
uid=14420(omoris) gid=14420(omoris) groups=1070(devel),1076(devqa),14420(omoris)
===

Comment 9 Nalin Dahyabhai 2010-07-12 20:08:14 UTC
Nice.  Thanks!

Comment 12 Eva Kopalova 2011-02-09 13:17:38 UTC
Technical note added. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
The nss_ldap module did not always return an ERANGE error correctly if it failed to read an entry. This happened when the entry data was larger than expected and the application ignored the entry. With this update, the ERANGE error is returned as expected and a larger buffer to accommodate the entry is used.

Comment 13 errata-xmlrpc 2011-02-16 14:02:47 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0239.html
