Bug 713961 - libsss_ldap segfault at login against OpenLDAP
Summary: libsss_ldap segfault at login against OpenLDAP
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: sssd
Version: 6.2
Hardware: Unspecified
OS: Unspecified
urgent
urgent
Target Milestone: rc
: ---
Assignee: Stephen Gallagher
QA Contact: Chandrasekar Kannan
URL:
Whiteboard:
: 714301 (view as bug list)
Depends On:
Blocks: 716909 748848
TreeView+ depends on / blocked
 
Reported: 2011-06-16 22:07 UTC by Stephen Gallagher
Modified: 2018-11-14 12:26 UTC (History)
9 users (show)

Fixed In Version: sssd-1.5.1-41.el6
Doc Type: Bug Fix
Doc Text:
When SSSD communicated with an OpenLDAP server, which supported server-side password policies but did not list them in the "supportedControl" attribute of the server's rootDSE entry, SSSD terminated unexpectedly with a segmentation fault. This was a regression introduced in version 1.5.1-34.el6 of the sssd package. An upstream patch has been provided to fix this bug.
Clone Of:
: 748848 (view as bug list)
Environment:
Last Closed: 2011-12-06 16:38:51 UTC
Target Upstream Version:

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2011:1529 0 normal SHIPPED_LIVE sssd bug fix and enhancement update 2011-12-06 00:50:20 UTC

Description Stephen Gallagher 2011-06-16 22:07:07 UTC 
How to reproduce:

To reproduce the segfault it should be sufficient to add

objectClass: pwdPolicy
pwdAttribute: userPassword

to a user entry and try to log in with this user.

For completeness, to use the ppolicy overlay please add:

olcModuleLoad: ppolicy.la
olcPPolicyDefault: cn=pwdconfig,ou=config,dc=your,dc=base,dc=dn
olcOverlay: ppolicy

to /etc/openldap/slapd.d/cn=config/olcDatabase={1}bdb.ldif .

Create a policy like

dn: cn=pwdconfig,ou=config,dc=your,dc=base,dc=dn
objectClass: pwdPolicy
objectClass: top
objectClass: person
pwdAttribute: userPassword
sn: Password Policy
cn: pwdconfig
pwdMaxAge: 100
pwdExpireWarning: 10
pwdGraceAuthNLimit: 3

and add

objectClass: pwdPolicy
pwdAttribute: userPassword
pwdPolicySubentry: cn=pwdconfig,ou=config,dc=your,dc=base,dc=dn

to a user object.
Comment 1 Jake Kodak 2011-06-17 17:52:21 UTC 
Nominee for Async.
Comment 2 Dmitri Pal 2011-06-17 21:45:21 UTC 
*** Bug 714301 has been marked as a duplicate of this bug. ***
Comment 4 Tomas Capek 2011-06-28 08:48:58 UTC 
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
When SSSD communicated with an OpenLDAP server, which supported server-side password policies but did not list them in the "supportedControl" attribute of the server's rootDSE entry, SSSD terminated unexpectedly with a segmentation fault. This was a regression introduced in version 1.5.1-34.el6 of the sssd package. An upstream patch has been provided to fix this bug.
Comment 7 Kaushik Banerjee 2011-09-22 09:00:33 UTC 
Verified in version:

# rpm -qi sssd | head
Name        : sssd                         Relocations: (not relocatable)
Version     : 1.5.1                             Vendor: Red Hat, Inc.
Release     : 52.el6                        Build Date: Tue 20 Sep 2011 09:11:03 PM IST
Install Date: Wed 21 Sep 2011 03:07:04 PM IST      Build Host: x86-010.build.bos.redhat.com
Group       : Applications/System           Source RPM: sssd-1.5.1-52.el6.src.rpm
Size        : 3550647                          License: GPLv3+
Signature   : (none)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://fedorahosted.org/sssd/
Summary     : System Security Services Daemon
Comment 8 errata-xmlrpc 2011-12-06 16:38:51 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1529.html
Note You need to log in before you can comment on or make changes to this bug.