- Issued: 2012-02-20
- Updated: 2012-02-20
RHBA-2012:0268 - nss_ldap bug fix and enhancement update
Synopsis
nss_ldap bug fix and enhancement update
Type/Severity
Bug Fix Advisory (none)
Topic
An enhanced nss_ldap package that fixes various bugs and provides an enhancement is now available for Red Hat Enterprise Linux 5.
Description
The nss_ldap package contains the nss_ldap and pam_ldap modules. The nss_ldap module is a name service switch module which allows applications to retrieve information about users and groups from a directory server. The pam_ldap module allows a directory server to be used by PAM-aware applications to verify user passwords.
This updated nss_ldap package includes fixes for the following bugs:
- Previously, nss_ldap did not correctly handle the situation where "unreadable" files were present in the CA certificate directory. Consequently, nss_ldap failed when resolving usernames and groups while using TLS even if a valid readable certificate was available. This update corrects the problem and nss_ldap now ignores files that are not world readable and uses the readable certificate files as expected. (BZ#593242)
- In certain cases, nss_ldap failed to get a response from the Lightweight Directory Access Protocol (LDAP) server and the client became temporarily unable to query the server. This update applies a patch which improves the code and the server now responds as expected. (BZ#696707)
- The LDAP server stored its configuration in a fixed-size buffer that could have been exceeded with large configurations, thus causing nss_ldap to fail. This was especially likely to occur on 64-bit architectures where pointers to internal data structures occupy twice as much space in the buffer as on 32-bit architectures. This caused situations where a certain LDAP configuration worked on 32-bit architecture but not on 64-bit architecture. With this update, the code has been modified to allow the use of larger LDAP configurations without exceeding the buffer and nss_ldap now works correctly. (BZ#705841)
In addition, this updated nss_ldap package provides the following enhancement:
- Prior to this update, nss_ldap did not select the closest DNS records, but always selected the first record returned by DNS. This update changes the behavior to select the records based on the priority and weight fields. (BZ#741419)
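The priority-and-weight selection described in the enhancement above, sketched as an added example (not nss_ldap's own code): it orders constructed SRV records with the RFC 2782 algorithm, which is assumed here because the advisory does not say how nss_ldap implements the selection. The `order_srv` function and the example.com host names are hypothetical.

```python
import random

# Constructed sample SRV answers for _ldap._tcp.example.com (not from the advisory).
SAMPLE_RECORDS = [
    {"priority": 20, "weight": 0, "port": 389, "target": "ldap-backup.example.com"},
    {"priority": 10, "weight": 10, "port": 389, "target": "ldap-b.example.com"},
    {"priority": 10, "weight": 90, "port": 389, "target": "ldap-a.example.com"},
]


def order_srv(records, rng=None):
    """Return records in the order a client should try them (RFC 2782, assumed)."""
    rng = rng or random.Random()
    by_priority = {}
    for rec in records:
        by_priority.setdefault(rec["priority"], []).append(rec)

    ordered = []
    for priority in sorted(by_priority):  # lower priority value is tried first
        # Weight-0 records go to the front of the pool so they are rarely picked.
        pool = sorted(by_priority[priority], key=lambda r: r["weight"] != 0)
        while pool:
            total = sum(r["weight"] for r in pool)
            pick = rng.randint(0, total)  # uniform in 0..total, inclusive
            running = 0
            for i, rec in enumerate(pool):
                running += rec["weight"]
                if running >= pick:  # first running sum >= the random number
                    ordered.append(pool.pop(i))
                    break
    return ordered


if __name__ == "__main__":
    # Taking the first record as returned would pick the priority-20 backup here.
    for rec in order_srv(SAMPLE_RECORDS):
        print(rec["priority"], rec["weight"], rec["target"])
```

Passing a seeded `random.Random` as `rng` makes the ordering reproducible when comparing client behaviour before and after the update.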
All users of nss_ldap are advised to upgrade to this updated package, which fixes these bugs and provides this enhancement.
Solution
Before applying this update, make sure all previously-released errata relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/kb/docs/DOC-11259
Affected Products
| Product | Version | Arch |
|---|---|---|
| Red Hat Enterprise Linux for Power, big endian | 5 | ppc |
| Red Hat Enterprise Linux for IBM z Systems | 5 | s390x |
| Red Hat Enterprise Linux Workstation | 5 | x86_64 |
| Red Hat Enterprise Linux Workstation | 5 | i386 |
| Red Hat Enterprise Linux Server | 5 | x86_64 |
| Red Hat Enterprise Linux Server | 5 | ia64 |
| Red Hat Enterprise Linux Server | 5 | i386 |
| Red Hat Enterprise Linux Server from RHUI | 5 | x86_64 |
| Red Hat Enterprise Linux Server from RHUI | 5 | i386 |
| Red Hat Enterprise Linux Desktop | 5 | x86_64 |
| Red Hat Enterprise Linux Desktop | 5 | i386 |
Updated Packages
- nss_ldap-253-49.el5.ppc.rpm
- nss_ldap-253-49.el5.s390x.rpm
- nss_ldap-253-49.el5.s390.rpm
- nss_ldap-253-49.el5.x86_64.rpm
- nss_ldap-253-49.el5.i386.rpm
- nss_ldap-253-49.el5.src.rpm
- nss_ldap-253-49.el5.ppc64.rpm
- nss_ldap-253-49.el5.ia64.rpm
Fixes
- BZ - 593242
- BZ - 696707
- BZ - 756783
CVEs
(none)
References
(none)
Additional information
- The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
- Offline Security Data is available for integration with other systems. See Offline Security Data API to get started.