Bug Fix Advisory nss_ldap bug fix update

Advisory: RHBA-2011:1030-1
Type: Bug Fix Advisory
Severity: N/A
Issued on: 2011-07-21
Last updated on: 2011-07-21
Affected Products: Red Hat Enterprise Linux (v. 5 server)
Red Hat Enterprise Linux Desktop (v. 5 client)

Details

An updated nss_ldap package that fixes various bugs is now available for Red Hat
Enterprise Linux 5.

The nss_ldap package contains the nss_ldap and pam_ldap modules. The nss_ldap
module allows applications to retrieve information about users and groups from a
directory server. The pam_ldap module allows a directory server to be used by
PAM-aware applications to verify user passwords.

This update fixes the following bugs:

* Prior to this update, using the getent utility to retrieve information about a
group with a large number of users could take a very long time. This update
applies a backported patch that addresses this issue and significantly improves
the performance. (BZ#646329)

* When the "netgroup" entry in the /etc/nsswitch.conf configuration file is set
to "ldap files" and the connection to an LDAP server cannot be established, the
system is supposed to search local files for netgroups instead. Previously,
querying such a system for netgroups could incorrectly produce an empty list.
This update corrects this error, and when the "netgroup" entry is set to "ldap
files" and the LDAP server is unavailable, local files are now searched as
expected. (BZ#664609)

* When a system is configured to use LDAP accounts and a password expires, the
relevant user is prompted to change it upon the next login. Previously, the
pam_ldap module incorrectly allowed users to re-use their old passwords. With
this update, this error no longer occurs, and users are no longer allowed to
enter the same password when prompted to change it. (BZ#667758)

* Due to a possible assertion failure in the nss_ldap module, the previous
version of the nss_ldap package may have caused various applications that rely
on the libldap library to terminate unexpectedly. With this update, a patch has
been applied to prevent this assertion failure, resolving this issue.
(BZ#688601)
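
The fallback expected in BZ#664609 follows from the default nsswitch.conf actions, under which an unavailable source continues to the next one. The added example below is not part of the advisory or of nss_ldap; it models that source chaining for a single line, handling only the "return" and "continue" actions. The function names and the status map passed to resolve() are assumptions made for illustration.

```python
import re

# Default actions per lookup status, as documented for nsswitch.conf.
DEFAULT_ACTIONS = {"success": "return", "notfound": "continue",
                   "unavail": "continue", "tryagain": "continue"}

def parse_line(line):
    """Parse one nsswitch.conf line into (database, [(source, actions), ...])."""
    database, _, rest = line.split("#", 1)[0].partition(":")
    chain = []
    for token in re.findall(r"\[[^\]]*\]|\S+", rest):
        if not token.startswith("["):
            chain.append((token, dict(DEFAULT_ACTIONS)))
            continue
        if not chain:
            raise ValueError("action list before any source")
        for item in token[1:-1].split():
            status, _, action = item.lstrip("!").lower().partition("=")
            if status not in DEFAULT_ACTIONS or action not in ("return", "continue"):
                raise ValueError("unsupported action item: " + item)
            # "!STATUS=action" applies the action to every other status.
            targets = ([s for s in DEFAULT_ACTIONS if s != status]
                       if item.startswith("!") else [status])
            for target in targets:
                chain[-1][1][target] = action
    return database.strip(), chain

def resolve(chain, source_status):
    """Return (sources consulted, final status) for a constructed status map."""
    consulted, status = [], "unavail"
    for source, actions in chain:
        status = source_status.get(source, "unavail")
        consulted.append(source)
        if actions[status] == "return":
            break
    return consulted, status

def reaches_files_when_ldap_down(line):
    """True if local files are consulted while the ldap source is unavailable."""
    _, chain = parse_line(line)
    consulted, _ = resolve(chain, {"ldap": "unavail", "files": "success"})
    return "files" in consulted

if __name__ == "__main__":
    for conf in ("netgroup: ldap files",                    # setting from the advisory
                 "netgroup: ldap [UNAVAIL=return] files"):  # constructed contrast
        print(conf, "->", reaches_files_when_ldap_down(conf))
```

An explicit [UNAVAIL=return] after "ldap" disables the fallback by configuration, so an empty netgroup list on a patched system is worth checking against the action items in /etc/nsswitch.conf before suspecting the package.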

All users of nss_ldap are advised to upgrade to this updated package, which
fixes these bugs.


Solution

Before applying this update, make sure that all previously-released errata
relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red
Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259

Updated packages

Red Hat Enterprise Linux (v. 5 server)

SRPMS:
nss_ldap-253-42.el5.src.rpm
File outdated by:  RHBA-2013:0251
    MD5: a625e5dfebe71b3923c855120d28f803
SHA-256: 0b260c798faa3d40e10718e39d9576349acb0b308844a452d3504c61737a33b1
 
IA-32:
nss_ldap-253-42.el5.i386.rpm
File outdated by:  RHBA-2013:0251
    MD5: 4bd98e32c2e0c2477877b8131b8e49f7
SHA-256: 9f21a108f5e55627cda1b2cfedc4728b8471f243172658c20666bacd1079937d
 
IA-64:
nss_ldap-253-42.el5.i386.rpm
File outdated by:  RHBA-2013:0251
    MD5: 4bd98e32c2e0c2477877b8131b8e49f7
SHA-256: 9f21a108f5e55627cda1b2cfedc4728b8471f243172658c20666bacd1079937d
nss_ldap-253-42.el5.ia64.rpm
File outdated by:  RHBA-2013:0251
    MD5: 5a7702eb38b8bf22eb1548462017a1ba
SHA-256: cf6a6d84cd0efe649917d28639d2c267e88011be62c258a8fef38891e8168a56
 
PPC:
nss_ldap-253-42.el5.ppc.rpm
File outdated by:  RHBA-2013:0251
    MD5: 2dad17c6eef3b5f1307033abbeb46021
SHA-256: 453886b01e82366158c2e835746c6021d8d0d5fdac8fe603a038b55db998abc7
nss_ldap-253-42.el5.ppc64.rpm
File outdated by:  RHBA-2013:0251
    MD5: 0010ea9c5d7ae55039a20e9756c36be0
SHA-256: f9c2669b9a4382697a6606fa0dfec085cf1f3106dbf799663ba6f69e3e611e20
 
s390x:
nss_ldap-253-42.el5.s390.rpm
File outdated by:  RHBA-2013:0251
    MD5: ac6a0bc08f0dae677b865242e354a9ca
SHA-256: 1707de598e50a4d8e4788abe8a1b7ecd9bb9f9de5d9efc004cce4a093ce8b97c
nss_ldap-253-42.el5.s390x.rpm
File outdated by:  RHBA-2013:0251
    MD5: 1ca338b75fd8c063d1266640b51fae24
SHA-256: 298a54d6c4d0f4cbba707f5d156b54e5eef2e64bf96f70cf66da15fd5c430333
 
x86_64:
nss_ldap-253-42.el5.i386.rpm
File outdated by:  RHBA-2013:0251
    MD5: 4bd98e32c2e0c2477877b8131b8e49f7
SHA-256: 9f21a108f5e55627cda1b2cfedc4728b8471f243172658c20666bacd1079937d
nss_ldap-253-42.el5.x86_64.rpm
File outdated by:  RHBA-2013:0251
    MD5: 7c2f932995d707f4d655856495a79677
SHA-256: e83ab6a4355ad6e501745cf03763906481bafd4dd679afae2d7f10f53fb5e6ee
 
Red Hat Enterprise Linux Desktop (v. 5 client)

SRPMS:
nss_ldap-253-42.el5.src.rpm
File outdated by:  RHBA-2013:0251
    MD5: a625e5dfebe71b3923c855120d28f803
SHA-256: 0b260c798faa3d40e10718e39d9576349acb0b308844a452d3504c61737a33b1
 
IA-32:
nss_ldap-253-42.el5.i386.rpm
File outdated by:  RHBA-2013:0251
    MD5: 4bd98e32c2e0c2477877b8131b8e49f7
SHA-256: 9f21a108f5e55627cda1b2cfedc4728b8471f243172658c20666bacd1079937d
 
x86_64:
nss_ldap-253-42.el5.i386.rpm
File outdated by:  RHBA-2013:0251
    MD5: 4bd98e32c2e0c2477877b8131b8e49f7
SHA-256: 9f21a108f5e55627cda1b2cfedc4728b8471f243172658c20666bacd1079937d
nss_ldap-253-42.el5.x86_64.rpm
File outdated by:  RHBA-2013:0251
    MD5: 7c2f932995d707f4d655856495a79677
SHA-256: e83ab6a4355ad6e501745cf03763906481bafd4dd679afae2d7f10f53fb5e6ee
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

646329 - taking a long time to get a result of getent group when the group has a large number of users
664609 - local files not searched for netgroups if ldap server is unavailable
667758 - pam_ldap, running as root, does not authenticate a user on password expiration
683349 - Need a rebuild with new openssl
684889 - Using 'getgrent_r' call yields "ldap_result: Assertion `ld != ((void *)0)' failed."
688601 - nss_ldap bug causes libldap crashes



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/