Updated nss_ldap packages that fix multiple bugs are now available for Red Hat Enterprise Linux 5.
The nss_ldap packages contain the nss_ldap and pam_ldap modules. The nss_ldap module is a name service switch module which allows applications to retrieve information about users and groups from a directory server. The pam_ldap module allows a directory server to be used by PAM-aware applications to verify user passwords.
When parsing an ldap.conf file that contained a host and a port definition, the nss_ldap "do_add_hosts()" function always created a URI starting with "ldap://" regardless of SSL being enabled. Consequently, when the response included an "ldaps://..." referral to the same server and port, the libldap library considered this to be a different scheme ("ldaps" vs. the initial "ldap") and opened new connections for each referral lookup instead of reusing the existing persistent connection. The code has been improved and now when the SSL option is enabled the initial URI will be in the format "ldaps://...". As a result, nss_ldap now correctly uses the LDAPS scheme with SSL connections.
Due to a regression in the configuration parser, the "do_readline()" function did not return the correct exit code when the last line of "/etc/ldap.secret" did not contain a newline. Consequently, the nss_ldap module failed to bind to the LDAP server. With this update the parser now returns the correct exit code when parsing /etc/ldap.secret and nss_ldap works as expected in the scenario described.
The nss_ldap module used to leak memory when an entry that did not exist on the remote server was requested. The memory leak has been fixed by freeing an internal search structure even in cases where the search does not finish successfully.
All users of nss_ldap are advised to upgrade to these updated packages, which fix these bugs.