An updated nss-pam-ldapd package that fixes multiple bugs and adds one enhancement is now available for Red Hat Enterprise Linux 6.
[Updated 24 January 2012] This advisory has been updated with the correct package description in the Details section. The package included in this revised update has not been changed in any way from the package included in the original advisory.
The nss-pam-ldapd package provides the nss-pam-ldapd daemon (nslcd) which uses a directory server to look up name service information on behalf of a lightweight nsswitch module.
- When the nss-pam-ldapd package was installed, settings for the nslcd daemon were migrated from the configuration files used by the pam_ldap module or a previously-installed copy of the nss_ldap package. If the nslcd configuration file was modified, settings would be migrated again, often with an error. With this update, the migration is performed only if the package has not been previously installed.
- Prior to this update, when the nslcd daemon retrieved information about a user or group, the name of the user or group would be checked against the value of the "validnames" configuration setting. The default value of the setting expected the names to be at least three characters long, therefore names which were only two characters long were flagged as invalid. This could have negative impact on some installations. With this update, the default value of the "validnames" setting is modified to a minimum of two characters so that short names are accepted.
- BZ#716822, BZ#720230
- Due to the buffer used for the group field of a user password entry being not big enough, the primary group ID of a user could not be parsed if it contained more than nine digits. As a consequence, the nslcd daemon could drop some of the digits. With this update, nslcd is modified to parse large user IDs properly.
- An incorrect use of the strtol() call could cause large user ID values to overflow on 32-bit architectures. New functions have been implemented with this update, so that large user IDs are parsed correctly.
- Previously, if "DNS" was specified as the value of the LDAP "uri" setting in the /etc/nslcd.conf file, the nslcd service would attempt to look up DNS SRV records for the LDAP server (in order to determine which directory server to contact) only in the local host's current DNS domain. As a consequence, nslcd could not search for an LDAP server in a different domain. With this update, the DNS domain which is used in the lookup can now be specified by providing a value in the form "DNS:domainname".
All users of nss-pam-ldapd are advised to upgrade to this updated package, which fixes these bugs and adds this enhancement.
An updated nss-pam-ldapd package that fixes one bug is now available for Red Hat Enterprise Linux 6.
The nss-pam-ldapd provides the nss-pam-ldapd daemon (nslcd) which uses a directory server to look up name service information on behalf of a lightweight nsswitch module.
- Previously, the nslcd daemon performed the idle time expiration check for the LDAP connection before starting an LDAP search operation. On a lossy network or if the LDAP server was under a heavy load, a connection could time out after a successful check and the search operation then failed. With this update, the idle time expiration test is now performed during the LDAP search operation so that the connection now no longer expires under these circumstances.
All users of nss-pam-ldapd are advised to upgrade to this updated package, which fixes this bug.