7.165. openldap

Updated openldap packages that fix multiple bugs and add an enhancement are now available for Red Hat Enterprise Linux 6.
OpenLDAP is an open source suite of LDAP (Lightweight Directory Access Protocol) applications and development tools. LDAP is a set of protocols for accessing directory services (usually phone book style information, but other information is possible) over the Internet, similar to the way DNS (Domain Name System) information is propagated over the Internet. The openldap package contains configuration files, libraries, and documentation for OpenLDAP.

Bug Fixes

BZ#820278
When the smbk5pwd overlay was enabled in an OpenLDAP server and a user changed their password, the Microsoft NT LAN Manager (NTLM) and Microsoft LAN Manager (LM) hashes were not computed correctly. Consequently, the sambaLMPassword and sambaNTPassword attributes were updated with incorrect values, preventing the user from logging in using a Windows-based client or a Samba client. With this update, the smbk5pwd overlay is linked against OpenSSL. As such, the NTLM and LM hashes are computed correctly and password changes work as expected when using smbk5pwd.
BZ#857390
If the TLS_CACERTDIR configuration option used a prefix, which specified a Mozilla NSS database type, such as sql:, and when a TLS operation was requested, the certificate database failed to open. This update provides a patch, which removes the database type prefix when checking the existence of a directory with certificate database, and the certificate database is now successfully opened even if the database type prefix is used.
BZ#829319
When a file containing a password was provided to open a database without user interaction, a piece of unallocated memory could be read and be mistaken to contain a password, leading to the connection to become unresponsive. A patch has been applied to correctly allocate the memory for the password file and the connection no longer hangs in the described scenario.
BZ#818572
When a TLS connection to an LDAP server was established, used, and then correctly terminated, the order of the internal TLS shutdown operations was incorrect. Consequently, unexpected terminations and other issues could occur in the underlying cryptographic library (Mozilla NSS). A patch has been provided to reorder the operations performed when closing the connection. Now, the order of TLS shutdown operations matches the Mozilla NSS documentation, thus fixing this bug.
BZ#859858
When TLS was configured to use a certificate from a PEM file while TLS_CACERTDIR was set to use a Mozilla NSS certificate database, the PEM certificate failed to load. With this update, the certificate is first looked up in the Mozilla NSS certificate database and if not found, the PEM file is used as a fallback. As a result, PEM certificates are now properly loaded in the described scenario.
BZ#707599
The OpenLDAP server could be configured for replication with TLS enabled for both accepting connections from remote peers and for TLS client authentication to the other replicas. When different TLS configuration was used for server and for connecting to replicas, a connection to a replica could fail due to TLS certificate lookup errors or due to unknown PKCS#11 TLS errors. This update provides a set of patches, which makes multiple TLS LDAP contexts within one process possible without affecting the others. As a result, OpenLDAP replication works properly in the described scenario.
BZ#811468
When the CA (Certificate Authority) certificate directory hashed via OpenSSL was configured to be used as a source of trusted CA certificates, the libldap library incorrectly expected that filenames of all hashed certificates end with the .0 suffix. Consequently, even though any numeric suffix is allowed, only certificates with .0 suffix were loaded. This update provides a patch that properly checks filenames in OpenSSL CA certificate directory and now all certificates that are allowed to be in that directory are loaded with libldap as expected.
BZ#843056
When multiple LDAP servers were specified with TLS enabled and a connection to a server failed because the host name did not match the name in the certificate, fallback to another server was performed. However, the fallback connection became unresponsive during the TLS handshake. This update provides a patch that re-creates internal structures, which handle the connection state, and the fallback connection no longer hangs in the described scenario.
BZ#864913
When the OpenLDAP server was configured to use the rwm overlay and a client sent the modrdn operation, which included the newsuperior attribute matching the current superior attribute of the entry being modified, the slapd server terminated unexpectedly with a segmentation fault. With this update, slapd is prevented from accessing uninitialized memory in the described scenario, the crashes no longer occur, and the client operation now finishes successfully.
BZ#828787
When a self-signed certificate without Basic Constraint Extension (BCE) was used as a server TLS certificate and the TLS client was configured to ignore any TLS certificate validation errors, the client could not connect to the server and an incorrect message about missing BCE was returned. This update provides a patch to preserve the original TLS certificate validation error if BCE is not found in the certificate. As a result, clients can connect to the server, proper error messages about untrusted certification authority which signed the server certificate are returned, and the connection continues as expected.
BZ#821848
When the slapd server configuration database (cn=config) was configured with replication in mirror mode and the replication configuration (olcSyncrepl) was changed, the cn=config database was silently removed from mirror mode and could not be futher modified without restarting the slapd daemon. With this update, changes in replication configuration are properly handled so that the state of mirror mode is now properly preserved and the cn=config database can be modified in the described scenario.
BZ#835012
Previously, the OpenLDAP library looked up for an AAAA (IPv6) DNS record while resolving the server IP address even if IPv6 was disabled on the host, which could cause extra delays when connecting. With this update, the AI_ADDRCONFIG flag is set when resolving the remote host address. As a result, the OpenLDAP library no longer looks up for the AAAA DNS record when resolving the server IP address and IPv6 is disabled on the local system.

Enhancements

BZ#852339
When libldap was configured to use TLS, not all TLS ciphers supported by the Mozilla NSS library could be used. This update provides all missing ciphers supported by Mozilla NSS to the internal list of ciphers in libldap, thus improving libldap security capabilities.
Users of openldap are advised to upgrade to these updated packages, which fix these bugs and add this enhancement.