RHBA-2011:1705 - Bug Fix Advisory

Topic

An updated nss-pam-ldapd package that fixes multiple bugs and adds one
enhancement is now available for Red Hat Enterprise Linux 6.

[Updated 24 January 2012] This advisory has been updated with the correct
package description in the Details section. The package included in this revised
update has not been changed in any way from the package included in the original
advisory.

Description

The nss-pam-ldapd package provides the nss-pam-ldapd daemon (nslcd) which uses a
directory server to look up name service information on behalf of a lightweight
nsswitch module.

This update fixes the following bugs:

• When the nss-pam-ldapd package was installed, settings for the nslcd daemon

were migrated from the configuration files used by the pam_ldap module or a
previously-installed copy of the nss_ldap package. If the nslcd configuration
file was modified, settings would be migrated again, often with an error. With
this update, the migration is performed only if the package has not been
previously installed. (BZ#706454)

• Prior to this update, when the nslcd daemon retrieved information about a user

or group, the name of the user or group would be checked against the value of
the "validnames" configuration setting. The default value of the setting
expected the names to be at least three characters long, therefore names which
were only two characters long were flagged as invalid. This could have negative
impact on some installations. With this update, the default value of the
"validnames" setting is modified to a minimum of two characters so that short
names are accepted. (BZ#706860)

• Due to the buffer used for the group field of a user password entry being not

big enough, the primary group ID of a user could not be parsed if it contained
more than nine digits. As a consequence, the nslcd daemon could drop some of the
digits. With this update, nslcd is modified to parse large user IDs properly.
(BZ#716822, BZ#720230)

• An incorrect use of the strtol() call could cause large user ID values to

overflow on 32-bit architectures. New functions have been implemented with this
update, so that large user IDs are parsed correctly. (BZ#741362)

This update also provides the following enhancement:

• Previously, if "DNS" was specified as the value of the LDAP "uri" setting in

the /etc/nslcd.conf file, the nslcd service would attempt to look up DNS SRV
records for the LDAP server (in order to determine which directory server to
contact) only in the local host's current DNS domain. As a consequence, nslcd
could not search for an LDAP server in a different domain. With this update, the
DNS domain which is used in the lookup can now be specified by providing a value
in the form "DNS:domainname". (BZ#730309)

All users of nss-pam-ldapd are advised to upgrade to this updated package, which
fixes these bugs and adds this enhancement.

Solution

Before applying this update, make sure all previously-released errata relevant
to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red
Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259

Affected Products

• Red Hat Enterprise Linux Server 6 x86_64
• Red Hat Enterprise Linux Server 6 i386
• Red Hat Enterprise Linux Server - Extended Life Cycle Support 6 x86_64
• Red Hat Enterprise Linux Server - Extended Life Cycle Support 6 i386
• Red Hat Enterprise Linux Workstation 6 x86_64
• Red Hat Enterprise Linux Workstation 6 i386
• Red Hat Enterprise Linux Desktop 6 x86_64
• Red Hat Enterprise Linux Desktop 6 i386
• Red Hat Enterprise Linux for IBM z Systems 6 s390x
• Red Hat Enterprise Linux for Power, big endian 6 ppc64
• Red Hat Enterprise Linux for Scientific Computing 6 x86_64
• Red Hat Enterprise Linux Server from RHUI 6 x86_64
• Red Hat Enterprise Linux Server from RHUI 6 i386
• Red Hat Enterprise Linux Server - Extended Life Cycle Support (for IBM z Systems) 6 s390x
• Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension 6 x86_64
• Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension 6 i386
• Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension (for IBM z Systems) 6 s390x

Fixes

• BZ - 706454 - upgrade clears config file
• BZ - 706860 - 2 digits login names no seen after upgrading to nss-pam-ldapd-0.7.5-7
• BZ - 720230 - nslcd truncates large gid numbers
• BZ - 737496 - test_common: test_isvalidname failed
• BZ - 741362 - Large UID values can overflow on 32bit architectures

CVEs

(none)

References

(none)