Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1701092
Description of problem:
A device I have only does LDAP auth to Active Directory. Therefore I have configured the PAM passthru plugin and addn plugin to dirsrv. I then set up pam to use pam_radius_auth, but I don't think that is required to reproduce this. If an attempt is made to bind to a dn that doesn't exist, ns-slapd segfaults:

kernel: ns-slapd[26414]: segfault at 0 ip 00007ff0e692a91d sp 00007ff0d12df6c0 error 4 in libpam-passthru-plugin.so[7ff0e6925000+8000]

Version-Release number of selected component (if applicable):
389-ds-base-1.3.8.4-23.el7.x86_64

How reproducible:
100% once minimal configuration made on fresh install of ipa-server with 389-ds-base.

Steps to Reproduce:
1. configure addn plugin per https://www.port389.org/docs/389ds/howto/howto-addn.html
2. configure pam passthru per https://directory.fedoraproject.org/docs/389ds/howto/howto-pam-pass-through.html
3. attempt to ldapsearch -D 'bob@example.com' (or any nonexistent user)

Actual results:
ldapsearch fails that server is unavailable

Expected results:
query results.

Additional info:
gdb output --

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fffd1988700 (LWP 27086)]
0x00007fffe5fd091d in pam_passthru_bindpreop (pb=0x5555572f9980) at ldap/servers/plugins/pam_passthru/pam_ptpreop.c:439
439 if ((method != LDAP_AUTH_SIMPLE) || (*normbinddn == '\0') ||

the non-pam ldap/servers/plugins/passthru/ptpreop.c does this:

121 normbinddn = slapi_sdn_get_dn(sdn);
122 if (normbinddn == NULL) {
123 normbinddn = "";
124 }

but looks like pam_passthru has no NULL check. I am so far successful using this patch:

[root@kdc1 SOURCES]# cat 0024-Fix-pam-passthrough.patch
diff -ru a/ldap/servers/plugins/pam_passthru/pam_ptpreop.c b/ldap/servers/plugins/pam_passthru/pam_ptpreop.c --- a/ldap/servers/plugins/pam_passthru/pam_ptpreop.c 2018-06-21 12:55:37.000000000 -0400 +++ b/ldap/servers/plugins/pam_passthru/pam_ptpreop.c 2019-04-17 22:55:25.847280405 -0400 
@@ -436,8 +436,8 @@ * We only handle simple bind requests that include non-NULL binddn and * credentials. Let the Directory Server itself handle everything else. */ - if ((method != LDAP_AUTH_SIMPLE) || (*normbinddn == '\0') || - (creds->bv_len == 0)) { + if ((method != LDAP_AUTH_SIMPLE) || (normbinddn == NULL) || + (*normbinddn == '\0') || (creds->bv_len == 0)) { slapi_log_err(SLAPI_LOG_PLUGIN, PAM_PASSTHRU_PLUGIN_SUBSYSTEM, "pam_passthru_bindpreop - Not handled (not simple bind or NULL dn/credentials)\n"); return retcode;
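Review bot: the added (normbinddn == NULL) test protects only the dereference inside this one condition, so any later use of normbinddn in pam_passthru_bindpreop still depends on every NULL case returning here. Normalizing at the point of assignment, the way the non-pam ptpreop.c quoted in the report does with `if (normbinddn == NULL) { normbinddn = ""; }`, would keep the existing (*normbinddn == '\0') test valid and make the two plugins behave the same. The same condition also reads creds->bv_len without a visible NULL test on creds; if creds can be NULL at this point it needs the same guard. A regression test that binds with a DN addn cannot map (the ldapsearch -D 'bob@example.com' case from the report) would be worth adding with the fix.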
Metadata Update from @mreynolds: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1701092
Metadata Update from @mreynolds: - Issue assigned to mreynolds
f2c63bc..0935b8a master -> master
7c71e76..f76845f 389-ds-base-1.4.0 -> 389-ds-base-1.4.0
661ce15..8b279b4 389-ds-base-1.3.9 -> 389-ds-base-1.3.9
bbfad17..1b17bee 389-ds-base-1.3.8 -> 389-ds-base-1.3.8
Metadata Update from @mreynolds: - Custom field origin adjusted to None - Custom field reviewstatus adjusted to None - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
Metadata Update from @vashirov: - Issue set to the milestone: None (was: 0.0 NEEDS_TRIAGE)
389-ds-base is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in 389-ds-base's github repository.
This issue has been cloned to Github and is available here: - https://github.com/389ds/389-ds-base/issues/3454
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.
Metadata Update from @spichugi: - Issue close_status updated to: wontfix (was: fixed)