#50396 segfault when using pam passthru and addn plugins together
Closed: fixed a year ago by mreynolds. Opened a year ago by mreynolds.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1701092

Description of problem:

A device I have only does LDAP auth to Active Directory. Therefore I have
configured the PAM passthru plugin and addn plugin to dirsrv. I then setup pam
to use pam_radius_auth, but I don't think that is required to reproduce this.
If an attempt is made to bind to a dn that doesn't exist, ns-slapd segfaults:

kernel: ns-slapd[26414]: segfault at 0 ip 00007ff0e692a91d sp 00007ff0d12df6c0
error 4 in libpam-passthru-plugin.so[7ff0e6925000+8000]

Version-Release number of selected component (if applicable):


How reproducible:

100% once minimal configuration made on fresh install of ipa-server with

Steps to Reproduce:
1. configure addn plugin per
2. configure pam passthru per https://directory.fedoraproject.org/docs/389ds/ho
3. attempt to ldapsearch -D 'bob@example.com' (or any nonexistant user)

Actual results:
ldapsearch fails that server is unavailable

Expected results:
query results.

Additional info:

gdb output --

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fffd1988700 (LWP 27086)]
0x00007fffe5fd091d in pam_passthru_bindpreop (pb=0x5555572f9980) at
439         if ((method != LDAP_AUTH_SIMPLE) || (*normbinddn == '\0') ||

the non-pam ldap/servers/plugins/passthru/ptpreop.c does this:

   121      normbinddn = slapi_sdn_get_dn(sdn);
   122      if (normbinddn == NULL) {
   123          normbinddn = "";
   124      }

but looks like pam_passthru has no NULL check. I am so far successful using
this patch:

[root@kdc1 SOURCES]# cat 0024-Fix-pam-passthrough.patch
diff -ru a/ldap/servers/plugins/pam_passthru/pam_ptpreop.c
--- a/ldap/servers/plugins/pam_passthru/pam_ptpreop.c   2018-06-21
12:55:37.000000000 -0400
+++ b/ldap/servers/plugins/pam_passthru/pam_ptpreop.c   2019-04-17
22:55:25.847280405 -0400
@@ -436,8 +436,8 @@
      * We only handle simple bind requests that include non-NULL binddn and
      * credentials.  Let the Directory Server itself handle everything else.
-    if ((method != LDAP_AUTH_SIMPLE) || (*normbinddn == '\0') ||
-        (creds->bv_len == 0)) {
+    if ((method != LDAP_AUTH_SIMPLE) || (normbinddn == NULL) ||
+        (*normbinddn == '\0') || (creds->bv_len == 0)) {
                       "pam_passthru_bindpreop - Not handled (not simple bind
or NULL dn/credentials)\n");
         return retcode;

Metadata Update from @mreynolds:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1701092

a year ago

Metadata Update from @mreynolds:
- Issue assigned to mreynolds

a year ago

f2c63bc..0935b8a master -> master

7c71e76..f76845f 389-ds-base-1.4.0 -> 389-ds-base-1.4.0

661ce15..8b279b4 389-ds-base-1.3.9 -> 389-ds-base-1.3.9

bbfad17..1b17bee 389-ds-base-1.3.8 -> 389-ds-base-1.3.8

Metadata Update from @mreynolds:
- Custom field origin adjusted to None
- Custom field reviewstatus adjusted to None
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

a year ago

Metadata Update from @vashirov:
- Issue set to the milestone: None (was: 0.0 NEEDS_TRIAGE)

6 months ago

Login to comment on this ticket.

Related Pull Requests
  • #50460 Last updated a month ago