From 20b078dd82b1f7eea39a30c9622e520511aa5dbc Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Apr 10 2018 05:42:57 +0000
Subject: import nss-pam-ldapd-0.8.13-16.el7
---
diff --git a/SOURCES/nslcd.service b/SOURCES/nslcd.service
index a490f4a..61ae1fd 100644
--- a/SOURCES/nslcd.service
+++ b/SOURCES/nslcd.service
@@ -1,11 +1,14 @@
 [Unit]
 Description=Naming services LDAP client daemon.
 After=syslog.target network.target named.service dirsrv.target slapd.service
+Documentation=man:nslcd(8) man:nslcd.conf(5)
 [Service]
 Type=forking
 PIDFile=/var/run/nslcd/nslcd.pid
 ExecStart=/usr/sbin/nslcd
+RestartSec=10s
+Restart=on-failure
 [Install]
 WantedBy=multi-user.target
diff --git a/SOURCES/nss-pam-ldapd-0.8.12-str-cmp.patch b/SOURCES/nss-pam-ldapd-0.8.12-str-cmp.patch
new file mode 100644
index 0000000..1663ee1
--- /dev/null
+++ b/SOURCES/nss-pam-ldapd-0.8.12-str-cmp.patch
@@ -0,0 +1,12 @@
+diff -up nss-pam-ldapd-0.8.13/nslcd/pam.c.str_cmp nss-pam-ldapd-0.8.13/nslcd/pam.c
+--- nss-pam-ldapd-0.8.13/nslcd/pam.c.str_cmp 2017-10-23 21:18:19.867943857 +0200
++++ nss-pam-ldapd-0.8.13/nslcd/pam.c 2017-10-23 21:18:35.935986527 +0200
+@@ -133,7 +133,7 @@ static void update_username(MYLDAP_ENTRY
+ return;
+ }
+ /* check if the username is different and update it if needed */
+- if (strcmp(username,value)!=0)
++ if (STR_CMP(username,value)!=0)
+ {
+ log_log(LOG_INFO,"username changed from \"%s\" to \"%s\"",username,value);
+ strcpy(username,value);
diff --git a/SOURCES/nss-pam-ldapd-0.8.13-avoid-lockout-on-bad-password.patch b/SOURCES/nss-pam-ldapd-0.8.13-avoid-lockout-on-bad-password.patch
new file mode 100644
index 0000000..be7a3b4
--- /dev/null
+++ b/SOURCES/nss-pam-ldapd-0.8.13-avoid-lockout-on-bad-password.patch
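Review bot: The new `STR_CMP(username,value)` comparison is immediately followed by the unchanged `strcpy(username,value);`, an unbounded copy of directory-supplied attribute data into what the pam.c hunks elsewhere in this commit show are fixed `char username[256]` buffers; the compare change does not bound that copy, and since update_username's signature is outside the hunk the destination size would have to be known or passed in to make it a length-checked copy. If STR_CMP is a configurable case-insensitive compare (the macro definition is not in the hunk, so this is inferred from the bug it fixes), a username that differs from the LDAP value only in case is now left un-updated and no "username changed" line is logged; worth stating that in the comment, e.g. `/* compare using the configured case-sensitivity: a case-only difference is not treated as a change */`.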
@@ -0,0 +1,17 @@
+diff -up nss-pam-ldapd-0.8.13/nslcd/myldap.c.avoid_lockout_on_bad_password nss-pam-ldapd-0.8.13/nslcd/myldap.c
+--- nss-pam-ldapd-0.8.13/nslcd/myldap.c.avoid_lockout_on_bad_password 2017-10-24 12:04:22.275105596 +0200
++++ nss-pam-ldapd-0.8.13/nslcd/myldap.c 2017-10-24 12:04:39.355175121 +0200
+@@ -967,6 +967,13 @@ static int do_retry_search(MYLDAP_SEARCH
+ /* try to start the search */
+ pthread_mutex_unlock(&uris_mutex);
+ rc=do_try_search(search);
++ /* if we are authenticating a user and get an error regarding failed
++ password we should error out instead of trying all servers */
++ if ((search->session->binddn[0] != '\0') && (rc == LDAP_INVALID_CREDENTIALS))
++ {
++ do_close(search->session);
++ return rc;
++ }
+ if (rc==LDAP_SUCCESS)
+ {
+ pthread_mutex_lock(&uris_mutex);
diff --git a/SOURCES/nss-pam-ldapd-0.8.13-password-longer-than-64-chars.patch b/SOURCES/nss-pam-ldapd-0.8.13-password-longer-than-64-chars.patch
new file mode 100644
index 0000000..8d6ee6f
--- /dev/null
+++ b/SOURCES/nss-pam-ldapd-0.8.13-password-longer-than-64-chars.patch
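Review bot: The early return decides "this is a user authentication" from `search->session->binddn[0] != '\0'`, which is only correct if session->binddn is populated exclusively for PAM authentication binds and never from the service bind DN configured for ordinary lookups; the hunk does not show where binddn is set, so that assumption should be confirmed and recorded in the comment. The path is also silent while the surrounding code logs its outcomes, so add `log_log(LOG_DEBUG,"invalid credentials, not retrying other servers");` before `do_close(search->session);` so a deliberate fast-fail is distinguishable from server failover when reading logs. uris_mutex was released two lines above, so nothing is held on this return, but whether the caller expects the session to still be open after do_close() is outside the hunk, as is the start of do_retry_search.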
@@ -0,0 +1,35 @@
+diff -up nss-pam-ldapd-0.8.13/nslcd/myldap.c.long_password nss-pam-ldapd-0.8.13/nslcd/myldap.c
+--- nss-pam-ldapd-0.8.13/nslcd/myldap.c.long_password 2017-10-24 12:38:29.315411416 +0200
++++ nss-pam-ldapd-0.8.13/nslcd/myldap.c 2017-10-24 12:38:52.727517587 +0200
+@@ -88,7 +88,7 @@ struct ldap_session
+ /* the username to bind with */
+ char binddn[256];
+ /* the password to bind with if any */
+- char bindpw[64];
++ char bindpw[128];
+ /* timestamp of last activity */
+ time_t lastactivity;
+ /* index into ldc_uris: currently connected LDAP uri */
+diff -up nss-pam-ldapd-0.8.13/nslcd/pam.c.long_password nss-pam-ldapd-0.8.13/nslcd/pam.c
+--- nss-pam-ldapd-0.8.13/nslcd/pam.c.long_password 2017-10-24 12:39:50.761780765 +0200
++++ nss-pam-ldapd-0.8.13/nslcd/pam.c 2017-10-24 12:41:15.083163153 +0200
+@@ -246,7 +246,7 @@ int nslcd_pam_authc(TFILE *fp,MYLDAP_SES
+ int rc;
+ char username[256];
+ char servicename[64];
+- char password[64];
++ char password[128];
+ const char *userdn;
+ MYLDAP_ENTRY *entry;
+ int authzrc=NSLCD_PAM_SUCCESS;
+@@ -617,8 +617,8 @@ int nslcd_pam_pwmod(TFILE *fp,MYLDAP_SES
+ char userdn[256];
+ int asroot;
+ char servicename[64];
+- char oldpassword[64];
+- char newpassword[64];
++ char oldpassword[128];
++ char newpassword[128];
+ const char *binddn=NULL; /* the user performing the modification */
+ MYLDAP_ENTRY *entry;
+ char authzmsg[1024];
diff --git a/SOURCES/nss-pam-ldapd-0.8.13-uid_formatting.patch b/SOURCES/nss-pam-ldapd-0.8.13-uid_formatting.patch
new file mode 100644
index 0000000..b7557b2
--- /dev/null
+++ b/SOURCES/nss-pam-ldapd-0.8.13-uid_formatting.patch
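Review bot: Changing four literal `64`s to `128` moves the limit rather than removing it, and `bindpw` in struct ldap_session (myldap.c) now has to be kept in step by hand with `password`, `oldpassword` and `newpassword` in nslcd_pam_authc/nslcd_pam_pwmod (pam.c); one shared constant, e.g. `#define BINDPW_MAXLEN 128` (constructed name) used in all four declarations, would make that coupling visible to the next person who raises it. Whether the reads that fill these buffers reject an over-length value or silently truncate it (so that a 128+ character password binds with a shortened one) is decided outside these hunks and should be checked, since the bug being fixed was exactly a length cliff. These are stack copies of credentials; the hunks do not show whether they are cleared before the functions return. Both functions begin outside the hunks.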
@@ -0,0 +1,98 @@
+diff -up nss-pam-ldapd-0.8.13/nslcd/group.c.uid_formatting nss-pam-ldapd-0.8.13/nslcd/group.c
+--- nss-pam-ldapd-0.8.13/nslcd/group.c.uid_formatting 2013-02-23 22:24:00.000000000 +0100
++++ nss-pam-ldapd-0.8.13/nslcd/group.c 2017-10-24 14:17:27.489696761 +0200
+@@ -109,10 +109,8 @@ static int mkfilter_group_bygid(gid_t gi
+ }
+ else
+ {
+- return mysnprintf(buffer,buflen,
+- "(&%s(%s=%d))",
+- group_filter,
+- attmap_group_gidNumber,(int)gid);
++ return mysnprintf(buffer,buflen,"(&%s(%s=%lu))",
++ group_filter,attmap_group_gidNumber,(unsigned long int)gid);
+ }
+ }
+
+diff -up nss-pam-ldapd-0.8.13/nslcd/nslcd.c.uid_formatting nss-pam-ldapd-0.8.13/nslcd/nslcd.c
+--- nss-pam-ldapd-0.8.13/nslcd/nslcd.c.uid_formatting 2017-10-24 14:17:05.117590857 +0200
++++ nss-pam-ldapd-0.8.13/nslcd/nslcd.c 2017-10-24 14:17:27.490696766 +0200
+@@ -402,8 +402,8 @@ static void handleconnection(int sock,MY
+ if (getpeercred(sock,&uid,&gid,&pid))
+ log_log(LOG_DEBUG,"connection from unknown client: %s",strerror(errno));
+ else
+- log_log(LOG_DEBUG,"connection from pid=%d uid=%d gid=%d",
+- (int)pid,(int)uid,(int)gid);
++ log_log(LOG_DEBUG,"connection from pid=%lu uid=%lu gid=%lu",
++ (unsigned long int)pid,(unsigned long int)uid,(unsigned long int)gid);
+ /* create a stream object */
+ if ((fp=tio_fdopen(sock,READ_TIMEOUT,WRITE_TIMEOUT,
+ READBUFFER_MINSIZE,READBUFFER_MAXSIZE,
+@@ -519,7 +519,7 @@ static void create_pidfile(const char *f
+ log_log(LOG_ERR,"cannot truncate pid file (%s): %s",filename,strerror(errno));
+ exit(EXIT_FAILURE);
+ }
+- mysnprintf(buffer,sizeof(buffer),"%d\n",(int)getpid());
++ mysnprintf(buffer,sizeof(buffer),"%lu\n",(unsigned long int)getpid());
+ if (write(fd,buffer,strlen(buffer))!=(int)strlen(buffer))
+ {
+ log_log(LOG_ERR,"error writing pid file (%s): %s",filename,strerror(errno));
+@@ -755,11 +755,11 @@ int main(int argc,char *argv[])
+ #ifdef HAVE_INITGROUPS
+ /* load supplementary groups */
+ if (initgroups(nslcd_cfg->ldc_uidname,nslcd_cfg->ldc_gid)<0)
+- log_log(LOG_WARNING,"cannot initgroups(\"%s\",%d) (ignored): %s",
+- nslcd_cfg->ldc_uidname,(int)nslcd_cfg->ldc_gid,strerror(errno));
++ log_log(LOG_WARNING,"cannot initgroups(\"%s\",%lu) (ignored): %s",
++ nslcd_cfg->ldc_uidname,(unsigned long int)nslcd_cfg->ldc_gid,strerror(errno));
+ else
+- log_log(LOG_DEBUG,"initgroups(\"%s\",%d) done",
+- nslcd_cfg->ldc_uidname,(int)nslcd_cfg->ldc_gid);
++ log_log(LOG_DEBUG,"initgroups(\"%s\",%lu) done",
++ nslcd_cfg->ldc_uidname,(unsigned long int)nslcd_cfg->ldc_gid);
+ #else /* not HAVE_INITGROUPS */
+ #ifdef HAVE_SETGROUPS
+ /* just drop all supplemental groups */
+@@ -777,20 +777,22 @@ int main(int argc,char *argv[])
+ {
+ if (setgid(nslcd_cfg->ldc_gid)!=0)
+ {
+- log_log(LOG_ERR,"cannot setgid(%d): %s",(int)nslcd_cfg->ldc_gid,strerror(errno));
++ log_log(LOG_ERR,"cannot setgid(%lu): %s",
++ (unsigned long int)nslcd_cfg->ldc_gid,strerror(errno));
+ exit(EXIT_FAILURE);
+ }
+- log_log(LOG_DEBUG,"setgid(%d) done",(int)nslcd_cfg->ldc_gid);
++ log_log(LOG_DEBUG,"setgid(%lu) done",(unsigned long int)nslcd_cfg->ldc_gid);
+ }
+ /* change to nslcd uid */
+ if (nslcd_cfg->ldc_uid!=NOUID)
+ {
+ if (setuid(nslcd_cfg->ldc_uid)!=0)
+ {
+- log_log(LOG_ERR,"cannot setuid(%d): %s",(int)nslcd_cfg->ldc_uid,strerror(errno));
++ log_log(LOG_ERR,"cannot setuid(%lu): %s",
++ (unsigned long int)nslcd_cfg->ldc_uid,strerror(errno));
+ exit(EXIT_FAILURE);
+ }
+- log_log(LOG_DEBUG,"setuid(%d) done",(int)nslcd_cfg->ldc_uid);
++ log_log(LOG_DEBUG,"setuid(%lu) done",(unsigned long int)nslcd_cfg->ldc_uid);
+ }
+ /* block all these signals so our worker threads won't handle them */
+ sigemptyset(&signalmask);
+diff -up nss-pam-ldapd-0.8.13/nslcd/passwd.c.uid_formatting nss-pam-ldapd-0.8.13/nslcd/passwd.c
+--- nss-pam-ldapd-0.8.13/nslcd/passwd.c.uid_formatting 2013-02-23 22:24:00.000000000 +0100
++++ nss-pam-ldapd-0.8.13/nslcd/passwd.c 2017-10-24 14:17:27.490696766 +0200
+@@ -115,10 +115,8 @@ static int mkfilter_passwd_byuid(uid_t u
+ }
+ else
+ {
+- return mysnprintf(buffer,buflen,
+- "(&%s(%s=%d))",
+- passwd_filter,
+- attmap_passwd_uidNumber,(int)uid);
++ return mysnprintf(buffer,buflen, "(&%s(%s=%lu))",
++ passwd_filter,attmap_passwd_uidNumber,(unsigned long int)uid);
+ }
+ }
+
diff --git a/SOURCES/nss-pam-ldapd-0.8.13-uri-man-fix.patch b/SOURCES/nss-pam-ldapd-0.8.13-uri-man-fix.patch
new file mode 100644
index 0000000..f0dacb4
--- /dev/null
+++ b/SOURCES/nss-pam-ldapd-0.8.13-uri-man-fix.patch
@@ -0,0 +1,24 @@
+diff -up nss-pam-ldapd-0.8.13/man/nslcd.conf.5.uri_list nss-pam-ldapd-0.8.13/man/nslcd.conf.5
+--- nss-pam-ldapd-0.8.13/man/nslcd.conf.5.uri_list 2017-10-24 14:08:54.429271306 +0200
++++ nss-pam-ldapd-0.8.13/man/nslcd.conf.5 2017-10-24 14:09:31.691444445 +0200
+@@ -46,7 +46,7 @@ Note that you should use values that don
+ to resolve.
+ .SS "GENERAL CONNECTION OPTIONS"
+ .TP
+-\*(T<\fBuri\fR\*(T> \fIURI\fR
++\*(T<\fBuri\fR\*(T> \fIURI\fR ...
+ Specifies the LDAP URI of the
+ server to connect to.
+ The URI scheme may be \*(T,
+@@ -66,8 +66,9 @@ When using the ldapi scheme, %2f should
+ (e.g. ldapi://%2fvar%2frun%2fslapd%2fldapi/), although most of the
+ time this should not be needed.
+
+-This option may be specified multiple times. Normally, only the first
+-server will be used with the following servers as fall-back (see
++This option may be specified multiple times and/or with more URIs on the
++line, separated by space. Normally, only the first server will be used
++with the following servers as fall-back (see
+ \*(T<\fBbind_timelimit\fR\*(T> below).
+
+ If LDAP lookups are used for host name resolution,
diff --git a/SOURCES/nss-pam-ldapd-exitcode.patch b/SOURCES/nss-pam-ldapd-exitcode.patch
new file mode 100644
index 0000000..2b4f8fa
--- /dev/null
+++ b/SOURCES/nss-pam-ldapd-exitcode.patch
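Review bot: The passwd.c rewrite reads `return mysnprintf(buffer,buflen, "(&%s(%s=%lu))",` with a stray space after the comma that the otherwise identical group.c hunk does not have; the two mkfilter functions are the lines that actually fix the uidNumber-above-2^31 lookup (the nslcd.c hunks only change log and pid-file output), so keep them textually parallel and separate the argument reflow from the format fix so the substantive change is easy to audit. `(unsigned long int)` with `%lu` is the right widening for the unsigned uid_t/gid_t; for `pid` in handleconnection it relies on pid_t being non-negative, which holds on that line because the else-branch only runs after getpeercred() succeeded. I cannot see from this patch whether other `%d`/`(int)` conversions of uid_t or gid_t remain elsewhere in the tree (the nss and pam client modules are untouched), so a search for them before closing the bug would be prudent. This note covers all five hunks of this patch file.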
@@ -0,0 +1,10 @@
+diff -up nss-pam-ldapd-0.8.14/nslcd/nslcd.c.retcode nss-pam-ldapd-0.8.14/nslcd/nslcd.c
+--- nss-pam-ldapd-0.8.14/nslcd/nslcd.c.retcode 2017-02-08 09:52:39.687834074 +0100
++++ nss-pam-ldapd-0.8.14/nslcd/nslcd.c 2017-02-08 09:52:54.630891580 +0100
+@@ -866,5 +866,5 @@ int main(int argc,char *argv[])
+ log_log(LOG_ERR,"thread %d is still running, shutting down anyway",i);
+ }
+ /* we're done */
+- return EXIT_FAILURE;
++ return EXIT_SUCCESS;
+ }
diff --git a/SPECS/nss-pam-ldapd.spec b/SPECS/nss-pam-ldapd.spec
index 72aa77f..e6e0844 100644
--- a/SPECS/nss-pam-ldapd.spec
+++ b/SPECS/nss-pam-ldapd.spec
@@ -39,7 +39,7 @@ Name: nss-pam-ldapd
 Version: 0.8.13
-Release: 8%{?dist}
+Release: 16%{?dist}
 Summary: An nsswitch module which uses directory servers
 Group: System Environment/Base
 License: LGPLv2+
@@ -57,6 +57,12 @@ Patch5: nss-pam-ldapd-0.8.12-fix-buffer-overflow-on-interrupted-read-thanks-Joh
 Patch6: nss-pam-ldapd-rh-msgs-in-tests.patch
 Patch7: nss-pam-ldapd-0.8.13-Fix-use-after-free-in-read_hostent-and-read_netent.patch
 Patch8: nss-pam-ldapd-0.8.13-Use-right-h_errnop-for-retrying-with-larger-buffer.patch
+Patch9: nss-pam-ldapd-exitcode.patch
+Patch10: nss-pam-ldapd-0.8.12-str-cmp.patch
+Patch11: nss-pam-ldapd-0.8.13-avoid-lockout-on-bad-password.patch
+Patch12: nss-pam-ldapd-0.8.13-password-longer-than-64-chars.patch
+Patch13: nss-pam-ldapd-0.8.13-uri-man-fix.patch
+Patch14: nss-pam-ldapd-0.8.13-uid_formatting.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildRequires: openldap-devel, krb5-devel
@@ -112,6 +118,12 @@ nsswitch module.
 %patch6 -p1 -b .test_msgs
 %patch7 -p1 -b .use_after_free
 %patch8 -p1 -b .errnop_val
+%patch9 -p1 -b .exit_code
+%patch10 -p1 -b .str_cmp
+%patch11 -p1 -b .avoid_lockout_on_bad_password
+%patch12 -p1 -b .long_password
+%patch13 -p1 -b .uri_list
+%patch14 -p1 -b .uid_formatting
 autoreconf -f -i
 %build
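Review bot: Returning `EXIT_SUCCESS` unconditionally also reports success when the loop just above has logged `thread %d is still running, shutting down anyway`, so a shutdown that abandoned live worker threads is indistinguishable from a clean one — and because this same commit adds `Restart=on-failure` to nslcd.service, that degraded case will now never trigger a restart. Track it instead: `int stuck=0;` before the loop, `stuck=1;` next to the existing log_log call, and `return stuck ? EXIT_FAILURE : EXIT_SUCCESS;` in place of the changed line. main() and the loop header are outside the hunk, so the variable's placement has to be checked against the full function.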
@@ -162,8 +174,8 @@ $RPM_BUILD_ROOT/%{_sysconfdir}/nslcd.conf
 touch -r nslcd.conf $RPM_BUILD_ROOT/%{_sysconfdir}/nslcd.conf
 mkdir -p -m 0755 $RPM_BUILD_ROOT/var/run/nslcd
 %if %{tmpfiles}
-mkdir -p -m 0755 $RPM_BUILD_ROOT/etc/tmpfiles.d
-install -p -m 0644 %{SOURCE3} $RPM_BUILD_ROOT/etc/tmpfiles.d/%{name}.conf
+mkdir -p -m 0755 $RPM_BUILD_ROOT/%{_tmpfilesdir}
+install -p -m 0644 %{SOURCE3} $RPM_BUILD_ROOT/%{_tmpfilesdir}/%{name}.conf
 %endif
 %clean
@@ -180,7 +192,7 @@ rm -rf $RPM_BUILD_ROOT
 %{_mandir}/*/*
 %attr(0600,root,root) %config(noreplace) %verify(not md5 size mtime) /etc/nslcd.conf
 %if %{tmpfiles}
-%attr(0644,root,root) %config(noreplace) /etc/tmpfiles.d/%{name}.conf
+%attr(0644,root,root) %config(noreplace) %{_tmpfilesdir}/%{name}.conf
 %endif
 %if %{sysvinit}
 %attr(0755,root,root) %{_initddir}/nslcd
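Review bot: The `%files` line keeps `%config(noreplace)` on a file that now lives under `%{_tmpfilesdir}`; on systemd-based systems that directory holds vendor defaults, and the administrator override location is /etc/tmpfiles.d — which is the whole reason rhbz#1288429 moved the file — so the flag no longer applies and the entry should read `%attr(0644,root,root) %{_tmpfilesdir}/%{name}.conf`. Marking a /usr/lib file as noreplace would also leave a stale `.rpmnew` behind on upgrade instead of replacing the tmpfiles snippet that creates /var/run/nslcd. `%{_tmpfilesdir}` comes from systemd's RPM macros; the visible `BuildRequires: openldap-devel, krb5-devel` line does not show a systemd build requirement, so confirm one exists elsewhere in the spec or the macro will expand to a literal path in the install hunk above as well.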
@@ -348,6 +360,40 @@ exit 0
 %endif
 %changelog
+* Tue Oct 24 2017 Jakub Hrozek - 0.8.13-16
+- Resolves: rhbz#1151675 - NSLCD WRAPS LDAP USER UIDNUMBER > 2^31 SO UID
+ IS WRONG (AND A NEGATIVE NUMBER)
+
+* Tue Oct 24 2017 Jakub Hrozek - 0.8.13-15
+- Resolves: rhbz#1204202 - fix doc to describe actual uri format in
+ nslcd.conf
+
+* Tue Oct 24 2017 Jakub Hrozek - 0.8.13-14
+- Resolves: rhbz#1288429 - /etc/tmpfiles.d/nss-pam-ldapd.conf shipped when
+ /etc/tmpfiles.d is reserved for the local
+ administrator
+
+* Tue Oct 24 2017 Jakub Hrozek - 0.8.13-13
+- Resolves: rhbz#1312297 - nslcd.service does not restart on failure
+
+* Tue Oct 24 2017 Jakub Hrozek - 0.8.13-12
+- Resolves: rhbz#1425790 - Unable to authenticate with 64 character password
+ using nss-pam-ldapd
+
+* Tue Oct 24 2017 Jakub Hrozek - 0.8.13-11
+- Resolves: rhbz#1497761 - Incorrect password tries to bind to all domain
+ controllers and locks user out
+
+* Mon Oct 23 2017 Jakub Hrozek - 0.8.13-10
+- Resolves: rhbz#1357493 - In RHEL 7, authentication failing when using
+ nslcd + pam_ldap where user has different in
+ nis/passwd and ldap.
+
+* Mon Oct 23 2017 Jakub Hrozek - 0.8.13-9
+- Resolves: rhbz#1420576 - 'systemctl status nslcd' always returns FAILURE
+ status even though the service is stopped with
+ 'systemctl stop nslcd
+
 * Wed Jan 29 2014 Jakub Hrozek 0.8.13-8
 - Fix a potential use-after-free in nsswitch module
 - Resolves: rhbz#1036030 - New defect found in nss-pam-ldapd-0.8.13-4.el7