[SRU] libnss-ldap for edgy-proposed: Problem with LDAPS

I will assume that you're referring to it hanging inside of glibc...

getent and ldapsearch work; finger and authentication (login, sudo, etc) do not.

This issue is fixed in upstream libnss-ldap 253 with a comment of:
253 Luke Howard <email address hidden>

        * fix crasher if an empty buffer is passed to
          initgroups (glibc NSS only)

Installing 253 fixes the issue here, I'm working on finding and backporting just that patch.

The following patch backports just the changes for version 253, and fixes the issue at least on my system.

can you confirm that it fixes things for you? I can provide a .deb if you want.

This bug appears to be triggered by glibc 2.4, and results in users not being able to login (or much else) on machines where users/groups are stored in ldap. As such, this represents a serious regression from dapper.

The patch looks apropriate. Let's test that in -proposed.

Looks pretty sane to me as well. +1.

The patch also looks sane to me. +1

+1 from me as well

Please go ahead and upload to edgy-proposed. Thanks.

The proposed patch might fix other issues, but it doesn't fix the problem I reported. ;-)

It seems that in versions of nss_ldap >=241, you need to specify the port in the hostname, or use an URI for ldaps to work. The bug is also present in version 253 compiled from source.

If I change my config to: "host 192.168.2.224:636", it works.

I need to find out what changed between 240 and 241... Unfortunately, I can't find version 241 to 243 anywhere, and I'm afraid a diff from 240 and 244 will be quite huge, so it will be hard to fix.

Will report to upstream.

Reported upstream:
http://bugzilla.padl.com/show_bug.cgi?id=303

Accepted into -proposed, please solicit testing as per https://wiki.ubuntu.com/MOTU/SRU

libnss-ldap 251-5.2ubuntu1~proposed in edgy proposed fixed the issue for me.

I am using 251-5.2ubuntu1~proposed, but it doesn't work here.

Works:
When I specify:
 host ldap.host.here:636

Works not:
When I specify:
 host ldap.host here
 port 636
Or:
 uri ldaps://ldap.host.here/

This seems to happen in feisty as well.

Same problem with host/uri in config as well, host works, uri does not.

Going to try and roll back to LTS version to test if the hanging can be resolved as well.

currently testing on libnss-ldap version 251-7.5 on feisty

From an strace that we ran on getent passwd it seemed that the problem might be related to Avahi?

Using the edgy libnss_ldap librarty on feisty works as well :)

Can this be fixed in feisty :)

Cheers

Using the linbss_ldap-2.4 does allow you to auth on feisty .. but seg faults on pretty much everything after that .. so obviously this is not a desirable fix.

Will look into other options to get this working ..

This seemed to have been a faulty install somehow ... reinstall worked as expected without needing any other version of libnnsldap

Is the 253 version in a repo somewhere? I wouldn't mind testing it. Still getting problems similar to bug 51315 with Courier - complaining it can't contact the LDAP server in auth.log.

There seems to be some confusion and one successful test here. If you guys still care about edgy-proposed, please do a followup upload to edgy-updates which drops the ~proposed1 version suffix. If nobody cares any more, I'll just remove the proposed version.

Removed package from edgy-proposed due to inactivity.