Re: Return value of ldap_result() not compared to LDAP_RES_BIND?
- From: Arthur de Jong <arthur [at] arthurdejong.org>
- To: Felix Fontein <felix [at] fontein.de>, nss-pam-ldapd-users [at] lists.arthurdejong.org
- Subject: Re: Return value of ldap_result() not compared to LDAP_RES_BIND?
- Date: Fri, 11 Sep 2020 21:04:50 +0200
Hi Felix,
Thanks for your detailed report.
On Fri, 2020-09-11 at 11:16 +0200, Felix Fontein wrote:
> So rc == LDAP_RES_BIND, but the code checks for LDAP_SUCCESS (which
> is 0). Which obviously won't match.
>
> I've tentatively changed the if condition to
>
> if (rc != LDAP_SUCCESS && rc != LDAP_RES_BIND)
>
> and with that was successfully able to log in.
>
> Now I'm wondering why the code looks as-is, especially since it has
> been in that form for many years now. Is the current code known to
> work in some cases? Or did ldap_result (breakingly) change over
> time?
There was a bug in the code and it should only have been triggered
if the pam_authc_ppolicy is set to no, which is apparently uncommon.
The underlying problem is that rc is first set as the result of
the ldap_result() operation (which returns LDAP_RES_...) but later is
expected to be that of a normal LDAP rc (e.g. LDAP_SUCCESS,
LDAP_LOCAL_ERROR, LDAP_INVALID_CREDENTIALS, etc.). If pam_authc_ppolicy
is set to "no", the part of the code that gets the actual result of the
BIND operation (via ldap_parse_result()) was not called, resulting in
this error.
This is fixed in:
https://arthurdejong.org/git/nss-pam-ldapd/commit/?id=37a00e9
It's been a while since a bug in nss-pam-ldapd showed up ;)
Thanks,
--
-- arthur - arthur@arthurdejong.org - https://arthurdejong.org/ --
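
The distinction described in this message, as an added example that is not nss-pam-ldapd's code or part of the original thread: ldap_result() reports the message type, and only the code extracted by ldap_parse_result() says whether the bind succeeded. The model_* functions, struct bind_response and the three variants are hypothetical stand-ins that model each check in isolation; the constants repeat the values from OpenLDAP's ldap.h so it builds without libldap.

```c
#include <stdio.h>

/* Values from OpenLDAP's <ldap.h>, repeated so this builds without libldap. */
#define LDAP_SUCCESS             0x00
#define LDAP_INVALID_CREDENTIALS 0x31
#define LDAP_RES_BIND            0x61

/* Constructed stand-in for the server's answer to a bind request. */
struct bind_response { int msgtype; int result_code; };

/* Models ldap_result(): message TYPE on success, 0 on timeout, -1 on error. */
static int model_ldap_result(const struct bind_response *r)
{
    return r ? r->msgtype : -1;
}

/* Models ldap_parse_result(): yields the result code carried in the message. */
static int model_ldap_parse_result(const struct bind_response *r, int *errcodep)
{
    *errcodep = r->result_code;
    return LDAP_SUCCESS;
}

enum variant { BUGGY, WORKAROUND, PARSED };

/* Returns 1 when the given check would treat the bind as authenticated. */
int bind_accepted(enum variant v, const struct bind_response *r)
{
    int code = -1;
    int rc = model_ldap_result(r);
    if (rc <= 0)
        return 0;                       /* error or timeout */
    if (v == BUGGY)                     /* message type vs. result code */
        return rc == LDAP_SUCCESS;
    if (v == WORKAROUND)                /* message type accepted as success */
        return rc == LDAP_SUCCESS || rc == LDAP_RES_BIND;
    if (rc != LDAP_RES_BIND)            /* PARSED: require a bind response */
        return 0;
    if (model_ldap_parse_result(r, &code) != LDAP_SUCCESS)
        return 0;
    return code == LDAP_SUCCESS;        /* only the parsed code decides */
}

int main(void)
{
    struct bind_response good = { LDAP_RES_BIND, LDAP_SUCCESS };
    struct bind_response bad  = { LDAP_RES_BIND, LDAP_INVALID_CREDENTIALS };
    printf("buggy/good=%d workaround/bad=%d parsed/good=%d parsed/bad=%d\n",
           bind_accepted(BUGGY, &good), bind_accepted(WORKAROUND, &bad),
           bind_accepted(PARSED, &good), bind_accepted(PARSED, &bad));
    return 0;
}
```

In this model a rejected bind still arrives as an LDAP_RES_BIND message, so a check that accepts the message type alone cannot tell a wrong password from a correct one.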