Re: Return value of ldap_result() not compared to LDAP_RES_BIND?
- From: Felix Fontein <felix [at] fontein.de>
- To: Arthur de Jong <arthur [at] arthurdejong.org>
- Cc: nss-pam-ldapd-users [at] lists.arthurdejong.org
- Subject: Re: Return value of ldap_result() not compared to LDAP_RES_BIND?
- Date: Fri, 11 Sep 2020 21:28:12 +0200
Hi Arthur,
thanks for your quick reply and patch! I've just compiled nslcd with
your patch (after stashing my change) and tested it, it still works for
me!
> There was a bug in the code and it should only have been triggered
> if the pam_authc_ppolicy is set to no which is apparently uncommon.
I indeed set `pam_authc_ppolicy` to `no` to get rid of the warnings in
OpenLDAP - I now saw that there are similar bug reports
(https://lists.arthurdejong.org/nss-pam-ldapd-users/2020/msg00018.html,
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900253) where a
workaround seems to be to (re-)enable `pam_authc_ppolicy`. Maybe these
cases are now fixed as well.
> The underlying problem is that rc is first set as the result of
> the ldap_result() operation (which returns LDAP_RES_...) but later is
> expected to be that of a normal LDAP rc (e.g. LDAP_SUCCESS,
> LDAP_LOCAL_ERROR, LDAP_INVALID_CREDENTIALS, etc.). If
> pam_authc_ppolicy is set to "no" the part of the code that gets the
> actual result of the BIND operation (via ldap_parse_result()) was not
> called resulting in this error.
That skipped code was the code I left out in the [...] ;-)
> It's been a while since a bug in nss-pam-ldapd showed up ;)
Indeed, I also noticed that this part of the code didn't change for
quite some time :)
Thanks a lot and have a great weekend,
Felix
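
The rc mix-up described in the quoted explanation, as an added example that is not part of the original message and is not nslcd's code. The libldap calls are replaced by constructed stand-ins (`mock_ldap_result`, `mock_ldap_parse_result`) so it runs without a directory server, and the `bind_rc_*` function names are hypothetical.

```c
#include <stdio.h>

/* Values as in OpenLDAP 2.4's <ldap.h>. */
#define LDAP_SUCCESS             0x00
#define LDAP_INVALID_CREDENTIALS 0x31
#define LDAP_LOCAL_ERROR         (-2)
#define LDAP_RES_BIND            0x61 /* message type tag, not a result code */

/* Constructed stand-in for a received response message. */
struct mock_msg { int msgtype; int resultcode; };

/* Stand-in for ldap_result(): returns the message type (LDAP_RES_...). */
static int mock_ldap_result(const struct mock_msg *m) { return m->msgtype; }

/* Stand-in for ldap_parse_result(): hands back the server's result code. */
static int mock_ldap_parse_result(const struct mock_msg *m, int *errcodep)
{
  *errcodep = m->resultcode;
  return LDAP_SUCCESS;
}

/* Pattern from the thread: one rc holds the message type first and is later
   read as a result code; the parse step only runs with ppolicy enabled. */
int bind_rc_conflated(const struct mock_msg *m, int ppolicy)
{
  int rc = mock_ldap_result(m), parsed;
  if (ppolicy && mock_ldap_parse_result(m, &parsed) == LDAP_SUCCESS)
    rc = parsed;
  return rc; /* ppolicy == 0: still LDAP_RES_BIND, never LDAP_SUCCESS */
}

/* Message type and result code kept apart; the result is always parsed. */
int bind_rc_separated(const struct mock_msg *m)
{
  int parsed;
  if (mock_ldap_result(m) != LDAP_RES_BIND)
    return LDAP_LOCAL_ERROR; /* unexpected message type: fail closed */
  if (mock_ldap_parse_result(m, &parsed) != LDAP_SUCCESS)
    return LDAP_LOCAL_ERROR;
  return parsed;
}

int main(void)
{
  struct mock_msg ok = { LDAP_RES_BIND, LDAP_SUCCESS }; /* constructed */
  printf("conflated, ppolicy off: %d\n", bind_rc_conflated(&ok, 0));
  printf("separated:              %d\n", bind_rc_separated(&ok));
  return 0;
}
```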