View Issue Details

ID: 0018374
Project: CentOS-7
Category: openssh
View Status: public
Last Update: 2021-12-21 14:38
Reporter: bartois
Assigned To:
Priority: normal
Severity: minor
Reproducibility: always
Status: new
Resolution: open
Product Version: 7.9.2009
Summary: 0018374: scope option is overwritten by deref

Description: options.deref never gets set. Instead, options.scope is overwritten in some circumstances. As a result, user SSH keys may not be fetched from the LDAP server.

Workarounds:

- To have the SCOPE option set properly, put it before the DEREF option or do not use the DEREF option in /etc/ssh/ldap.conf.
- There seems to be no workaround for setting the DEREF option in /etc/ssh/ldap.conf.

Steps To Reproduce:

1. Set options in the file /etc/ssh/ldap.conf:

SCOPE sub
DEREF always

2. Run:

/usr/libexec/openssh/ssh-ldap-helper -v -v -v -ew -s some_login 2>&1 | egrep -ie 'scope|deref'

Result:

debug3: Scope Sub
debug3: Deref Never
debug3: LDAP set deref to 0
debug3: LDAP search scope = 2 (&(objectclass=posixAccount)(objectclass=ldapPublicKey)(uid=some_login))

3. Swap the order of the mentioned lines in the file /etc/ssh/ldap.conf:

DEREF always
SCOPE sub

4. Run again:

/usr/libexec/openssh/ssh-ldap-helper -v -v -v -ew -s some_login 2>&1 | egrep -ie 'scope|deref'

Result:

debug3: Scope unknown: 3
debug3: Deref Never
debug3: LDAP set deref to 0
debug3: LDAP search scope = 3 (&(objectclass=posixAccount)(objectclass=ldapPublicKey)(uid=some_login))

Additional Information: After a quick look into the code I have located the source of the problem. The bug is in the file openssh-6.6p1-ldap.patch accompanying the SRPM. At line 1418 (+/- 1 line) we have:

+ case lDeref:
+ intptr = &options.scope;
+ arg = ldap_strdelim(&s);

For correct operation options.deref should be referenced:

+ case lDeref:
+ intptr = &options.deref;
+ arg = ldap_strdelim(&s);
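
Review bot: `intptr = &options.deref;` under `case lDeref:` corrects the pointer target, but the visible lines do not show how `arg` is validated or stored afterwards, so the change should be accepted only together with a re-run of the two reproduction commands above. Both line orders should then report `LDAP search scope = 2`, and `LDAP set deref to` should no longer be 0 when `DEREF always` is configured. It is also worth checking the neighbouring `case` labels of the same switch for the same copy-paste of `&options.scope`.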

Tags: No tags attached.
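
The order dependence in the two runs above can be reproduced with a small model of the keyword parser. This is an added example, not code from openssh-6.6p1-ldap.patch: the names `parse`, `opts`, `SCOPE_FIRST` and `DEREF_FIRST` are hypothetical, the numeric values are taken from the debug output in the report, and the first-value-wins assignment and the fallback of an unset DEREF to Never (0) are assumptions chosen because they match that output.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of the parsing flaw; not code from openssh-6.6p1-ldap.patch. */
enum { UNSET = -1, SCOPE_SUB = 2, DEREF_NEVER = 0, DEREF_ALWAYS = 3 };

struct opts { int scope, deref; };

/* Constructed sample configs: the two line orders from the report. */
static const char *const SCOPE_FIRST[] = { "SCOPE sub", "DEREF always" };
static const char *const DEREF_FIRST[] = { "DEREF always", "SCOPE sub" };

/* buggy != 0 points the DEREF case at opts.scope, as in the reported patch line. */
static struct opts parse(const char *const *lines, size_t n, int buggy)
{
    struct opts o = { UNSET, UNSET };
    for (size_t i = 0; i < n; i++) {
        char key[16], val[16];
        int *intptr, value;
        if (sscanf(lines[i], "%15s %15s", key, val) != 2)
            continue;
        if (strcmp(key, "SCOPE") == 0 && strcmp(val, "sub") == 0) {
            intptr = &o.scope;
            value = SCOPE_SUB;
        } else if (strcmp(key, "DEREF") == 0 && strcmp(val, "always") == 0) {
            intptr = buggy ? &o.scope : &o.deref;
            value = DEREF_ALWAYS;
        } else {
            continue;   /* the model only knows the two values used in the report */
        }
        if (*intptr == UNSET)   /* assumption: first value seen wins */
            *intptr = value;
    }
    if (o.deref == UNSET)
        o.deref = DEREF_NEVER;  /* assumption: unset DEREF falls back to Never (0) */
    return o;
}

int main(void)
{
    struct opts a = parse(SCOPE_FIRST, 2, 1), b = parse(DEREF_FIRST, 2, 1);
    struct opts c = parse(DEREF_FIRST, 2, 0);
    printf("buggy, SCOPE first: scope=%d deref=%d\n", a.scope, a.deref);
    printf("buggy, DEREF first: scope=%d deref=%d\n", b.scope, b.deref);
    printf("fixed, DEREF first: scope=%d deref=%d\n", c.scope, c.deref);
    return 0;
}
```

With the wrong pointer, whichever of the two keywords comes first claims `scope`, and `deref` stays at its default in both orders, which is the pattern in the debug3 lines above.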

Activities

There are no notes attached to this issue.

Issue History

Date Modified Username Field Change
2021-12-21 14:38 bartois New Issue