Patch-ID# 114242-22

NOTE:
***********************************************************************
READ THE TERMS OF THE AGREEMENT ("AGREEMENT") IN THE LEGAL_LICENSE.TXT
FILE CAREFULLY BEFORE USING THIS SOFTWARE. BY USING THE SOFTWARE, YOU
AGREE TO THE TERMS OF THIS AGREEMENT. IF YOU DO NOT AGREE TO ALL OF THE
TERMS, PROMPTLY DESTROY THE UNUSED SOFTWARE.
***********************************************************************

Keywords: security nsswitch ldap domainname sigbus init ldapclient ssd
Synopsis: SunOS 5.9_x86: ldap library Patch
Date: Mar/13/2006

Install Requirements: See Special Install Instructions
                      Reboot immediately after patch is installed
                      Install in Single User Mode

Solaris Release: 9_x86

SunOS Release: 5.9_x86

Unbundled Product:

Unbundled Release:

Xref: This patch available for SPARC as patch 112960

Topic: SunOS 5.9_x86: ldap library Patch

Relevant Architectures: i386

BugId's fixed with this patch:
    4523936 4624458 4626861 4658569 4688752 4698366 4698379 4698387
    4702568 4720818 4723361 4743707 4746114 4747441 4751394 4754634
    4755582 4756193 4757282 4765506 4768140 4774607 4776571 4779333
    4780109 4784324 4787488 4791006 4793719 4802414 4805635 4830406
    4873939 4874749 4877796 4887906 4890233 4890303 4894518 4894583
    4913437 4920444 4977110 4980441 4988859 5003953 5005602 5007891
    5012514 5014922 5014993 5022076 5044522 5047250 5055748 5067333
    5096736 6219143 6226776 6232564 6232579 6262121 6262153 6276525

Changes incorporated in this version: 4756193 4894518

Patches accumulated and obsoleted by this patch: 114241-15 116524-01

Patches which conflict with this patch:

Patches required with this patch:

Obsoleted by:

Files included with this patch:

/usr/bin/passwd
/usr/include/ldap.h
/usr/lib/abi/abi_libldap.so.5
/usr/lib/abi/abi_libsldap.so.1
/usr/lib/ldap/ldap_cachemgr
/usr/lib/libldap.so.4
/usr/lib/libldap.so.5
/usr/lib/libpam.so.1
/usr/lib/libsldap.so.1
/usr/lib/llib-lldap
/usr/lib/llib-lldap.ln
/usr/lib/llib-lpasswdutil
/usr/lib/llib-lpasswdutil.ln
/usr/lib/llib-lsldap
/usr/lib/llib-lsldap.ln
/usr/lib/passwdutil.so.1
/usr/lib/security/pam_authtok_check.so.1
/usr/lib/security/pam_authtok_get.so.1
/usr/lib/security/pam_authtok_store.so.1
/usr/lib/security/pam_dhkeys.so.1
/usr/lib/security/pam_ldap.so.1
/usr/lib/security/pam_passwd_auth.so.1
/usr/sbin/ldapclient

Problem Description:

4756193 ldap_cache_mgr cores
4894518 passwd(1) doesn't allow for setting a non-login account that is not locked

(from 114242-21)

4791006 ldap_cachemgr initializes ldap_cache_door file with wrong permissions

(from 114242-20)

6226776 The passwd command will fail if first ldap server in referral list is down.
6276525 libldap5 cores when trying to resolve hostname

(from 114242-19)

6262121 Solaris 9 & 8 libldap5 crash when compiled with -DDEBUG and using SSL
6262153 Unable to build libldap5 with LDAP_DEBUG defined for Solaris 8 or 9 due to error in request.c

(from 114242-18)

4626861 If a search times out, libsldap logs the wrong message
6232564 when interrupted (EINTR) while polling, libsldap should retry the poll
6232579 libldap not handling select() failures when issuing a connection

(from 114242-17)

5055748 memory leak in libsldap/sldaputil
5047250 automountd memory-heap is growing on solaris 8 with latest 108993-33 patch

(from 114242-16)

4755582 authtok_check: old and new password diff. check should loop through shorter len.

(from 114242-15)

5007891 s8 passwd(1) command may SEGV on NIS+ master servers.
5096736 pwd change in NIS+ fails with "Permission denied" if new pwd is longer than 11 bytes

(from 114242-14)

4894583 su to a local account will dump core, if LDAP is enabled

(from 114242-13)

5044522 Root is able to change user passwd if no of attempts > max_attempts in nis+.
(from 114242-12)

5014993 user logins may fail when nsswitch compat mode is used with NIS+ or LDAP

(from 114242-11)

4988859 passwd -g, -e, -h cause segfault
5003953 Logins to Solaris 9 NIS+ clients always talk to master even when it is down

(from 114242-10)

4913437 Changing password in NIS+ fails on S9 clients with "Permission denied"
5012514 'passwd ' fails as root on NIS+ systems
4980441 PAM module pam_dhkeys fails to retrieve changed credentials

(from 114242-09)

4977110 passwd doesn't work with compat entries in /etc/nsswitch.conf

(from 114242-08)

4887906 pam_sm_chauthtok() returns 13 (PAM_USER_UNKNOWN) if lastchg=0 for local users

(from 114242-07)

4746114 libpam internationalized messages are off by 1 for locale != C
4793719 pam_authtok_check.so.1::circ() too space-conservative
4805635 root may change enduser password in NIS+ without entering its own password
4877796 passwd (passwdutil) inadvertently resets aging information

(from 114242-06)

4873939 pam and compat do not work after applying patch 108993-18

(from 114242-05)

4874749 passwd -x modifies the lastchg field also in /etc/shadow file

(from 114242-04)

4765506 NIS+ password problems with Solaris 9
4768140 passwd core dumps when changing shell

(from 114242-03)

4774607 pam_ldap gets confused when root tries to change user's password

(from 114242-02)

4830406 passwdutil is too dumb to handle NIS+ subdomains correctly

(from 114242-01)

4743707 non-default nsswitch backends confuse passwdutil.so.1
4747441 pam_authtok_store does not map all the PWU errors to PAM errors
4751394 non decisive modules should not return PAM_SUCCESS
4754634 passwd command seg faults when updating user can't be authenticated to LDAP

(from 114241-15)

6219143 LDAP server failover causes client to delete cert7.db file.

(from 114241-14)

4688752 "ldapclient mod" with no arguments causes naming services to fail
4698387 "ldapclient manual" results in "__default_config" error message on console.
4698366 "ldapclient list" does not display CACHETTL when it set.
4698379 "ldapclient manual" gets a default CACHETTL of 3600
4702568 "ldapclient uninit" does not restore /etc/.rootkey

(from 114241-13)

4784324 ldapaddent: does not function with tls specified
5022076 pam_ldap:pam_sm_acct_mgmt() uses incorrect password in BIND to LDAP

(from 114241-12)

5014922 bugfix for 4624458 causes compatibility problems between libsldap and libldap

(from 114241-11)

5005602 ldapaddent does not work with iDS 5.2

(from 114241-10)

5067333 S9 needs fix for 5036036

(from 114241-09)

4890303 pam_ldap should return PAM_AUTH_ERROR instead of PAM_PERM_DENIED

(from 114241-08)

4920444 libldap.so.4 ber encoding memory corruption

(from 114241-07)

4523936 mountd memory leak when using Native LDAP

(from 114241-06)

4787488 ldapaddent can only add ethers or bootparams for the same hosts, not both.

(from 114241-05)

4779333 ldap get*ent requests may free already freed memory
4780109 __ns_ldap_firstEntry may return a cookie that is freed

(from 114241-04)

4802414 Client does not follow referral without hostname.
4658569 Following referrals does not work in all cases

(from 114241-03)

4757282 ldapclient init fails with SIGBUS if SSD's are > 15 in profile

(from 114241-02)

4624458 if hostname is used in NS_LDAP_SERVERS, ldap goes into loop
4723361 log messages when resolving hostname for ldap_server
4776571 Applications running on SSL enabled native ldap clients may crash at termination

(from 114241-01)

4720818 LDAP naming services fail when domainname is greater than 23 characters

(from 116524-01)

4890233 using 'use_first_pass' for pam_ldap does not work

Patch Installation Instructions:
--------------------------------

For Solaris 2.0-2.6 releases, refer to the Install.info file and/or
the README within the patch for instructions on using the generic
'installpatch' and 'backoutpatch' scripts provided with each patch.
For Solaris 7-10 releases, refer to the man pages for instructions
on using 'patchadd' and 'patchrm' scripts provided with Solaris.
Any other special or non-generic installation instructions should be
described below as special instructions.

The following example installs a patch to a standalone machine:

    example# patchadd /var/spool/patch/104945-02

The following example removes a patch from a standalone system:

    example# patchrm 104945-02

For additional examples please see the appropriate man pages.

Special Install Instructions:
-----------------------------

Reboot the system after patch installation.

NOTE 1: To get the complete fix for the bug 4765506 (NIS+ password
        problems with Solaris 9), please also install the following
        patch:

        113719-08 (or greater) rpc.nispasswdd patch

NOTE 2: Migrating Your Sun Java System Directory Server:

        Schema changes were implemented between the release of
        Sun Java System (formerly Sun ONE) Directory Server 5.1 and
        the release of Directory Server 5.2. ldapaddent now adds
        "objectclass: device" to the entries of ethers/bootparams.
        Therefore, if you choose to use the LDAP commands to migrate
        directory data from Directory Server 5.1 to 5.2, you must use
        ldapaddent -d to export data and ldapaddent to import data.
        Otherwise, if you use the Sun Java System Directory Server
        tools db2ldif and ldif2db to migrate data, you must apply
        Directory Server 5.2 with all patches before migrating the
        data or the data import could fail.

README -- Last modified date: Monday, March 13, 2006