Bug #12236

closed

getmembers_DN doesn't properly handle errors from __ns_ldap_dn2uid

Added by Jason King almost 2 years ago. Updated almost 2 years ago.

Status: Closed
Priority: Normal
Assignee: -
Category: lib - userland libraries
Start date:
Due date:
% Done: 100%
Estimated time:
Difficulty: Medium
Tags:
Gerrit CR:

Description

Helping sjorge on IRC with some LDAP group issues (where groups weren't showing up), we discovered the following:

  3  90236          __ns_ldap_dn2uid:return                 2
  3  90229             getmembers_DN:return                 2
  3  90245       _nss_ldap_group2str:return                 2

Note that __ns_ldap_dn2uid returns a value from enum ns_ldap_return_code. In this case 2 is equal to NS_LDAP_NOTFOUND, which seems reasonable. However, getmembers_DN should return one of: NSS_STR_PARSE_SUCCESS, NSS_STR_PARSE_PARSE, NSS_STR_PARSE_ERANGE. There seem to be two issues here:

  1. The return value of __ns_ldap_dn2uid should be mapped to one of the NSS_STR_ values before getmembers_DN returns.
  2. It seems likely that since the existing code in getmembers_DN appears to just ignore errors from __ns_ldap_dn2uid that at least some errors that are ignored should also reset the value of nss_result. Possibly, getmembers_DN might also instead be a void function if no errors are intended to be returned.
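
A simplified model of the problem described above, added here as an illustration and not taken from the illumos source. The names `stub_dn2uid`, `map_rc`, `collect_members` and the shortened constants are hypothetical stand-ins, the parse-code values are assumed, and the mapping policy is only one possible choice.

```c
#include <stdio.h>
#include <string.h>

/* Local stand-ins: NOTFOUND == 2 is from the report; other values assumed. */
enum { LDAP_RC_SUCCESS = 0, LDAP_RC_NOTFOUND = 2, LDAP_RC_MEMORY = 3 };
enum { PARSE_SUCCESS = 0, PARSE_PARSE = 1, PARSE_ERANGE = 2 };
/* Constructed directory: exactly one DN resolves to a uid. */
static int stub_dn2uid(const char *dn, const char **uid)
{
	if (strcmp(dn, "uid=alice,ou=people,dc=example,dc=org") != 0)
		return (LDAP_RC_NOTFOUND);
	*uid = "alice";
	return (LDAP_RC_SUCCESS);
}

/* Hypothetical policy: move a lookup code into the parse-code domain. */
static int map_rc(int rc)
{
	if (rc == LDAP_RC_SUCCESS || rc == LDAP_RC_NOTFOUND)
		return (PARSE_SUCCESS);	/* unresolvable member is just omitted */
	return (PARSE_PARSE);		/* any other failure rejects the entry */
}

/* Build a comma list of uids in buf; fixed != 0 applies map_rc. */
static int collect_members(const char **dns, size_t n, char *buf, size_t len, int fixed)
{
	int rc = LDAP_RC_SUCCESS;
	size_t used = 0;
	buf[0] = '\0';
	for (size_t i = 0; i < n; i++) {
		const char *uid = NULL;
		rc = stub_dn2uid(dns[i], &uid);
		if (fixed && map_rc(rc) != PARSE_SUCCESS)
			return (map_rc(rc));
		if (rc != LDAP_RC_SUCCESS)
			continue;	/* member skipped; buggy path keeps rc */
		if (used + strlen(uid) + (used ? 1 : 0) >= len)
			return (PARSE_ERANGE);
		used += (size_t)snprintf(buf + used, len - used, "%s%s", used ? "," : "", uid);
	}
	return (fixed ? PARSE_SUCCESS : rc);	/* buggy: raw lookup code leaks */
}

int main(void)
{
	const char *dns[] = { "uid=alice,ou=people,dc=example,dc=org", "uid=ghost,ou=people,dc=example,dc=org" };
	char buf[64];
	int buggy = collect_members(dns, 2, buf, sizeof (buf), 0);
	printf("buggy=%d fixed=%d members=%s\n", buggy, collect_members(dns, 2, buf, sizeof (buf), 1), buf);
}
```

With these assumed values, the leaked "not found" code is numerically identical to the range-error parse code, so a caller cannot tell a skipped member from a too-small buffer.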

Related issues

Related to illumos gate - Bug #12240: nss_ldap does not properly look up group members by distinguished name (Closed)
