Patch Name: PHNE_25779

Patch Description: s700_800 11.X LDAP-UX Integration B.02.00 cumulative patch

Creation Date: 02/03/01

Post Date: 02/03/14

Hardware Platforms - OS Releases:
        s700: 11.00 11.11
        s800: 11.00 11.11

Products: LDAP-UX Integration B.02.00

Filesets:
        LdapUxClient.NATIVELDAP-RUN,fr=B.02.00,fa=HP-UX_B.11.00_32/64,v=HP
        NisLdapServer.YPLDAP-SERVER,fr=B.02.00,fa=HP-UX_B.11.00_32/64,v=HP

Automatic Reboot?: No

Status: General Release

Critical: Yes
        PHNE_25779:
                MEMORY_LEAK
                Memory leaks when ypldapd finds uid for DN.

Category Tags:
        defect_repair general_release critical memory_leak

Path Name: /hp-ux_patches/s700_800/11.X/PHNE_25779

Symptoms:
        PHNE_25779:

        1. JAGad89180: "Expired password support in PAM_LDAP"
           Users with expired passwords in LDAP are not able to change
           their password with iDS 5.0. Changing the password of an
           account with an expired password with the "passwd" command
           will also fail with iDS 5.0.

        2. JAGad84996: "Memory leaks when ypldapd finds uid for DN"
           The ypldapd daemon died. The resulting syslog message is
           as follows:

               "ypldapd [2809]: xdrrec_create: out of memory."

        3. JAGad91124: "Make DN to uid cache flush time configurable"
           When the posixGroup contains members defined using the
           X.500 syntax (and thus a group member is identified with
           a DN), group retrieval may take an excessive amount of
           time, especially when the cache has just been flushed.

        4. JAGad89478: "ypldapd is out of memory due to too many STATEs"
           ypldapd can hang or crash when it runs out of memory.

        5. JAGae02984: "ypldapd cored"
           ypldapd cored after running for a period of time.

Defect Description:
        PHNE_25779:

        1. JAGad89180: "Expired password support in PAM_LDAP"
           In Netscape Directory Server 4.x, the product allowed an
           account entry to perform directory searches when PAM_LDAP
           was authenticated as the entry's representative user and
           the password had expired. Starting with iDS 5.0, this
           user's ability to execute directory searches is no longer
           available if the password has expired.

        2. JAGad84996: "Memory leaks when ypldapd finds uid for DN"
           This problem occurs when group data is parsed using X.500
           syntax. In X.500 syntax, group members are identified using
           DNs, and the ypldapd daemon must query the LDAP server to
           get the UID for each DN. When this happens, the DN to UID
           parse routine does not properly release the memory allocated
           after retrieving the information. This behavior causes the
           ypldapd daemon to run out of memory.

        3. JAGad91124: "Make DN to uid cache flush time configurable"
           When the posixGroup contains X.500 syntax (each group member
           is identified with a DN), the ypldapd daemon must query the
           LDAP server for each group member by its DN to obtain its
           UID if the UID isn't in the DN to UID cache. This may cause
           an excessive delay when querying group data using X.500.

           The new dn2uid_cache_dump_interval parameter in
           /opt/ldapux/ypldapd/etc/ypldapd.conf allows you to configure
           the DN to UID cache flush time. By default the
           dn2uid_cache_dump_interval value is 1440 minutes. To use
           this feature, add this parameter along with your preferred
           parameter value to /opt/ldapux/ypldapd/etc/ypldapd.conf.

           Example:

               dn2uid_cache_dump_interval 120

        4. JAGad89478: "ypldapd is out of memory due to too many STATEs"
           The ypldapd daemon can become overwhelmed by clients that
           perform many enumeration calls (for example, calling the
           Getxxent() APIs). If you set the new maxstates parameter in
           the /opt/ldapux/ypldapd/etc/ypldapd.conf file, ypldapd will
           clean up states proactively instead of waiting for the time
           interval of the state_dump_interval parameter to elapse.

           Note: Setting the maxstates parameter might expose the
           application to the risk of premature termination of a map
           enumeration.

           By default the maxstates parameter is off. To use this
           feature, add this parameter along with the preferred value
           to /opt/ldapux/ypldapd/etc/ypldapd.conf.
           Example:

               maxstates 100

           You may need to tune the parameter value to fit the running
           environment.

        5. JAGae02984: "ypldapd cored"
           During initialization, ypldapd skips the preloading map.
           This leaves the iteration cache pointer uninitialized. When
           it is time to flush the cache, the preload routine writes to
           the uninitialized iteration cache, which causes ypldapd to
           abort.

SR:
        8606220039
        8606215820
        8606222009
        8606220338
        8606233760

Patch Files:
        LdapUxClient.NATIVELDAP-RUN,fr=B.02.00,
        fa=HP-UX_B.11.00_32/64,v=HP:
                /usr/lib/security/libpam_ldap.1

        NisLdapServer.YPLDAP-SERVER,fr=B.02.00,
        fa=HP-UX_B.11.00_32/64,v=HP:
                /opt/ldapux/ypldapd/sbin/ypldapd
                /opt/ldapux/ypldapd/lib/librfc2307bis.sl

what(1) Output:
        LdapUxClient.NATIVELDAP-RUN,fr=B.02.00,
        fa=HP-UX_B.11.00_32/64,v=HP:
                /usr/lib/security/libpam_ldap.1:
                        Version LDUXVer B.02.00.001, Wed Jan 16 10:05:28 PST 2002

        NisLdapServer.YPLDAP-SERVER,fr=B.02.00,
        fa=HP-UX_B.11.00_32/64,v=HP:
                /opt/ldapux/ypldapd/sbin/ypldapd:
                        PROGRAM:ypldapd LDUXVer B.02.00.001 PROJECT:ypldapd-67
                        DEVELOPER:grace BUILT:Wed Jan 16 18:06:17 UTC 2002
                /opt/ldapux/ypldapd/lib/librfc2307bis.sl:
                        LIBRARY:librfc2307bis LDUXVer B.02.00.001 PROJECT:ypldapd-67
                        DEVELOPER:grace BUILT:Wed Jan 16 18:06:05 UTC 2002

cksum(1) Output:
        LdapUxClient.NATIVELDAP-RUN,fr=B.02.00,
        fa=HP-UX_B.11.00_32/64,v=HP:
                2330520459 178648 /usr/lib/security/libpam_ldap.1

        NisLdapServer.YPLDAP-SERVER,fr=B.02.00,
        fa=HP-UX_B.11.00_32/64,v=HP:
                1631591616 297568 /opt/ldapux/ypldapd/sbin/ypldapd
                1033453533 102400 /opt/ldapux/ypldapd/lib/librfc2307bis.sl

Patch Conflicts: None

Patch Dependencies: None

Hardware Dependencies: None

Other Dependencies: None

Supersedes: None

Equivalent Patches: None

Patch Package Size: 600 KBytes

Installation Instructions:
        Please review all instructions and the Hewlett-Packard
        SupportLine User Guide or your Hewlett-Packard support terms
        and conditions for precautions, scope of license,
        restrictions, and limitation of liability and warranties,
        before installing this patch.
        ------------------------------------------------------------
        1. Back up your system before installing a patch.

        2. Login as root.

        3. Copy the patch to the /tmp directory.

        4. Move to the /tmp directory and unshar the patch:

               cd /tmp
               sh PHNE_25779

        5. Run swinstall to install the patch:

               swinstall -x autoreboot=true -x patch_match_target=true \
                    -s /tmp/PHNE_25779.depot

        By default swinstall will archive the original software in
        /var/adm/sw/save/PHNE_25779. If you do not wish to retain a
        copy of the original software, include the patch_save_files
        option in the swinstall command above:

               -x patch_save_files=false

        WARNING: If patch_save_files is false when a patch is installed,
                 the patch cannot be deinstalled. Please be careful
                 when using this feature.

        For future reference, the contents of the PHNE_25779.text file
        are available in the product readme:

               swlist -l product -a readme -d @ /tmp/PHNE_25779.depot

        To put this patch on a magnetic tape and install from the
        tape drive, use the command:

               dd if=/tmp/PHNE_25779.depot of=/dev/rmt/0m bs=2k

Special Installation Instructions:
        1. The NIS/LDAP Gateway daemon must be shut down prior to
           installing this patch. This can be accomplished by
           executing the following command as root:

               kill $(cat /var/run/ypldapd.pid)

           To start the NIS/LDAP Gateway daemon after the patch is
           installed, execute the following command as root:

               /opt/ldapux/ypldapd/sbin/ypldapd

           Multiple clients are connected to ypldapd. The daemon is
           not shut down automatically, to avoid disrupting NIS clients.

        2. There are two new parameters with this patch:
           dn2uid_cache_dump_interval and maxstates. These parameters
           are optional. To use these parameters, refer to the defect
           descriptions under defects JAGad91124 and JAGad89478 to
           update the /opt/ldapux/ypldapd/etc/ypldapd.conf file.
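The two things an administrator does by hand after installing this patch are checking that the installed files match the cksum(1) values listed above and adding the optional dn2uid_cache_dump_interval and maxstates directives (defects JAGad91124 and JAGad89478) to ypldapd.conf. The helper script below is an added example; it is not part of the PHNE_25779 readme or of the LDAP-UX product. It assumes cksum(1) prints the POSIX "sum size path" form and that ypldapd.conf holds one "name value" directive per line, as the readme's Example lines show. The function names verify_patch_file, verify_all_patch_files, set_ypldapd_param and get_ypldapd_param are the example's own.

```sh
#!/bin/sh
# Added example, not part of the PHNE_25779 readme or the LDAP-UX product.
# Post-install helpers for this patch:
#   - verify the installed patch files against the cksum(1) values the
#     readme publishes, so a tampered or partially installed file is noticed;
#   - add or replace the two new optional ypldapd.conf directives without
#     leaving duplicate lines behind.
# Assumptions: cksum(1) prints the POSIX "sum size path" form, and
# ypldapd.conf holds one "name value" directive per line, as the readme's
# Example lines show. All function names below are this example's own.

# Expected checksums, copied verbatim from the readme's cksum(1) Output section.
PHNE_25779_CKSUMS='2330520459 178648 /usr/lib/security/libpam_ldap.1
1631591616 297568 /opt/ldapux/ypldapd/sbin/ypldapd
1033453533 102400 /opt/ldapux/ypldapd/lib/librfc2307bis.sl'

# verify_patch_file SUM SIZE PATH
# Returns 0 when PATH exists and its cksum and byte count both match.
verify_patch_file() {
    want_sum=$1
    want_size=$2
    path=$3
    if [ ! -f "$path" ]; then
        echo "MISSING  $path" >&2
        return 1
    fi
    set -- $(cksum "$path")     # $1 = checksum, $2 = byte count
    if [ "$1" = "$want_sum" ] && [ "$2" = "$want_size" ]; then
        echo "OK       $path"
        return 0
    fi
    echo "MISMATCH $path (got $1 $2, expected $want_sum $want_size)" >&2
    return 1
}

# verify_all_patch_files
# Checks every file in PHNE_25779_CKSUMS; the return value is the number
# of files that are missing or do not match (0 means the patch is intact).
verify_all_patch_files() {
    failures=0
    while read -r sum size path; do
        verify_patch_file "$sum" "$size" "$path" || failures=$((failures + 1))
    done <<EOF
$PHNE_25779_CKSUMS
EOF
    return $failures
}

# set_ypldapd_param CONF NAME VALUE
# Writes "NAME VALUE" into CONF, replacing any existing NAME line so the
# directive never appears twice. VALUE must be a non-negative integer
# (minutes for dn2uid_cache_dump_interval, a count for maxstates).
# ypldapd reads the file at startup, so restart it afterwards as the
# readme's Special Installation Instructions describe.
set_ypldapd_param() {
    conf=$1
    name=$2
    value=$3
    case $value in
        ''|*[!0-9]*)
            echo "$name: value must be an integer, got '$value'" >&2
            return 1 ;;
    esac
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 1; }
    tmp="$conf.tmp.$$"
    # Keep every line that is not this directive (leading blanks allowed).
    grep -v "^[[:space:]]*$name[[:space:]]" "$conf" > "$tmp" || :
    printf '%s %s\n' "$name" "$value" >> "$tmp"
    mv "$tmp" "$conf"
}

# get_ypldapd_param CONF NAME
# Prints the value of NAME from CONF (empty output if it is not set).
get_ypldapd_param() {
    awk -v n="$2" '$1 == n { print $2 }' "$1"
}

# Usage, as root, after swinstall and before restarting ypldapd:
#   verify_all_patch_files || echo "patch files do not match the readme" >&2
#   set_ypldapd_param /opt/ldapux/ypldapd/etc/ypldapd.conf dn2uid_cache_dump_interval 120
#   set_ypldapd_param /opt/ldapux/ypldapd/etc/ypldapd.conf maxstates 100
```

Run the checksum check before restarting the daemon: a MISSING or MISMATCH line means swinstall did not leave the file the readme describes, and the daemon should not be started on it until that is understood. The config helper rewrites the directive in place rather than appending, so repeated runs (or a maxstates value tuned several times, as the readme anticipates) never leave two competing lines in ypldapd.conf.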