LinuxQuestions.org
Old 05-21-2017, 01:11 AM   #1
abhisheks77
Member
 
Registered: Apr 2014
Posts: 63

119214-33 broke LDAP authentication. Why?


Hello,
I have Solaris-10 x86 running on VMWare. I installed the Solaris recommended patch cluster and after that LDAP authentication broke. I was able to log in only with the root account. Upon further investigation, I found that 119214-33 was the patch which broke this authentication.
I tried reading about this patch, but am still not able to figure out how come this patch broke LDAP authentication. Can somebody help me with finding this?
Quote:
-bash-3.2# cat /var/tmp/10_x86_Recommended/10_x86_Recommended.README | grep 119214-33
119214-33 NSS_NSPR_JSS 3.21_x86: NSPR 4.11 / NSS 3.21 / JSS 4.3.2
-bash-3.2#
Thanks
 
Old 05-21-2017, 05:37 AM   #2
jlliagre
Moderator
 
Registered: Feb 2004
Location: Outside Paris
Distribution: Solaris 11.4, Oracle Linux, Mint, Tribblix, Ubuntu/WSL
Posts: 9,761

What was the previous patch #119214 version installed?
 
Old 05-21-2017, 11:08 AM   #3
abhisheks77
Member
 
Registered: Apr 2014
Posts: 63

Original Poster
I can see this now
Quote:
-bash-3.2# showrev -p | grep 119214
Patch: 119214-26 Obsoletes: Requires: Incompatibles: Packages: SUNWpr, SUNWtlsu, SUNWjss, SUNWtls
Patch: 119214-29 Obsoletes: Requires: Incompatibles: Packages: SUNWpr, SUNWtlsu, SUNWjss, SUNWtls
-bash-3.2# ls -l /var/sadm/patch/ | grep 119214
drwxr-xr-x 2 root root 6 Aug 20 2014 119214-29
-bash-3.2#
So it means, when I upgrade 119214-29 to 119214-33, it breaks LDAP authentication. I tried reading this link, but am not able to figure it out - https://getupdates.oracle.com/readme/119214-33

Last edited by abhisheks77; 05-21-2017 at 11:16 AM.
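An added example (not part of the original thread): a small shell check that reads `showrev -p` output and reports whether the highest installed revision of a patch meets a required minimum, as with 119214-29 versus 119214-33 above. The function names are hypothetical, the sample input is the two lines from the post, and a POSIX awk is assumed (on Solaris 10, `nawk` or `/usr/xpg4/bin/awk`).

```shell
#!/bin/sh
# Added example: audit the installed revision of a Solaris patch.
# The `showrev -p` listing is read on stdin so the check can run offline.

# highest_rev PATCH_ID
# Print the highest installed revision number (e.g. 29), or nothing if
# no revision of PATCH_ID appears in the listing.
highest_rev() {
    awk -v id="$1" '
        $1 == "Patch:" {
            n = split($2, p, "-")            # "119214-29" -> id, revision
            if (n == 2 && p[1] == id && (!found || p[2] + 0 > max)) {
                max = p[2] + 0               # numeric, drops leading zeros
                found = 1
            }
        }
        END { if (found) print max }
    '
}

# check_patch PATCH_ID MIN_REV
# Returns 0 if installed revision >= MIN_REV, 1 if older, 2 if absent.
check_patch() {
    have=$(highest_rev "$1")
    if [ -z "$have" ]; then
        echo "$1: no revision installed"
        return 2
    fi
    if [ "$have" -ge "$2" ]; then
        echo "$1-$have installed (meets required -$2)"
        return 0
    fi
    echo "$1-$have installed, below required -$2"
    return 1
}

# Constructed sample input: the two showrev lines quoted in the post.
SAMPLE='Patch: 119214-26 Obsoletes: Requires: Incompatibles: Packages: SUNWpr, SUNWtlsu, SUNWjss, SUNWtls
Patch: 119214-29 Obsoletes: Requires: Incompatibles: Packages: SUNWpr, SUNWtlsu, SUNWjss, SUNWtls'

printf '%s\n' "$SAMPLE" | check_patch 119214 33 || true
# On a live system: showrev -p | check_patch 119214 33
```

The non-zero return codes make the check usable in a compliance script that flags hosts where a security patch was backed out or skipped.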
 
Old 05-21-2017, 03:02 PM   #4
jlliagre
Moderator
 
Registered: Feb 2004
Location: Outside Paris
Distribution: Solaris 11.4, Oracle Linux, Mint, Tribblix, Ubuntu/WSL
Posts: 9,761

The patch you rolled back is fixing many vulnerabilities so your system is at risk.

The directory server should be up to date with NSS which it doesn't look to be. Ask the directory server vendor for support.
 
Old 05-21-2017, 03:32 PM   #5
abhisheks77
Member
 
Registered: Apr 2014
Posts: 63

Original Poster
119214-29 is already on the server. As of now, till I find what was broken, I have to live with 119214-29.
I will check with vendor support.
 
Old 05-21-2017, 04:18 PM   #6
jlliagre
Moderator
 
Registered: Feb 2004
Location: Outside Paris
Distribution: Solaris 11.4, Oracle Linux, Mint, Tribblix, Ubuntu/WSL
Posts: 9,761

Yes, without 119214-33 your system suffers from several vulnerabilities.
 
Old 05-21-2017, 04:36 PM   #7
abhisheks77
Member
 
Registered: Apr 2014
Posts: 63

Original Poster
I am just trying to understand risk factor/level.
119214-29 was already there. I patched the server with the other patches except 119214-33. Is my server as vulnerable as pre-patch, or did it become more vulnerable after applying patches, excluding 119214-33?

Let me give you some background on this. We were facing an issue of the server panicking occasionally, like once a month. So we got a suggestion to apply the latest patch cluster. We applied it and LDAP authentication broke. Then we restored the server and again applied the patches excluding 119214-33. This is a development environment and we need to apply the same on the production environment next week. That is the reason I want to know if patching the server (without 119214-33) will make it more vulnerable than the before-patch environment?

Last edited by abhisheks77; 05-21-2017 at 04:45 PM.
 
Old 05-21-2017, 05:31 PM   #8
jlliagre
Moderator
 
Registered: Feb 2004
Location: Outside Paris
Distribution: Solaris 11.4, Oracle Linux, Mint, Tribblix, Ubuntu/WSL
Posts: 9,761

Your system was vulnerable and still is as far as NSS is concerned. You are missing almost three years of security fixes.

Unexplained panics should be reported and analyzed by the support.
 
Old 05-21-2017, 05:38 PM   #9
abhisheks77
Member
 
Registered: Apr 2014
Posts: 63

Original Poster
Thanks. I will take it up with support
 
  

