The problem appears to be related to the response size when calling ldap_search_s() in _get_user_info():

rc = ldap_search_s (session->ld, ssd->base, ssd->scope, filter, NULL, 0, &res);

pam_ldap works correctly if that line is changed to either not request attribute data:

  rc = ldap_search_s (session->ld, ssd->base, ssd->scope, filter, NULL, 1, &res);

or to request only a few attributes (ldap_search_s() takes the attribute list as a char **, so the array itself is passed, not its address):

  char *test_attrs[] = { , NULL };
  rc = ldap_search_s (session->ld, ssd->base, ssd->scope,
          filter, test_attrs, 0, &res);

I had earlier noticed that the response sizes were suspiciously near 32KB. The failing ones have jpegPhoto attributes which are over 32KB; the working ones were below that threshold. I had assumed that the SIZELIMIT error check meant this was handled correctly by the lower levels but that doesn't appear to be the case. In any case there's a strong argument against retrieving an entire LDAP record at login since modern directories may contain things like pictures, x509 keys, etc. which are fairly large and of no interest to pam_ldap.

Here's the latest version of my version, which uses the test_attrs approach above and removes a couple of test syslog() calls which I inadvertently left in the previous diff. This works in my test environment, but I would definitely want to test it more before releasing it into the wild.

Attachment: libpam-ldap-attribute-fix-and-syslog.diff.gz
Description: GNU Zip compressed data

Chris

Attachment: smime.p7s
Description: S/MIME cryptographic signature
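The diagnosis above (responses near 32KB, jpegPhoto values pushing some entries over that boundary, and only a handful of attributes being of any use at login) can be checked against a directory export before touching pam_ldap. The following is an added example, not code from the post or from pam_ldap: it parses LDIF, measures each entry's total attribute payload, flags the attributes that individually exceed the 32KB mark, and shows how small the same entry becomes when only a login-relevant attribute set is requested. The sample LDIF is constructed inline, and the LOGIN_ATTRS set is an assumption for illustration, not the list pam_ldap actually requests.

```python
"""Size audit of LDAP entries from an LDIF dump (added example, not pam_ldap code)."""
import base64

THRESHOLD = 32 * 1024  # the ~32KB boundary observed in the post

# Assumed login attribute set for illustration; not pam_ldap's actual list.
LOGIN_ATTRS = ("uid", "uidNumber", "gidNumber", "homeDirectory", "loginShell")


def build_sample_ldif():
    """Constructed LDIF with two users; bob carries a 40,000-byte jpegPhoto."""
    photo = base64.b64encode(b"\xff\xd8" + b"\x00" * 39998).decode()
    # Fold the base64 into 76-column continuation lines, as LDIF writers do.
    folded = "\n ".join(photo[i:i + 76] for i in range(0, len(photo), 76))
    return (
        "dn: uid=alice,ou=people,dc=example,dc=com\n"
        "uid: alice\n"
        "uidNumber: 1001\n"
        "gidNumber: 100\n"
        "homeDirectory: /home/alice\n"
        "loginShell: /bin/sh\n"
        "\n"
        "dn: uid=bob,ou=people,dc=example,dc=com\n"
        "uid: bob\n"
        "uidNumber: 1002\n"
        "gidNumber: 100\n"
        "homeDirectory: /home/bob\n"
        "loginShell: /bin/sh\n"
        f"jpegPhoto:: {folded}\n"
    )


def parse_ldif(text):
    """Parse LDIF into a list of (dn, {attr: [value_bytes, ...]})."""
    entries = []
    for block in text.strip().split("\n\n"):
        # Unfold continuation lines (a line starting with a single space).
        logical = []
        for line in block.split("\n"):
            if line.startswith(" ") and logical:
                logical[-1] += line[1:]
            else:
                logical.append(line)
        dn = None
        attrs = {}
        for line in logical:
            if not line or line.startswith("#"):
                continue
            if line.startswith("dn:"):
                dn = line[3:].strip()
                continue
            name, _, raw = line.partition(":")
            if raw.startswith(":"):
                # "attr:: <base64>" form, used for binary values such as jpegPhoto
                value = base64.b64decode(raw[1:].strip())
            else:
                value = raw.strip().encode()
            attrs.setdefault(name, []).append(value)
        entries.append((dn, attrs))
    return entries


def entry_size(attrs, wanted=None):
    """Bytes of attribute names plus values, optionally restricted to `wanted`."""
    total = 0
    for name, values in attrs.items():
        if wanted is not None and name not in wanted:
            continue
        total += len(name) + sum(len(v) for v in values)
    return total


def oversize_attributes(attrs, threshold=THRESHOLD):
    """Attributes whose values alone exceed the threshold."""
    return sorted(n for n, vs in attrs.items() if sum(len(v) for v in vs) > threshold)


def audit(text, wanted=LOGIN_ATTRS, threshold=THRESHOLD):
    """Per-entry report: (dn, full_size, restricted_size, oversize_attrs)."""
    report = []
    for dn, attrs in parse_ldif(text):
        report.append((dn, entry_size(attrs), entry_size(attrs, wanted),
                       oversize_attributes(attrs, threshold)))
    return report


if __name__ == "__main__":
    for dn, full, small, big in audit(build_sample_ldif()):
        flag = " OVER" if full > THRESHOLD else ""
        print(f"{dn}: all attrs {full} bytes{flag}, login attrs {small} bytes, large: {big}")
```

Run against a real export (`ldapsearch -LLL ... > dump.ldif`, then `audit(open("dump.ldif").read())`) to see which entries would trip the same limit and which attributes are responsible; the restricted-size column is what a login would transfer if the search named only the attributes it needs.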