LDAP broke after patching

Greetings... My first post here...
I am facing an issue on an x86 Solaris server running on VMware. We have to install the latest patch cluster. I took a snapshot (on the VMware side), so we have a backup copy. Downloaded and installed the latest patch cluster. Post patching, I am not able to log in on the server with any non-root user (LDAP user). Since this server is not in support, I cannot expect Oracle's help on this. I am not sure which patch broke the authentication mechanism.
In the second attempt, I restored the snapshot and this time I commented out the "possible culprit" patches in patch_order, as below

cat 10_x86_Recommended.README | egrep -i "tls|pam|ssl|java|ldap"
120100-08
148072-19
151913-09
121212-02
122471-03
138767-01
141105-04
144910-03
147674-11
148050-04
148694-01
150120-04
150546-02
151915-07
152078-51
152079-51
152098-41
152099-41
152101-31

I applied the patch cluster and it again ended up in the same state.

From /var/adm/messages :-
May 19 14:02:46 ngtdr-zonemgr2-data ldap_cachemgr[221]: [ID 293258 daemon.warning] libsldap: Status: 91  Mesg: openConnection: simple bind failed - Can't connect to the LDAP server
May 19 14:02:46 ngtdr-zonemgr2-data ldap_cachemgr[221]: [ID 293258 daemon.warning] libsldap: Status: 91  Mesg: openConnection: simple bind failed - Can't connect to the LDAP server
May 19 14:02:46 ngtdr-zonemgr2-data ldap_cachemgr[221]: [ID 545954 daemon.error] libsldap: makeConnection: failed to open connection to npsec-est-wks1.acme.com
May 19 14:02:46 ngtdr-zonemgr2-data ldap_cachemgr[221]: [ID 545954 daemon.error] libsldap: makeConnection: failed to open connection to npsec-wst-wks1.acme.com

-bash-3.2# ldapclient list
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= cn=ngtdr-zonemgr2,ou=Hosts,dc=pre,dc=acme,dc=com
NS_LDAP_BINDPASSWD= {NS1}a1a2a3a4a5a6a7a8a9a10a11a11
NS_LDAP_SEARCH_BASEDN= dc=pre,dc=acme,dc=com
NS_LDAP_AUTH= tls:simple
NS_LDAP_SEARCH_REF= TRUE
NS_LDAP_SEARCH_SCOPE= one
NS_LDAP_SEARCH_TIME= 30
NS_LDAP_SERVER_PREF= npsec-wst-wks1.acme.com, npsec-est-wks1.acme.com
NS_LDAP_CACHETTL= 43200
NS_LDAP_PROFILE= ngtdr-zonemgr2
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= group:ou=Group,?one?
NS_LDAP_SERVICE_SEARCH_DESC= shadow:ou=People,?one?
NS_LDAP_SERVICE_SEARCH_DESC= netgroup:ou=netgroup,?one?
NS_LDAP_SERVICE_SEARCH_DESC= sudoers:ou=sudoers,?one?
NS_LDAP_SERVICE_SEARCH_DESC= user_attr:ou=People,?one?
NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=People,?one?isMemberOf=cn=ngtdr-zonemgr2,ou=hosts,dc=pre,dc=acme,dc=com
NS_LDAP_BIND_TIME= 10
-bash-3.2# ldaplist
ldaplist: Object not found (Session error no available conn.
)
-bash-3.2#

I am not able to figure out which patch is creating this problem so that I can exclude it. Can somebody help me with this troubleshooting?

Thanks in advance

Not a direct answer to your question,

Perhaps after the client upgrade, an SSL/TLS protocol version that was previously being used to communicate with the server became obsolete, so it is forced to use a newer protocol.

  • Perhaps the server does not speak the newer protocol, or
  • The server certificate is not installed for the newer protocol.
  • The client needs to update to a newer root certificate.

Just a few loose thoughts.

Which Solaris version is it?

This documentation from Oracle for Solaris 5.10 says (further down the page) that the X86 patch number is 150378.

https://getupdates.oracle.com/readme/README.150377-05

Patch README: 150378-04

It is the Solaris 10 x86 version. To avoid installing those packages, I commented out the patches below.

cat 10_x86_Recommended.README | egrep -i "tls|pam|ssl|java|ldap"

But it seems they are not the culprit. It is some other patch(es) that is making these changes. I tried checking ssh too. 148105-23 is part of the patch cluster, but was never installed. It has already been on the server for a long time, so it was skipped.

-bash-3.2# cat /var/tmp/10_x86_Recommended/10_x86_Recommended.README | grep ssh
148105-23  Obsoleted by: 148105-24 SunOS 5.10_x86: last, ssh/sshd patch
-bash-3.2# ls -l /var/sadm/patch/ | grep 148105
drwxr-xr-x   2 root     root           6 Aug 20  2014 148105-11
-bash-3.2#

150378 is not part of the patch cluster.
I am trying to find from the README which other patches could be the culprit. I am also assuming that it is not a direct patch, but maybe some patch is modifying a library (such as pam), which is breaking it.
-----------------------------------------------------------------------------
It's solved. It was the 119214-33 patch that created this issue. If somebody can guide me on what the issue could have been, it would be good learning.

-bash-3.2# cat /var/tmp/10_x86_Recommended/10_x86_Recommended.README | grep 119214-33
119214-33  NSS_NSPR_JSS 3.21_x86: NSPR 4.11 / NSS 3.21 / JSS 4.3.2
-bash-3.2#
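
Added example, not part of the thread and not written by any poster: one way to check the protocol-version and certificate hypotheses raised in the reply is to ask each LDAP server what it offers per TLS version with `openssl s_client`. It assumes LDAPS on port 636, an openssl build that knows the `-tls1*` flags, and a POSIX awk; `PORT`, `CAFILE` and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: LDAPS on port 636, a POSIX
# awk (nawk or /usr/xpg4/bin/awk on Solaris), an openssl that knows the flags.
PORT=${PORT:-636}      # hypothetical knob: LDAPS port
CAFILE=${CAFILE:-}     # hypothetical knob: PEM file with the CA the client trusts

# Read `openssl s_client` output on stdin and print a one-line verdict.
classify_handshake() {
    awk '
        /[Uu]nknown option/    { unsup = 1 }
        /Cipher is \(NONE\)/   { none = 1 }
        /^ *Protocol *:/       { proto = $NF }
        /^ *Cipher *: /        { cipher = $NF }
        /Verify return code:/  { sub(/^.*Verify return code: */, ""); verify = $0 }
        END {
            # The local openssl does not know this protocol flag at all.
            if (unsup) { print "FLAG_UNSUPPORTED"; exit }
            # No cipher negotiated: the server refused this protocol version.
            if (none || proto == "" || cipher == "0000") { print "NO_HANDSHAKE"; exit }
            # Handshake worked but the chain did not verify (code 0 means ok).
            if (verify !~ /^0 /) {
                print "CERT_PROBLEM " proto " " cipher " [" verify "]"; exit
            }
            print "OK " proto " " cipher
        }'
}

# $1 = LDAP server name; prints one verdict line per protocol version tried.
probe_server() {
    for flag in -tls1 -tls1_1 -tls1_2; do
        out=$(openssl s_client -connect "$1:$PORT" "$flag" \
              ${CAFILE:+-CAfile "$CAFILE"} </dev/null 2>&1)
        printf '%s %-8s %s\n' "$1" "$flag" \
            "$(printf '%s\n' "$out" | classify_handshake)"
    done
}

# Probe every server named on the command line, e.g. the two hosts that
# appear in NS_LDAP_SERVER_PREF above.
if [ "$#" -gt 0 ]; then
    for host in "$@"; do probe_server "$host"; done
fi
```

The verdicts describe what the server side offers; they still have to be compared with what the patched client's TLS library is willing to accept.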