Bug ID 860349: Upgrading from previous versions to 14.1 or creating a new configuration with user-template, which involves the usage of white-space character, will result in failed authentication

Last Modified: Jan 19, 2020

Bug Tracker

Affected Product:  See more info
BIG-IP TMOS(all modules)

Known Affected Versions:
14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.4, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 15.0.0, 15.0.1, 15.0.1.1, 15.1.0

Opened: Dec 12, 2019
Severity: 2-Critical

Symptoms

After upgrading BIG-IP to 14.1 the LDAP/AD remote authentication will fail . The /var/log/secure will show : /secure: Dec 6 15:27:44 hostname err httpd[9402]: pam_ldap(httpd:auth): error opening connection to nslcd: No such file or directory Dec 6 15:27:44 hostname notice httpd[9402]: pam_ldap(httpd:auth): auth server unavailable, trying fallback Dec 6 15:27:44 hostname warning httpd[9402]: pam_unix(httpd:auth): check pass; user unknown Dec 6 15:27:44 hostname notice httpd[9402]: pam_unix(httpd:auth): authentication failure; logname= uid=48 euid=48 tty= ruser= rhost=192.168.227.145 /var/log/daemon.log will show ; /daemon: Dec 6 15:29:40 hostname notice systemd[1]: nslcd.service: main process exited, code=exited, status=1/FAILURE Dec 6 15:29:40 hostname notice systemd[1]: Unit nslcd.service entered failed state. Dec 6 15:29:40 hostname warning systemd[1]: nslcd.service failed. Dec 6 15:35:47 hostname notice systemd[1]: nslcd.service: main process exited, code=exited, status=1/FAILURE Dec 6 15:35:47 hostname notice systemd[1]: Unit nslcd.service entered failed state. Dec 6 15:35:47 hostname warning systemd[1]: nslcd.service failed. > Dec 06 15:35:47 hostname systemd[1]: Started Naming services LDAP client daemon.. > Dec 06 15:35:47 hostname systemd[1]: Starting Naming services LDAP client daemon.... > Dec 06 15:35:47 hostname nslcd[8050]: nslcd: /etc/nslcd.conf:15: usertemplate: too may arguments > ===================== > This is the hint that user-template is at fault

Impact

LDAP/nslcd process failed with "error opening connection to nslcd" when user-template includes white spaces.

Conditions

LDAP/nslcd config , remote authentication , user-template used The values within user-template include white spaces : example: uid=%s,CN=my home,OU=Generic Users,OU=good Users,OU=users,DC=users,DC=org

Workaround

Replace the white-space character with underscore "_" in the user-template if possible, or remove the user-template and restart nslcd daemon

Fix Information

None

Behavior Change