Empty password string (ITS#423)
Full_Name: Lim Swee Tat
Version: 1.2.8
OS: Solaris
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (203.116.61.132)
Hi,
I noticed the following error.

I did a batch job to update the LDAP server with some RDBMS data once in a while.

The result was that once, some of the entries probably cocked up. The userpassword field now contains "{CRYPT}". There is no other string attached. The usual userpassword field contains "{CRYPT}afl;kj!@fslkjf". (Dun try to decrypt this, it's just random keys.... 8) ).

What happened was that a user was able to log in to the system with no credentials whatsoever.
In case you were wondering, my acl is as follows:
********************************************************
defaultaccess none
## objectClass
access to attr=objectclass
by self read
by * search
# entry
access to attr=entry
by self read
by dn=".*,ou=PEOPLE,o=NCS,c=SG" read
by * read
## uid
access to attr=uid
by self read
by dn=".*,ou=PEOPLE,o=NCS,c=SG" read
by * search
## mail
access to attr=mail
by self write
by dn=".*,ou=PEOPLE,o=NCS,c=SG" read
by * search
## userpassword
access to attr=userpassword
by dn="uid=DIRADMIN,ou=PEOPLE,o=NCS,c=SG" write
by self write
by * none
*********************************************
I've tried to change the value of "by * read" to "by * search" for the attr entry, but some of the systems relying on the ldap for authentication just fail. This ACL works... That is, a valid user with a valid password is able to authenticate to the system without a problem. Invalid passwords get rejected. Yet, for this rather unusual case, the invalid passwords do not even get rejected.
Hope there's a solution.
Ciao
ST Lim
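A check for the failure mode described in the report, added here as an example (it is not part of the report or of OpenLDAP): a small Python audit that walks an LDIF export and flags every userPassword value that carries a scheme tag such as {CRYPT} with nothing after it, so entries damaged by a batch import can be locked or regenerated before anyone can bind to them. The LDIF sample and the DNs in it are constructed.

```python
import base64
import re

# Constructed LDIF sample modelled on the report: one well-formed {CRYPT}
# value, one scheme-only "{CRYPT}" value (the failure the report describes),
# and one base64-encoded value (LDIF "::" syntax) that is also scheme-only.
SAMPLE_LDIF = """\
dn: uid=alice,ou=PEOPLE,o=NCS,c=SG
userpassword: {CRYPT}afl;kj!@fslkjf

dn: uid=bob,ou=PEOPLE,o=NCS,c=SG
userpassword: {CRYPT}

dn: uid=carol,ou=PEOPLE,o=NCS,c=SG
userpassword:: e0NSWVBUfQ==
"""

# RFC 2307 style "{SCHEME}hash" value: group 1 is the scheme, group 2 the hash
SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}(.*)$", re.S)


def parse_ldif_passwords(text):
    """Yield (dn, decoded userPassword value) for each entry in the LDIF text.
    Handles both LDIF attribute forms, 'attr: value' and 'attr:: base64'."""
    # LDIF continues a long value on the next line with a leading space; fold it
    text = re.sub(r"\n ", "", text)
    for block in text.strip().split("\n\n"):
        dn, pw = None, None
        for line in block.splitlines():
            if line.lower().startswith("dn:"):
                dn = line[3:].strip()
            elif line.lower().startswith("userpassword::"):
                pw = base64.b64decode(line.split("::", 1)[1].strip()).decode()
            elif line.lower().startswith("userpassword:"):
                pw = line.split(":", 1)[1].strip()
        if dn is not None and pw is not None:
            yield dn, pw


def find_empty_hashes(text):
    """Return the DNs whose userPassword has a scheme tag but no hash body.
    Such an entry cannot verify a real password and must be treated as broken."""
    bad = []
    for dn, pw in parse_ldif_passwords(text):
        m = SCHEME_RE.match(pw)
        if m and m.group(2) == "":
            bad.append(dn)
    return bad


if __name__ == "__main__":
    for dn in find_empty_hashes(SAMPLE_LDIF):
        print("empty password hash:", dn)
```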