[Date Prev][Date Next] [Chronological] [Thread] [Top]

ldap_bind_st() call

To: openldap-devel@openldap.org
Subject: ldap_bind_st() call
From: Thomas Egerer <thomas.egerer@secunet.com>
Date: Fri, 24 Jun 2011 10:29:47 +0200
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.16) Gecko/20110307 Icedove/3.0.11

Hello *,

I am currently dealing with a problem in a third-party application
using openldap to retrieve CRLs. We are evaluating this piece of
software for possible vulnerabilities. One of the risk arises from
a possible DoS-attack involving the aforementioned CRL-retrieval.
Our scenario involves an attacker being able to hijack the LDAP-
server delivering the CRLs and replacing the actual LDAP-application
by a hand-crafted one which accepts connection attempts on port 389
and then does nothing. As a result the application being evaluated
is rendered unusable stalling forever while trying to download the
CRL.
The reason for this behavior is the function call
ldap_simple_bind_s() being used to connect to the server. While we
are able to control the actual tcp connect and the retrieval of the
CRL using LDAP_OPT_NETWORK_TIMEOUT and LDAP_OPT_TIMEOUT, there
seems no option to use something like a ldap_bind_st()- function.

A mailinglist-entry back from 2002 suggested the implementation
of a custom ldap_bind_st()-function, which I did using ldap_bind()
and ldap_result(). Yet, me efforts were in vain as I could not
retrieve the ld_error-member from LDAP-structure since it's an
opaque struct. I finally ended up with a custom function which
essentially does what I want, but I cannot figure out if it's due
to a bind-timeout or some other reason since ldap_result()
returns -1 on failure and 0 otherwise, not the actual error code.
Bottom line is, I'm back where I started: wondering why there is
no such a function in openldap *and* if is there any chance
getting the one that I wrote -- it's added below -- upstream. I
know that ldap_bind_s is deprecated in favour of ldap_sasl_bind_s
which I could also extend by a ldap_sasl_bind_st function, but I
do not want to put any more effort in something being deemed to
fail from the start.
To sum it up: any chance to get this upstream?

Cheers

Thomas

diff --git a/include/ldap.h b/include/ldap.h
index 3f0c1c4..dc3a48c 100644
--- a/include/ldap.h
+++ b/include/ldap.h
@@ -1270,6 +1270,15 @@ ldap_bind_s LDAP_P((     /* deprecated, use ldap_sasl_bind_s */
        LDAP_CONST char *cred,
        int authmethod ));

+LDAP_F( int )
+ldap_bind_st LDAP_P((
+       LDAP *ld,
+       LDAP_CONST char *who,
+       LDAP_CONST char *cred,
+       int authmethod,
+       struct timeval *timeout,
+       LDAPMessage **result ));
+
 /*
  * in sbind.c:
  */
diff --git a/libraries/libldap/bind.c b/libraries/libldap/bind.c
index 875bd69..303ead1 100644
--- a/libraries/libldap/bind.c
+++ b/libraries/libldap/bind.c
@@ -125,3 +125,32 @@ ldap_bind_s(
                return( ld->ld_errno = LDAP_AUTH_UNKNOWN );
        }
 }
+
+int ldap_bind_st(
+       LDAP *ld,
+       LDAP_CONST char *dn,
+       LDAP_CONST char *passwd,
+       int authmethod,
+       struct timeval *timeout,
+       LDAPMessage **res )
+{
+       int msgid;
+
+       *res = NULL;
+
+       Debug( LDAP_DEBUG_TRACE, "ldap_bind_st\n", 0, 0, 0 );
+
+       if ( (msgid = ldap_bind( ld, dn, passwd, authmethod )) == -1 )
+               return( ld->ld_errno );
+
+       if ( ldap_result( ld, msgid, LDAP_MSG_ALL, timeout, res ) == -1 || !*res )
+               return( ld->ld_errno );
+
+       if ( ld->ld_errno == LDAP_TIMEOUT ) {
+               (void) ldap_abandon( ld, msgid );
+               ld->ld_errno = LDAP_TIMEOUT;
+               return( ld->ld_errno );
+       }
+
+       return( ldap_result2error( ld, *res, 0 ) );
+}

Follow-Ups:
- Re: ldap_bind_st() call
  - From: Howard Chu <hyc@symas.com>

Prev by Date: Re: RE24 testing call #2 (2.4.26)
Next by Date: Re: RE24 testing call #2 (2.4.26)
Index(es):
- Chronological
- Thread