432 – Kerberos double binding creates no bindings

Issue 432 - Kerberos double binding creates no bindings

Summary: Kerberos double binding creates no bindings

Status:	VERIFIED FIXED

Alias:	None

Product:	OpenLDAP
Classification:	Unclassified
Component:	slapd (show other issues)
Version:	unspecified
Hardware:	All All

Importance:	--- normal
Target Milestone:	---
Assignee:	OpenLDAP project

URL:
Keywords:

Depends on:
Blocks:

Reported:	2000-01-27 18:17 UTC by Mark Adamson
Modified:	2014-08-01 21:06 UTC (History)
CC List:	0 users

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this issue.

Description Mark Adamson 2000-01-27 18:17:21 UTC

Hello all.

  I am working on getting OpenLDAP 2.0 working for the CMU campus
here. I CVS downloaded the source in early December and have it
compiled and running on my desktop machine.

  I am working on getting Kerberos authentication working, and ran
into what I'd have to call a bug. It has to do with a client such as
ldapsearch uses ldap_kerberos_bind_s() and how the server binds your
DN using do_bind().

  When a client uses ldap_kerberos_bind_s() it first binds with an
authmethod LDAP_AUTH_KRBV41 (the "ldapserver" ticket), and then again
with LDAP_AUTH_KRBV42 (the "x500dsa" ticket). On the server, in the
function 

	servers/slapd/back-ldbm/bind.c
	ldbm_back_bind()

the first bind does all of the leg work of checking the krbName and
returns 0 to the calling function

	servers/slapd/bind.c
	do_bind()

The second bind on the server simply sends a SUCCESS message back to
the client and returns a non-zero code back to do_bind(), with the
comment "stop front end from sending result". 

  When do_bind() was called, it first cleared any previous bindings and
then if the backend bind returns 0 it will store the requested DN in
the connection.

  The bug is that the second (LDAP_AUTH_KRBV42) binding in
ldbm_back_bind() always returns a non-zero code to do_bind(), so the
DN binding from the first binding was erased and not stored the second 
time. The result is a connection that has NO binding: you are
unauthenticated. 


  I am curious as to why the second binding wants to send the SUCCESS
message itself and return !0, instead of returning 0 and letting
do_bind() return SUCCESS (and set the DN binding).


-Mark Adamson
 adamson@cmu.edu


PS  My first day of reading/posting to this group. Pardon any
inproprieties.

Comment 1 Kurt Zeilenga 2000-01-27 20:29:01 UTC

At 06:17 PM 1/27/00 GMT, adamson@andrew.cmu.edu wrote:
>  When a client uses ldap_kerberos_bind_s() it first binds with an
>authmethod LDAP_AUTH_KRBV41 (the "ldapserver" ticket), and then again
>with LDAP_AUTH_KRBV42 (the "x500dsa" ticket). On the server, in the
>function 

The current protocol specs require the server to forget any
existing LDAP authorization upon receipt of a bind request.

This runs counter to the implementation of ldap_kerberos_bind_s()
which submits to independent bind requests.  To provide backwards
compatibility, the server (do_bind) needs to be modified to handle
DSA bind such the server doesn't forget the prior authorization.

>  I am curious as to why the second binding wants to send the SUCCESS
>message itself and return !0, instead of returning 0 and letting
>do_bind() return SUCCESS (and set the DN binding).

Because this would allow anyone to bind as anything.  The success
of the second bind should restore the previous "forgotten"
authorization.

Comment 2 Kurt Zeilenga 2000-02-08 15:16:35 UTC

changed notes
changed state Open to Feedback

Comment 3 Kurt Zeilenga 2000-03-14 10:12:22 UTC

changed state Feedback to Closed

Comment 4 OpenLDAP project 2014-08-01 21:06:09 UTC

See ITS#443 for additional information.