Software Bugs/6607
Notes: already fixed in HEAD (related to ITS#6475); fixed in RE24
Date: Wed, 28 Jul 2010 00:22:03 +0000
From: mbackes@symas.com
To: openldap-its@OpenLDAP.org
Subject: forwarded bind failure messages cause success
Full_Name: Matthew Backes
Version: RE24
OS:
URL:
Submission from: (NULL) (76.88.107.46)

As noted in

http://www.openldap.org/lists/openldap-technical/201004/msg00247.html

setting up a chain overlay on the frontend and then configuring ppolicy with ppolicy_forward_updates causes BIND operations with invalid credentials to return success, apparently from the result of the chain operation.

This is independent of the value of chain-return-error.

WHOAMI reports anonymous after these "successful" BINDs with invalid passwords, so there is no security compromise within the directory itself; however, this has (as noted in the above email) catastrophic results for external apps trying to authenticate with BIND.
Date: Wed, 28 Jul 2010 13:08:11 -0700
From: Howard Chu <hyc@symas.com>
To: mbackes@symas.com
CC: openldap-its@openldap.org
Subject: Re: (ITS#6607) forwarded bind failure messages cause success
mbackes@symas.com wrote:
> Full_Name: Matthew Backes
> Version: RE24
> OS:
> URL:
> Submission from: (NULL) (76.88.107.46)
>
>
> As noted in
>
> http://www.openldap.org/lists/openldap-technical/201004/msg00247.html
>
> setting up a chain overlay on the frontend and then configuring ppolicy with
> ppolicy_forward_updates causes BIND operations with invalid credentials to
> return success, apparently from the result of the chain operation.
>
> This is independent of the value of chain-return-error.
>
> WHOAMI reports anonymous after these "successful" BINDs with invalid passwords,
> so there is no security compromise within the directory itself, however this has
> (as noted in the above email) catastrophic results for external apps trying to
> authenticate with BIND.
>

This was already fixed in HEAD by back-ldap/chain.c rev 1.77 (apparently fixed for unrelated reasons).

--
Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
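The report above describes a consumer where a chained, ppolicy-forwarded BIND with a wrong password returns success while WHOAMI still says "anonymous". The following is an added example, not code from ITS#6607 or from the OpenLDAP project: a client-side check that refuses to treat a BIND as authentication until the server confirms the bound identity, plus the shape of the consumer configuration the report describes. It assumes the OpenLDAP client tools (ldapwhoami) are installed and that ldapwhoami prints "anonymous" for an empty authzId and "dn:<DN>" otherwise; the URIs, DNs, password and the slapd.conf fragment are placeholders, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from ITS#6607 or the OpenLDAP project): do not trust a
# BIND result code on its own; cross-check the identity the server reports.

# Classify one authentication attempt from the ldapwhoami exit status, its
# output, and the DN we tried to bind as.  DNs are compared case-insensitively;
# fuller DN normalisation is out of scope here.
# Prints one of: ok, anon-after-success, bind-failed, unexpected-identity.
classify_whoami() {
    rc=$1
    out=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    want=$(printf 'dn:%s' "$3" | tr '[:upper:]' '[:lower:]')

    if [ "$rc" -ne 0 ]; then
        echo bind-failed            # BIND was rejected: the normal failure path
        return 0
    fi
    case "$out" in
        anonymous)  echo anon-after-success ;;   # the symptom the report describes
        "$want")    echo ok ;;
        *)          echo unexpected-identity ;;
    esac
}

# Bind with the supplied credentials, then ask the server who we are.
# Returns 0 only when BIND succeeded AND the server reports the expected DN.
verify_bind() {
    uri=$1; dn=$2; pw=$3
    out=$(ldapwhoami -x -H "$uri" -D "$dn" -w "$pw" 2>/dev/null)
    rc=$?
    verdict=$(classify_whoami "$rc" "$out" "$dn")
    echo "$verdict"
    [ "$verdict" = ok ]
}

# Consumer configuration of the kind the report describes: chain on the
# frontend, ppolicy forwarding updates to the provider.  Assumed slapd.conf
# fragment with placeholder names; printed here for reference, not applied.
print_repro_config() {
    cat <<'EOF'
database frontend
overlay chain
chain-uri "ldap://master.example.com/"
chain-return-error TRUE

database hdb
suffix "dc=example,dc=com"
updateref "ldap://master.example.com/"
overlay ppolicy
ppolicy_default "cn=default,ou=policies,dc=example,dc=com"
ppolicy_forward_updates
EOF
}

# Usage against a live consumer: a wrong password must never yield "ok".
# verify_bind ldap://consumer.example.com/ uid=alice,dc=example,dc=com wrong-password
```

An application that only inspects the BIND result code accepts the session in the buggy configuration; the WHOAMI round trip turns that into a detectable "anon-after-success" verdict, which is the same observation the reporter used to confirm the directory itself was not compromised.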
© Copyright 2013, OpenLDAP Foundation, info@OpenLDAP.org