Issue 6607 - forwarded bind failure messages cause success
Summary: forwarded bind failure messages cause success
Status: VERIFIED FIXED
Alias: None
Product: OpenLDAP
Classification: Unclassified
Component: slapd
Version: unspecified
Hardware: All
OS: All
Importance: --- normal
Target Milestone: ---
Assignee: OpenLDAP project
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2010-07-28 00:22 UTC by ebackes@symas.com
Modified: 2014-08-01 21:04 UTC

See Also:


Description ebackes@symas.com 2010-07-28 00:22:03 UTC
Full_Name: Matthew Backes
Version: RE24
OS: 
URL: 
Submission from: (NULL) (76.88.107.46)


As noted in

    http://www.openldap.org/lists/openldap-technical/201004/msg00247.html

setting up a chain overlay on the frontend and then configuring ppolicy with
ppolicy_forward_updates causes BIND operations with invalid credentials to
return success, apparently from the result of the chain operation.

This is independent of the value of chain-return-error.

WHOAMI reports anonymous after these "successful" BINDs with invalid passwords,
so there is no security compromise within the directory itself; however, this has
(as noted in the above email) catastrophic results for external apps trying to
authenticate with BIND.
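The setup the report describes, written out as an added example so the affected combination can be recognised and tested for. This is not configuration from the report or from the OpenLDAP project; the host names, suffix, DNs, directory path and credentials are placeholders.

```conf
# slapd.conf fragment reproducing the ITS#6607 setup (added example;
# provider.example.com, dc=example,dc=com, the DNs and the passwords
# are placeholders, not values from the report).

# Chain overlay on the frontend: referrals returned by the local database
# are followed by slapd itself instead of being handed back to the client.
database        frontend
overlay         chain
chain-uri       "ldap://provider.example.com/"
chain-idassert-bind bindmethod=simple
        binddn="cn=chainproxy,dc=example,dc=com"
        credentials="placeholder-secret"
        mode=self
# The report states the false BIND success occurs regardless of this value.
chain-return-error TRUE

# Consumer holding a replica of the data; write requests are referred
# to the provider, and the chain overlay above follows that referral.
database        hdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
directory       /var/lib/ldap
updateref       ldap://provider.example.com/
syncrepl        rid=001
        provider=ldap://provider.example.com/
        type=refreshAndPersist
        searchbase="dc=example,dc=com"
        bindmethod=simple
        binddn="cn=replicator,dc=example,dc=com"
        credentials="placeholder-secret"

# ppolicy on the consumer. ppolicy_forward_updates makes the overlay send
# its own state changes from BIND operations (for example pwdFailureTime
# after a failed bind) to the provider instead of writing them locally,
# and on this consumer that update travels through the chain overlay.
# The report attributes the spurious BIND success to the result of that
# chained operation overriding the real BIND result.
overlay         ppolicy
ppolicy_default "cn=default,ou=policies,dc=example,dc=com"
ppolicy_forward_updates
```

To check whether a deployment with this combination is affected, bind to the consumer with a password that is known to be wrong and look at both the result code and the identity, for example with `ldapwhoami -x -H ldap://consumer.example.com/ -D "uid=alice,ou=people,dc=example,dc=com" -w wrong-password` (placeholder host and DN). A fixed server rejects the bind with `ldap_bind: Invalid credentials (49)`; an affected server reports success and then prints `anonymous`, which is exactly the symptom the report describes. An application that authenticates users by simple BIND gets no protection from this check unless it performs it itself, so the remedy is to run a release carrying the back-ldap/chain.c fix referenced in the comments below rather than to rely on client-side workarounds.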
Comment 1 Howard Chu 2010-07-28 13:09:05 UTC
changed notes
changed state Open to Test
moved from Incoming to Software Bugs
Comment 2 Howard Chu 2010-07-28 20:08:11 UTC
mbackes@symas.com wrote:
> Full_Name: Matthew Backes
> Version: RE24
> OS:
> URL:
> Submission from: (NULL) (76.88.107.46)
>
>
> As noted in
>
>      http://www.openldap.org/lists/openldap-technical/201004/msg00247.html
>
> setting up a chain overlay on the frontend and then configuring ppolicy with
> ppolicy_forward_updates causes BIND operations with invalid credentials to
> return success, apparently from the result of the chain operation.
>
> This is independent of the value of chain-return-error.
>
> WHOAMI reports anonymous after these "successful" BINDs with invalid passwords,
> so there is no security compromise within the directory itself; however, this has
> (as noted in the above email) catastrophic results for external apps trying to
> authenticate with BIND.
>
>
This was already fixed in HEAD by back-ldap/chain.c rev 1.77 (apparently fixed 
for unrelated reasons).

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/

Comment 3 ando@openldap.org 2011-01-08 10:32:29 UTC
changed notes
Comment 4 Quanah Gibson-Mount 2011-01-10 12:37:24 UTC
changed notes
changed state Test to Release
Comment 5 Quanah Gibson-Mount 2011-02-14 12:29:11 UTC
changed notes
changed state Release to Closed
Comment 6 OpenLDAP project 2014-08-01 21:04:30 UTC
already fixed in HEAD (related to ITS#6475)
fixed in RE24