
Re: bind with meta backend (ITS#2968)



> Selon Pierangelo Masarati <ando@sys-net.it>:
>
>>
>> > Full_Name: Raphael Ouazana
>> > Version: 2.2.5
>> > OS: Linux
>> > URL: ftp://ftp.openldap.org/incoming/
>> > Submission from: (NULL) (194.98.7.155)
>> >
>> >
>> > When I do a bind operation with a bad password, I get Success as
>> > result
>> > code, instead of Invalid credentials.
>> > I think the error is in back-meta/bind.c : there is a call to
>> > ldap_sasl_bind instead of ldap_sasl_bind_s in function
>> > dgcp_back_do_single_bind.
>> > In OpenLDAP 2.1.26, the call was ldap_bind_s, not ldap_bind.
>>
>> The solution is not that easy.  I agree the code
>> is partially screwed up; a call to get the result
>> of the asynchronous ldap_sasl_bind was plainly
>> eaten up at some point.  I'll fix it.  Thanks.
>
> I'm sorry, but I don't understand why this solution doesn't fix the
> problem. A call to get the result of ldap_sasl_bind is exactly what
> ldap_sasl_bind_s does, isn't it?
> I tested this fix and it seems to work well.

As I said, I agree that the code is screwed
and it needs to be fixed; I do not agree a
synchronous call is the best thing to do.

What's missing there is a call to ldap_result
right after the ldap_sasl_bind; I guess it was
unintentionally cut at some point.  Check the
totally equivalent code in back-ldap as an
example.

>
> Moreover I think this can be an important security issue: if an
> application tries to authenticate through a meta directory, it always
> gets Success. So anybody can authenticate with any password on this
> application.

Again: it needs to be fixed.  I'll do it ASAP.

p.

-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it