[Date Prev][Date Next]
Re: bind with meta backend (ITS#2968)
> Selon Pierangelo Masarati <email@example.com>:
>> > Full_Name: Raphael Ouazana
>> > Version: 2.2.5
>> > OS: Linux
>> > URL: ftp://ftp.openldap.org/incoming/
>> > Submission from: (NULL) (220.127.116.11)
>> > When I do a bind operation with a bad password, I get Success as
>> > code, instead of Invalid credentials.
>> > I think the error is in back-meta/bind.c : there is a call to
>> > ldap_sasl_bind instead of ldap_sasl_bind_s in function
>> > dgcp_back_do_single_bind.
>> > In OpenLDAP 2.1.26, the call was ldap_bind_s, not ldap_bind.
>> The solution is not that easy. I agree the code
>> is partially screwed up; a call to get the result
>> of the asynchronous ldap_sasl_bind was plainly
>> eaten up at some point. I'll fix it. Thanks.
> I'm sorry, but I don't understand why this solution doesn't fix the
> problem. A call to get the result of ldap_sasl_bind is exactly what does
> ldap_sasl_bind_s, isn't it ?
> I tested this fix and it seems to work well.
As I said, I agree that the code is screwed
and it needs to be fixed; I do not agree a
synchronous call is the best thing to do.
What's missing there is a gall to ldap_result
right after the ldap_sasl_bind; I guess it was
unintendedly cut at some point. Check the
totally equivalent code in back-ldap as an
> Moreother I think this can be an important security issue : if an
> application tries to authenticate through a meta directory, it always
> gets Success. So anybody can authenticate with any password on this
Again: it needs to be fixed. I'll do it ASAP.