[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#6607) forwarded bind failure messages cause success

mbackes@symas.com wrote:
> Full_Name: Matthew Backes
> Version: RE24
> OS:
> URL:
> Submission from: (NULL) (
> As noted in
>      http://www.openldap.org/lists/openldap-technical/201004/msg00247.html
> setting up a chain overlay on the frontend and then configuring ppolicy with
> ppolicy_forward_updates causes BIND operations with invalid credentials to
> return success, apparently from the result of the chain operation.
> This is independent of the value of chain-return-error.
> WHOAMI reports anonymous after these "successful" BINDs with invalid passwords,
> so there is no security compromise within the directory itself, however this has
> (as noted in the above email) catastrophic results for external apps trying to
> authenticate with BIND.
This was already fixed in HEAD by back-ldap/chain.c rev 1.77 (apparently fixed 
for unrelated reasons).

   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/