Re: (ITS#6607) forwarded bind failure messages cause success
- To: openldap-its@OpenLDAP.org
- Subject: Re: (ITS#6607) forwarded bind failure messages cause success
- From: firstname.lastname@example.org
- Date: Wed, 28 Jul 2010 20:08:54 GMT
- Auto-submitted: auto-generated (OpenLDAP-ITS)
> Full_Name: Matthew Backes
> Version: RE24
> Submission from: (NULL) (220.127.116.11)
> As noted in
> setting up a chain overlay on the frontend and then configuring ppolicy with
> ppolicy_forward_updates causes BIND operations with invalid credentials to
> return success, apparently from the result of the chain operation.
> This is independent of the value of chain-return-error.
> WHOAMI reports anonymous after these "successful" BINDs with invalid passwords,
> so there is no security compromise within the directory itself; however, this has
> (as noted in the above email) catastrophic results for external apps trying to
> authenticate with BIND.
This was already fixed in HEAD by back-ldap/chain.c rev 1.77 (apparently fixed
for unrelated reasons).
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
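
The report notes that WHOAMI shows anonymous after the bogus "successful" BIND, which gives applications that authenticate with BIND a client-side cross-check. The sketch below is an added example, not part of the original message or of OpenLDAP; `conn`, `simple_bind`, `whoami` and `FakeConn` are hypothetical names, the sample server is constructed, and the expected identity is assumed to equal the bind DN.

```python
LDAP_SUCCESS = 0            # RFC 4511 resultCode "success"
INVALID_CREDENTIALS = 49    # RFC 4511 resultCode "invalidCredentials"

def normalize_dn(dn):
    # Simplified comparison form: trim spaces around RDN separators, case-fold.
    # Assumption: no escaped commas; a real client should use its library's DN parser.
    return ",".join(part.strip() for part in dn.split(",")).casefold()

def authz_dn(authzid):
    # RFC 4532 Who Am I returns "dn:<DN>", "u:<userid>", or an empty value for anonymous.
    if authzid and authzid[:3] == "dn:":
        return normalize_dn(authzid[3:])
    return None

def verified_bind(conn, user_dn, password):
    """True only if the bind reported success AND the session is bound as user_dn.
    `conn` is a hypothetical wrapper exposing simple_bind() -> result code
    and whoami() -> authzId string."""
    if not password:  # empty password is an unauthenticated bind (RFC 4513, 5.1.2)
        return False
    if conn.simple_bind(user_dn, password) != LDAP_SUCCESS:
        return False
    return authz_dn(conn.whoami()) == normalize_dn(user_dn)

class FakeConn:
    # Constructed stand-in for a server. buggy=True mimics the behaviour in this
    # report: success for a wrong password while the session stays anonymous.
    def __init__(self, dn, pw, buggy=False):
        self.dn, self.pw, self.buggy, self.bound = dn, pw, buggy, ""
    def simple_bind(self, dn, pw):
        ok = (dn == self.dn and pw == self.pw)
        self.bound = "dn:" + dn if ok else ""
        return LDAP_SUCCESS if (ok or self.buggy) else INVALID_CREDENTIALS
    def whoami(self):
        return self.bound

def demo():
    dn = "uid=alice,ou=people,dc=example,dc=com"
    buggy = FakeConn(dn, "correct", buggy=True)
    return {
        "naive_wrong_pw": buggy.simple_bind(dn, "wrong") == LDAP_SUCCESS,
        "verified_wrong_pw": verified_bind(buggy, dn, "wrong"),
        "verified_right_pw": verified_bind(buggy, dn, "correct"),
    }

if __name__ == "__main__":
    print(demo())
```
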