
internal sasl auxprop plugin used by default

First of all, I wrote this mail to OpenLDAP-software too.
Sorry for the crosspost, but my question wasn't answered and
I think this is really a security-related problem.

The problem is that all SASL auxprop plugins
(and because of it the slapd external SASL plugin too)
seem to be used by slapd if the auxprop_plugin SASL option is not set.
(This seems to be a SASL misbehaviour.)

Because of it, if you have a valid sasl-regexp which maps a SASL id to
a valid DN, then if you use an auxprop-based mech, you can authenticate
to that DN with the DN's userPassword attribute as the password, as it is.

e.g: ldapsearch -U sample -Y DIGEST-MD5 -ZZ userPassword

and you can use password hashes as passwords,
which is much worse.

I think it would be nice if, without the auxprop_plugin option,
only the sasldb plugin or none of them were used by slapd.

P.S.: Sorry for my broken English.