internal sasl auxprop plugin used by default
First of all, I wrote this mail to OpenLDAP-software too.
Sorry for the crosspost, but my question wasn't answered and
I think this is really a security-related problem.
The problem is that all SASL auxprop plugins
(and because of that, the slapd external SASL plugin too)
seem to be used by slapd if the auxprop_plugin SASL option is not set.
(This seems to be SASL misbehavior.)
Because of this, if you have a valid sasl-regexp which maps a SASL ID to
a valid DN, then if you use an auxprop-based mech, you can authenticate
to that DN with the DN's userPassword attribute as the password, as it is.
e.g.: ldapsearch -U sample -Y DIGEST-MD5 -ZZ userPassword
and you can use password hashes as the password.
I think it would be nice if, without the auxprop_plugin option,
only the sasldb plugin or none of them were used by slapd.
P.S.: Sorry for my broken English.
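
A configuration check for the condition described in the message above, added here as an example (not part of the original post and not OpenLDAP code): it flags a Cyrus SASL config for slapd that leaves auxprop_plugin unset while slapd.conf carries an ID-to-DN mapping rule and an auxprop-based mechanism is offered. The function names, the sample configs and the non-exhaustive list of auxprop-based mechanisms are assumptions.

```python
import re

# Mechanisms that fetch the shared secret through auxprop (assumed, non-exhaustive).
AUXPROP_MECHS = {"DIGEST-MD5", "CRAM-MD5"}

def parse_sasl_conf(text):
    """Parse Cyrus SASL 'option: value' lines, skipping blanks and # comments."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        opts[key.strip().lower()] = value.strip()
    return opts

def id_mapping_rules(slapd_text):
    """Return the sasl-regexp / authz-regexp directives found in slapd.conf text."""
    return [l.strip() for l in slapd_text.splitlines()
            if re.match(r"(sasl-regexp|authz-regexp)\s", l, re.I)]

def audit(sasl_text, slapd_text):
    """Return findings for the condition described in the post."""
    opts = parse_sasl_conf(sasl_text)
    findings = []
    if opts.get("auxprop_plugin"):
        return findings  # the plugin list is pinned explicitly
    findings.append("auxprop_plugin is not set")
    mechs = opts.get("mech_list")
    offered = set(mechs.upper().split()) if mechs else None  # None: no restriction
    exposed = AUXPROP_MECHS if offered is None else AUXPROP_MECHS & offered
    rules = id_mapping_rules(slapd_text)
    if rules and exposed:
        findings.append("%d id-to-DN rule(s) reachable via %s"
                        % (len(rules), ", ".join(sorted(exposed))))
    return findings

# Constructed sample configs (not from the post).
SLAPD_CONF = """\
database bdb
suffix "dc=example,dc=com"
sasl-regexp uid=(.*),cn=DIGEST-MD5,cn=auth uid=$1,ou=people,dc=example,dc=com
"""
SASL_UNSET = "mech_list: DIGEST-MD5 EXTERNAL\n"
SASL_PINNED = "mech_list: DIGEST-MD5 EXTERNAL\nauxprop_plugin: sasldb\n"

if __name__ == "__main__":
    for name, conf in (("unset", SASL_UNSET), ("pinned", SASL_PINNED)):
        print(name, audit(conf, SLAPD_CONF))
```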