Full_Name: Ondrej Kuznik
Version: re24/master
OS: any
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (82.10.24.68)

Playing around with proxyauthz control, it looks like being a rootdn of a database (any DB) the identity can then assume any other without restriction. This is a problem when the admin delegates rootdn privileges but wants to retain control over cn=config. Not a common use case, luckily.

Not sure yet whether the conditions to get that happen are even more relaxed than that. This is even when olcAuthzPolicy == none.

There seem to be two different ways to reproduce:
- bind as a rootdn for a db, then e.g. ldapsearch -e '!authzid=dn:cn=config' -b cn=config
- SASL bind as a rootdn but provide -X dn:cn=config

Might be we're not doing the authz check from the point of view of the target DB? Don't know what would need to be done with glued DBs though.
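As an added illustration (not slapd code, nor the submitter's), the following Python model contrasts the behaviour the report describes with an authorization check made from the target database's point of view, which is useful for reasoning about what a regression test should assert; the database layout, the DN normalisation and the policy values are constructed assumptions.

```python
"""Toy model of the proxy-authorization decision from this report (ITS#9038).
Assumptions (not slapd internals): each database has one suffix and one rootdn,
an operation is served by the database whose suffix is the longest match for its
base DN, and olcAuthzPolicy is either "none" (no proxying) or "any".
"""
from dataclasses import dataclass

@dataclass(frozen=True)
class Database:
    suffix: str
    rootdn: str

def normalize(dn):
    """Minimal constructed DN normalisation: lower-case, trim RDN whitespace."""
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))

def select_database(dbs, target_dn):
    """Route target_dn to the database with the longest matching suffix."""
    target, best = normalize(target_dn), None
    for db in dbs:
        suffix = normalize(db.suffix)
        if target == suffix or target.endswith("," + suffix):
            if best is None or len(suffix) > len(normalize(best.suffix)):
                best = db
    return best

def authz_allowed_reported(dbs, authc_dn, target_dn, policy="none"):
    """Behaviour described in the report: the rootdn of ANY database may assume
    any identity, whatever the target and even with olcAuthzPolicy none."""
    if any(normalize(db.rootdn) == normalize(authc_dn) for db in dbs):
        return True
    return policy == "any"

def authz_allowed_per_target(dbs, authc_dn, target_dn, policy="none"):
    """Check made from the point of view of the target database, as the report
    suggests: only that database's own rootdn bypasses olcAuthzPolicy."""
    db = select_database(dbs, target_dn)
    if db is not None and normalize(db.rootdn) == normalize(authc_dn):
        return True
    return policy == "any"

# Constructed deployment: a delegated data DB plus cn=config kept by the admin.
DBS = (
    Database(suffix="cn=config", rootdn="cn=admin,cn=config"),
    Database(suffix="dc=example,dc=com", rootdn="cn=manager,dc=example,dc=com"),
)
```

With this model, the delegated rootdn of dc=example,dc=com targeting cn=config is allowed under the reported behaviour and refused under the per-target check, while the config database's own rootdn stays allowed in both.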
changed notes moved from Incoming to Software Bugs
changed state Open to Test
changed notes changed state Test to Release
changed notes
published 9038 marked public
Fixed in master
Fixed in RE24 (2.4.48)
CVE-2019-13057
changed notes changed state Release to Closed