
Re: (ITS#6607) forwarded bind failure messages cause success



mbackes@symas.com wrote:
> Full_Name: Matthew Backes
> Version: RE24
> OS:
> URL:
> Submission from: (NULL) (76.88.107.46)
>
>
> As noted in
>
>      http://www.openldap.org/lists/openldap-technical/201004/msg00247.html
>
> setting up a chain overlay on the frontend and then configuring ppolicy with
> ppolicy_forward_updates causes BIND operations with invalid credentials to
> return success, apparently from the result of the chain operation.
>
> This is independent of the value of chain-return-error.
>
> WHOAMI reports anonymous after these "successful" BINDs with invalid passwords,
> so there is no security compromise within the directory itself; however, this has
> (as noted in the above email) catastrophic results for external apps trying to
> authenticate with BIND.
>
>
This was already fixed in HEAD by back-ldap/chain.c rev 1.77 (apparently fixed 
for unrelated reasons).

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/
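
Added example, not part of the original messages and not OpenLDAP code: a client-side guard for applications that authenticate users with BIND, which accepts a login only when a follow-up Who Am I? (RFC 4532) confirms the session is bound as the requested DN. It goes beyond the reported case by also refusing empty passwords (unauthenticated bind); the `conn` interface (`simple_bind`, `whoami`), `StubServer` and the sample user are hypothetical and constructed for illustration.

```python
# Added example: guard for apps that treat a successful LDAP BIND as a login.
# `conn` is a hypothetical minimal interface (an assumption, not a real library):
#   simple_bind(dn, pw) -> LDAP result code
#   whoami()            -> authzId string per RFC 4532 ("" means anonymous)

LDAP_SUCCESS = 0
LDAP_INVALID_CREDENTIALS = 49


def _norm_dn(dn):
    # Simplified DN comparison (case-fold, trim spaces around RDN separators);
    # not a full RFC 4514 normalizer.
    return ",".join(part.strip().lower() for part in dn.split(","))


def authenticate(conn, bind_dn, password):
    """Return True only if the server confirms the session is bound as bind_dn."""
    if not bind_dn or not password:
        # DN + empty password is an "unauthenticated bind" (RFC 4513 5.1.2):
        # it can return success while leaving the session anonymous.
        return False
    if conn.simple_bind(bind_dn, password) != LDAP_SUCCESS:
        return False
    authzid = conn.whoami()
    if not authzid.startswith("dn:"):
        return False  # empty authzId = anonymous, the symptom in this report
    return _norm_dn(authzid[3:]) == _norm_dn(bind_dn)


class StubServer:
    """Constructed stand-in for a directory; buggy=True mimics the report."""

    def __init__(self, users, buggy=False):
        self.users, self.buggy, self.bound = users, buggy, ""

    def simple_bind(self, dn, pw):
        ok = self.users.get(_norm_dn(dn)) == pw
        self.bound = "dn:" + _norm_dn(dn) if ok else ""
        if ok or self.buggy:
            return LDAP_SUCCESS  # buggy: a failed bind is reported as success
        return LDAP_INVALID_CREDENTIALS

    def whoami(self):
        return self.bound


USERS = {"uid=alice,dc=example,dc=com": "correct-horse"}  # constructed sample data
```

The extra round trip costs one extended operation per login and also catches any other path that leaves the connection anonymous after a nominally successful bind.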