[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: (ITS#6607) forwarded bind failure messages cause success
- To: openldap-its@OpenLDAP.org
- Subject: Re: (ITS#6607) forwarded bind failure messages cause success
- From: hyc@symas.com
- Date: Wed, 28 Jul 2010 20:08:54 GMT
- Auto-submitted: auto-generated (OpenLDAP-ITS)
mbackes@symas.com wrote:
> Full_Name: Matthew Backes
> Version: RE24
> OS:
> URL:
> Submission from: (NULL) (76.88.107.46)
>
>
> As noted in
>
> http://www.openldap.org/lists/openldap-technical/201004/msg00247.html
>
> setting up a chain overlay on the frontend and then configuring ppolicy with
> ppolicy_forward_updates causes BIND operations with invalid credentials to
> return success, apparently from the result of the chain operation.
>
> This is independent of the value of chain-return-error.
>
> WHOAMI reports anonymous after these "successful" BINDs with invalid passwords,
> so there is no security compromise within the directory itself, however this has
> (as noted in the above email) catastrophic results for external apps trying to
> authenticate with BIND.
>
>
This was already fixed in HEAD by back-ldap/chain.c rev 1.77 (apparently fixed
for unrelated reasons).
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/