mbackes(a)symas.com wrote:
Full_Name: Matthew Backes
Version: RE24
OS:
URL:
Submission from: (NULL) (76.88.107.46)
As noted in
http://www.openldap.org/lists/openldap-technical/201004/msg00247.html
setting up a chain overlay on the frontend and then configuring ppolicy with
ppolicy_forward_updates causes BIND operations with invalid credentials to
return success, apparently from the result of the chain operation.
This is independent of the value of chain-return-error.
WHOAMI reports anonymous after these "successful" BINDs with invalid
passwords, so there is no security compromise within the directory itself;
however, this has (as noted in the above email) catastrophic results for
external apps trying to authenticate with BIND.
This was already fixed in HEAD by back-ldap/chain.c rev 1.77 (apparently fixed
for unrelated reasons).
--
-- Howard Chu
CTO, Symas Corp.
http://www.symas.com
Director, Highland Sun
http://highlandsun.com/hyc/
Chief Architect, OpenLDAP
http://www.openldap.org/project/
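The following is an added example, not part of the ITS thread above and not OpenLDAP project code. It is the health check a deployer would run after enabling the chain overlay together with ppolicy_forward_updates: bind with a deliberately wrong password and confirm slapd answers invalidCredentials (LDAP result 49, which the OpenLDAP client tools pass through as their exit status). A BIND that returns success while ldapwhoami then reports "anonymous" is exactly the misbehaviour described in the report, and the check does not depend on chain-return-error. The server URI, bind DN and password are assumptions.

```shell
#!/bin/sh
# Added example (not from the ITS report): verify that a BIND with a wrong
# password is rejected, rather than "succeeding" as an anonymous session.
# LDAP_URI, BIND_DN and WRONG_PW are assumed values for illustration.

LDAP_URI="${LDAP_URI:-ldap://localhost:389}"           # assumed consumer URI
BIND_DN="${BIND_DN:-cn=healthcheck,dc=example,dc=com}"  # assumed test DN
WRONG_PW="definitely-not-the-password"                  # intentionally wrong

# classify_bind_result EXITCODE WHOAMI_OUTPUT
# Pure function (no network) so the decision logic can be checked with
# constructed inputs. Prints one of: OK, BROKEN, UNEXPECTED.
classify_bind_result() {
    rc="$1"
    out="$2"
    if [ "$rc" -eq 49 ]; then
        # invalidCredentials: the correct answer to a wrong password
        echo OK
    elif [ "$rc" -eq 0 ] && [ "$out" = "anonymous" ]; then
        # BIND "succeeded" but the session is anonymous: the chain +
        # ppolicy_forward_updates failure mode from this report
        echo BROKEN
    else
        # e.g. server unreachable (exit 255), tool missing (127), or a
        # success with a real authzid, which a wrong password must never give
        echo UNEXPECTED
    fi
}

# run_check: perform the live bind attempt against the server.
# ldapwhoami exits with the LDAP result code and prints the authzid
# ("anonymous" for an unauthenticated session) on success.
run_check() {
    out=$(ldapwhoami -x -H "$LDAP_URI" -D "$BIND_DN" -w "$WRONG_PW" 2>/dev/null)
    rc=$?
    verdict=$(classify_bind_result "$rc" "$out")
    echo "bind rc=$rc whoami='$out' -> $verdict"
    [ "$verdict" = OK ]
}

# Only contact the server when explicitly asked, e.g.:  sh check_bind.sh --run
case "${1:-}" in
    --run) run_check || exit 1 ;;
esac
```

Run it with `--run` against the consumer that carries the chain overlay; anything other than OK means wrong passwords are not being refused and applications authenticating via BIND against that server cannot be trusted until back-ldap/chain.c carrying the fix is deployed.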