Full_Name: Matthew Backes
Submission from: (NULL) (18.104.22.168)
As noted in
setting up a chain overlay on the frontend and then configuring ppolicy with
ppolicy_forward_updates causes BIND operations with invalid credentials to
return success, apparently from the result of the chain operation.
This is independent of the value of chain-return-error.
WHOAMI reports anonymous after these "successful" BINDs with invalid
so there is no security compromise within the directory itself, however this has
(as noted in the above email) catastrophic results for external apps trying to
authenticate with BIND.
This was already fixed in HEAD by back-ldap/chain.c rev 1.77 (apparently fixed
for unrelated reasons).
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/