https://bugs.openldap.org/show_bug.cgi?id=9468
Issue ID: 9468 Summary: slapd-ldap does anonymous bind even if rebind-as-user is set Product: OpenLDAP Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Severity: normal Priority: --- Component: backends Assignee: bugs@openldap.org Reporter: tero.saarni@est.tech Target Milestone: ---
When back-ldap retries bind operation after connection retry, it will do it as anonymous even if rebind-as-user is set to yes.
Expected behavior is that (re)bind is done with user's credentials from the initial bind operation.
I observed following (Warning: I might have understood details of the code incorrectly):
When rebind-as-user is set and bind operation from client is processed, proxy will copy the credentials to ldapconn_t representing the remote LDAP connection. When remote LDAP connection is closed (e.g. by the proxy itself due to timeout), the bind credentials information is lost when freeing the old ldapconn_t. At this point, client still holds the connection to proxy and is unaware of the remote connection being lost. Proxy then re-establishes the connection and "synthetically" generates new bind itself, but since it does not have the credentials stored in memory anymore, it sends anonymous bind on behalf of the client.
As a side effect, slapd currently crashes if remote server does not allow anonymous bind and responds with InvalidCredentials instead. The crash is due to assert(), which is handled in separate issue https://bugs.openldap.org/show_bug.cgi?id=9288
https://bugs.openldap.org/show_bug.cgi?id=9468
--- Comment #1 from tero.saarni@est.tech --- Mege request with proposed test case and code change https://git.openldap.org/openldap/openldap/-/merge_requests/273
Here is a notice of origin and rights statement for the patch in the merge request:
The attached patch file is derived from OpenLDAP Software. All of the modifications to OpenLDAP Software represented in the following patch(es) were developed by Tero Saarni tero.saarni@est.tech. I have not assigned rights and/or interest in this work to any party.
Ericsson Software Technology AB hereby place the following modifications to OpenLDAP Software (and only these modifications) into the public domain. Hence, these modifications may be freely used and/or redistributed for any purpose with or without attribution and/or other notice.
https://bugs.openldap.org/show_bug.cgi?id=9468
Quanah Gibson-Mount quanah@openldap.org changed:
What |Removed |Added ---------------------------------------------------------------------------- Keywords| |needs_review
https://bugs.openldap.org/show_bug.cgi?id=9468
Quanah Gibson-Mount quanah@openldap.org changed:
What |Removed |Added ---------------------------------------------------------------------------- Keywords|needs_review | Target Milestone|--- |2.5.4 Assignee|bugs@openldap.org |hyc@openldap.org
https://bugs.openldap.org/show_bug.cgi?id=9468
Quanah Gibson-Mount quanah@openldap.org changed:
What |Removed |Added ---------------------------------------------------------------------------- Target Milestone|2.5.4 |2.6.0
https://bugs.openldap.org/show_bug.cgi?id=9468
Quanah Gibson-Mount quanah@openldap.org changed:
What |Removed |Added ---------------------------------------------------------------------------- Status|UNCONFIRMED |RESOLVED Resolution|--- |TEST
--- Comment #2 from Quanah Gibson-Mount quanah@openldap.org --- Commits: • 6b55a3ba by Tero Saarni at 2021-05-11T15:05:50+00:00 ITS#9468 Added test case for proxy re-binding anonymously
• 97217da5 by Tero Saarni at 2021-05-11T15:05:50+00:00 ITS#9468 back-ldap: Return disconect if rebind cannot be done
• b1226f56 by Tero Saarni at 2021-05-11T15:05:50+00:00 ITS#9468 removed accidental unicode characters
• de6c9390 by Tero Saarni at 2021-05-11T15:05:50+00:00 ITS#9468 documented that re-connecting does not happen after idle-timeout or conn-ttl
• 06ed7871 by Tero Saarni at 2021-05-11T15:05:50+00:00 ITS#9468 summarize discussion about rebind-as-user
• 255a3746 by Tero Saarni at 2021-05-11T15:05:50+00:00 ITS#9468 fixed typos
https://bugs.openldap.org/show_bug.cgi?id=9468
Quanah Gibson-Mount quanah@openldap.org changed:
What |Removed |Added ---------------------------------------------------------------------------- Ever confirmed|0 |1 Status|RESOLVED |CONFIRMED Resolution|TEST |---
--- Comment #3 from Quanah Gibson-Mount quanah@openldap.org --- Current commit causes issues
https://bugs.openldap.org/show_bug.cgi?id=9468
Howard Chu hyc@openldap.org changed:
What |Removed |Added ---------------------------------------------------------------------------- Status|CONFIRMED |IN_PROGRESS
https://bugs.openldap.org/show_bug.cgi?id=9468
Quanah Gibson-Mount quanah@openldap.org changed:
What |Removed |Added ---------------------------------------------------------------------------- Status|IN_PROGRESS |RESOLVED Resolution|--- |TEST
--- Comment #4 from Quanah Gibson-Mount quanah@openldap.org ---
Commits: • 2f880087 by Howard Chu at 2021-06-08T15:41:40+00:00 ITS#9468 always init lc_time and lc_create_time
https://bugs.openldap.org/show_bug.cgi?id=9468
Quanah Gibson-Mount quanah@openldap.org changed:
What |Removed |Added ---------------------------------------------------------------------------- See Also| |https://bugs.openldap.org/s | |how_bug.cgi?id=8008
https://bugs.openldap.org/show_bug.cgi?id=9468
Quanah Gibson-Mount quanah@openldap.org changed:
What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |VERIFIED
https://bugs.openldap.org/show_bug.cgi?id=9468
Quanah Gibson-Mount quanah@openldap.org changed:
What |Removed |Added ---------------------------------------------------------------------------- Resolution|TEST |FIXED
https://bugs.openldap.org/show_bug.cgi?id=9468
--- Comment #5 from Quanah Gibson-Mount quanah@openldap.org --- head:
• b9173d30 by Quanah Gibson-Mount at 2022-06-30T20:24:50+00:00 ITS#9468 - Fix script logic
RE26:
• 8c970e33 by Quanah Gibson-Mount at 2022-06-30T20:38:13+00:00 ITS#9468 - Fix script logic
-
openldap-its@openldap.org