Re: ldap group bug

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]


Dmitry Melekhov wrote:

This bug exists in 2.1.26 , and, I guess , in previous versions.

Problem is that after user is authentificated with ldap bind , ldap
connection for checking user in group ( lak_group_member function )
is made with this user's bind, not bind parameters from config file.
User can not ( and have not in our case- I don't know why , but this is
not real problem ) have access to ldap groups.
And so, authentication is always fail.

I added unbind and anonymous bind ( enough in our case):

You have a major flaw in your directory server's access control configuration, if it has granted anonymous binds more privileges than authenticated binds.

No proper security system would ever do such a thing. Fix your access control configuration. This patch is wrong.

/var/local/files/sasl/cyrus-sasl-2.1.26/saslauthd# diff -ur lak.c.orig
--- lak.c.orig    2013-06-07 09:15:20.098788278 +0400
+++ lak.c    2013-06-07 09:22:31.504774185 +0400
@@ -1342,6 +1342,10 @@
           if (rc != LAK_OK)
               goto done;

+        lak_unbind (lak );
+        rc  = lak_bind(lak, "");
           rc = ldap_search_st(lak->ld, group_search_base,
lak->conf->group_scope, group_filter, (char **) group_attrs, 0,
&(lak->conf->timeout), &res);
           switch (rc) {
               case LDAP_SUCCESS:

but, it is obvoius that rebind should be done with credintials from
config, but this is over my head :-(

Could you, please, fix this bug correctly?

Thank you!

  -- Howard Chu
  CTO, Symas Corp. 
  Director, Highland Sun
  Chief Architect, OpenLDAP

[Index of Archives]     [Info Cyrus]     [Squirrel Mail]     [Linux Media]     [Yosemite News]     [gtk]     [KDE]     [Gimp on Windows]     [Steve's Art]

  Powered by Linux