Re: ldap group bug

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]


07.06.2013 20:19, Howard Chu пишет:
Dmitry Melekhov wrote:

This bug exists in 2.1.26 , and, I guess , in previous versions.

Problem is that after user is authentificated with ldap bind , ldap
connection for checking user in group ( lak_group_member function )
is made with this user's bind, not bind parameters from config file.
User can not ( and have not in our case- I don't know why , but this is
not real problem ) have access to ldap groups.
And so, authentication is always fail.

I added unbind and anonymous bind ( enough in our case):

You have a major flaw in your directory server's access control configuration, if it has granted anonymous binds more privileges than authenticated binds.

This is not flaw :-) This is just minor misconfiguration and nothing more- really there is no impact on any real application.
And, really. this is not my ldap server :-)
But , anyway, this has no relation with real bug.

No proper security system would ever do such a thing. Fix your access control configuration. This patch is wrong.

I never said my patch is right, it just demonstrates where problem is.
This is why I'm asking for right solution, i.e. access for groups info with login from saslauthd config. Let's assume there is no access for authentificated user to groups info, but there is access info in saslauthd config file which has.
So , I think, this have to be fixed.
Could you write right patch , which will do rebind not anonymously, but with right access from config? :-)
Thank you!

/var/local/files/sasl/cyrus-sasl-2.1.26/saslauthd# diff -ur lak.c.orig
--- lak.c.orig 2013-06-07 09:15:20.098788278 +0400
+++ lak.c 2013-06-07 09:22:31.504774185 +0400
@@ -1342,6 +1342,10 @@
if (rc != LAK_OK)
goto done;

+ lak_unbind (lak );
+ rc = lak_bind(lak, "");
rc = ldap_search_st(lak->ld, group_search_base,
lak->conf->group_scope, group_filter, (char **) group_attrs, 0,
&(lak->conf->timeout), &res);
switch (rc) {

but, it is obvoius that rebind should be done with credintials from
config, but this is over my head :-(

Could you, please, fix this bug correctly?

Thank you!

[Index of Archives]     [Info Cyrus]     [Squirrel Mail]     [Linux Media]     [Yosemite News]     [gtk]     [KDE]     [Gimp on Windows]     [Steve's Art]

  Powered by Linux