07.06.2013 20:19, Howard Chu пишет:
Dmitry Melekhov wrote:
Hello!
This bug exists in 2.1.26 , and, I guess , in previous versions.
Problem is that after user is authentificated with ldap bind , ldap
connection for checking user in group ( lak_group_member function )
is made with this user's bind, not bind parameters from config file.
User can not ( and have not in our case- I don't know why , but this is
not real problem ) have access to ldap groups.
And so, authentication is always fail.
I added unbind and anonymous bind ( enough in our case):
You have a major flaw in your directory server's access control
configuration, if it has granted anonymous binds more privileges than
authenticated binds.
This is not flaw :-) This is just minor misconfiguration and nothing
more- really there is no impact on any real application.
And, really. this is not my ldap server :-)
But , anyway, this has no relation with real bug.
No proper security system would ever do such a thing. Fix your access
control configuration. This patch is wrong.
I never said my patch is right, it just demonstrates where problem is.
This is why I'm asking for right solution, i.e. access for groups info
with login from saslauthd config.
Let's assume there is no access for authentificated user to groups info,
but there is access info in saslauthd config file which has.
So , I think, this have to be fixed.
Could you write right patch , which will do rebind not anonymously, but
with right access from config? :-)
Thank you!
/var/local/files/sasl/cyrus-sasl-2.1.26/saslauthd# diff -ur lak.c.orig
lak.c
--- lak.c.orig 2013-06-07 09:15:20.098788278 +0400
+++ lak.c 2013-06-07 09:22:31.504774185 +0400
@@ -1342,6 +1342,10 @@
if (rc != LAK_OK)
goto done;
+ lak_unbind (lak );
+ rc = lak_bind(lak, "");
+
+
rc = ldap_search_st(lak->ld, group_search_base,
lak->conf->group_scope, group_filter, (char **) group_attrs, 0,
&(lak->conf->timeout), &res);
switch (rc) {
case LDAP_SUCCESS:
but, it is obvoius that rebind should be done with credintials from
config, but this is over my head :-(
Could you, please, fix this bug correctly?
Thank you!
