ldap group bug

Howard Chu hyc at highlandsun.com
Fri Jun 7 12:19:05 EDT 2013


Dmitry Melekhov wrote:
> Hello!
>
> This bug exists in 2.1.26, and, I guess, in previous versions.
>
> Problem is that after the user is authenticated with an LDAP bind, the LDAP
> connection for checking the user in the group (lak_group_member function)
> is made with this user's bind, not the bind parameters from the config file.
> The user cannot (and does not, in our case; I don't know why, but this is
> not the real problem) have access to LDAP groups.
> And so, authentication always fails.
>
> I added an unbind and an anonymous bind (enough in our case):

You have a major flaw in your directory server's access control configuration, 
if it has granted anonymous binds more privileges than authenticated binds.

No proper security system would ever do such a thing. Fix your access control 
configuration. This patch is wrong.

> /var/local/files/sasl/cyrus-sasl-2.1.26/saslauthd# diff -ur lak.c.orig
> lak.c
> --- lak.c.orig    2013-06-07 09:15:20.098788278 +0400
> +++ lak.c    2013-06-07 09:22:31.504774185 +0400
> @@ -1342,6 +1342,10 @@
>            if (rc != LAK_OK)
>                goto done;
>
> +        lak_unbind (lak );
> +        rc  = lak_bind(lak, "");
> +
> +
>            rc = ldap_search_st(lak->ld, group_search_base,
> lak->conf->group_scope, group_filter, (char **) group_attrs, 0,
> &(lak->conf->timeout), &res);
>            switch (rc) {
>                case LDAP_SUCCESS:
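Review bot: the result of the added `rc  = lak_bind(lak, "");` is never checked; the very next statement, `rc = ldap_search_st(...)`, overwrites it, so a failed rebind goes unnoticed and the search is issued on a connection in an unknown state. Mirror the `if (rc != LAK_OK) goto done;` pattern that appears just above the insertion. More fundamentally, as the remark after the patch itself says, the rebind should use the bind credentials from the configuration rather than an anonymous bind: after `lak_unbind (lak );` the session bound as the authenticating user is gone, and the group lookup now depends on anonymous read access to group membership, which is exactly the access-control inversion the reply objects to.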
>
>
> but it is obvious that the rebind should be done with credentials from the
> config, but this is over my head :-(
>
> Could you, please, fix this bug correctly?
>
> Thank you!
>
>


-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/
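The reply's point is that group membership should never be readable by anonymous binds while being hidden from authenticated ones. The following is an added example, not code from the thread or from cyrus-sasl: a small lint that evaluates a subset of OpenLDAP slapd.conf `access to` directives (the server type is an assumption; the thread never names it) and reports attributes where anonymous is granted more data-exposing access than an authenticated user. It models first-match semantics for both the `to` and `by` clauses, treats a `dn`/`filter` qualifier as matching (worst case for the attribute), and handles only bare `anonymous`, `users`, `self` and `*` subjects with plain level names. The two configuration fragments are constructed: one reproduces the inversion described in the thread, the other shows the corrected form where the saslauthd bind DN reads membership and anonymous gets nothing.

```python
"""Lint slapd-style 'access to' directives for the anonymous-over-authenticated
privilege inversion. Constructed example; assumes OpenLDAP slapd.conf syntax."""

# slapd access levels, weakest to strongest (slapd.access(5)); index = rank.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


def rank(level):
    return LEVELS.index(level)


def _logical_lines(text):
    """Join slapd.conf continuation lines (a line starting with whitespace
    continues the previous directive); drop comments and blank lines."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out


def parse_access(text):
    """Return [(attrs, [(who, level), ...]), ...] in directive order.
    attrs is None for '*' (every attribute) or a set from 'attrs=a,b';
    dn/filter qualifiers in the <what> part are ignored (assumed to match)."""
    acls = []
    for line in _logical_lines(text):
        toks = line.split()
        if toks[:2] != ["access", "to"]:
            continue
        by_idx = toks.index("by")
        attrs = None
        for t in toks[2:by_idx]:
            if t.startswith("attrs=") or t.startswith("attr="):
                attrs = set(t.split("=", 1)[1].split(","))
        clauses = []
        rest = toks[by_idx:]
        for i in range(0, len(rest), 3):
            if rest[i] != "by" or i + 2 >= len(rest):
                raise ValueError("malformed by clause: %s" % line)
            who, level = rest[i + 1], rest[i + 2]
            if level not in LEVELS:
                raise ValueError("unsupported level %r in: %s" % (level, line))
            clauses.append((who, level))
        acls.append((attrs, clauses))
    return acls


def effective_level(acls, attr, requester):
    """Level granted to requester ('anonymous', or 'users' for an authenticated
    DN other than the entry itself) on attr: the first directive whose <what>
    covers attr is selected, then its first matching <by> clause wins; with no
    matching clause access is denied (implicit 'by * none')."""
    for attrs, clauses in acls:
        if attrs is not None and attr not in attrs:
            continue
        for who, level in clauses:
            if who == "*" or who == requester:
                return level
        return "none"
    return "none"


def find_inversions(acls, attrs):
    """Report attributes where anonymous gets data-exposing access (compare or
    higher) that exceeds what authenticated users get. The usual
    'by anonymous auth ... by * none' on userPassword is not flagged, because
    'auth' exposes nothing beyond permitting the bind itself."""
    findings = []
    for attr in attrs:
        anon = effective_level(acls, attr, "anonymous")
        auth = effective_level(acls, attr, "users")
        if rank(anon) >= rank("compare") and rank(anon) > rank(auth):
            findings.append((attr, anon, auth))
    return findings


# Constructed fragment reproducing the misconfiguration the reply describes:
# anonymous may read group membership, bound users may not.
SAMPLE_SLAPD_CONF = """\
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
# BAD: anonymous is granted more than authenticated users on membership
access to attrs=member,memberUid
        by anonymous read
        by users none
        by * none
access to *
        by users read
        by * none
"""

# Constructed corrected fragment: any authenticated DN (including the
# saslauthd bind DN) reads membership; anonymous gets nothing.
FIXED_SLAPD_CONF = """\
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
access to attrs=member,memberUid
        by users read
        by * none
access to *
        by users read
        by * none
"""

GROUP_ATTRS = ["member", "memberUid", "uniqueMember"]

if __name__ == "__main__":
    for name, conf in (("sample", SAMPLE_SLAPD_CONF), ("fixed", FIXED_SLAPD_CONF)):
        for attr, anon, auth in find_inversions(parse_access(conf), GROUP_ATTRS):
            print("%s: %s anonymous=%s users=%s" % (name, attr, anon, auth))
```

Run against the sample fragment it reports `member` and `memberUid`; against the fixed fragment it reports nothing. Once the directory grants the configured bind DN read access to membership, the saslauthd group check can run over a connection bound with the configured credentials, which is the fix the patch author asks for instead of the anonymous rebind.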

