When nsslapd-allow-anonymous-access is set to "rootdse", I would expect DS to return only the rootDSE entry to an anonymous user. But it returns any LDAP entry, as if anonymous access were enabled, if the search is done with scope set to BASE. ACIs still apply, so anonymous users would only be able to see data that is explicitly granted anonymous access by an ACI.
Steps to Reproduce:
1. Set nsslapd-allow-anonymous-access in cn=config to "rootdse"
2. Try to get an entry with scope=BASE as an anonymous user
Actual results: Entry is returned
Expected results: Access is rejected.
This issue has been assigned CVE-2013-1897.
Bug description: The actual search base was not being checked at all. There was a check for the search base when this feature was initially implemented, but it was inadvertently removed when changes were made to reduce the DN normalization throughout the source tree (commit f639711).
Fix description: This patch adds the search base check back.
git patch file (master) 0001-Ticket-47308-unintended-information-exposure-when-an.patch
Reviewed by Rich, Noriko and Mark.
Pushed to master: commit 4b2d700
Pushed to 389-ds-base-1.3.0: commit b1feced
Pushed to 389-ds-base-1.2.11: commit 5a18c82
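The reproducer above and the fix description both come down to one decision: in "rootdse" mode, does an anonymous search get past the access switch before ACIs are even consulted? The following is an added Python model of that gate, not 389-ds-base code (the real check is in the server's C search path and its exact shape is not reproduced). The pre-fix branch is modelled from the reporter's observation that any base-scope search was answered; the post-fix branch adds the search-base check the patch restores. The attribute values "on", "off" and "rootdse" and the scope numbers are real; the request list, the DNs under dc=example,dc=com and the function names are constructed for the walkthrough.

```python
"""Model of the anonymous-access gate for LDAP searches (ticket 47308 / CVE-2013-1897).

Added illustration, not code from 389-ds-base. Passing this gate only means the
search proceeds to normal ACI evaluation; it grants no data by itself.
"""

from dataclasses import dataclass

# Real values of the cn=config attribute nsslapd-allow-anonymous-access.
ANON_ON = "on"
ANON_OFF = "off"
ANON_ROOTDSE = "rootdse"

# LDAP search scopes as numbered in RFC 4511.
SCOPE_BASE = 0
SCOPE_ONELEVEL = 1
SCOPE_SUBTREE = 2


@dataclass(frozen=True)
class SearchRequest:
    bind_dn: str   # "" means an unauthenticated (anonymous) connection
    base_dn: str   # "" is the root DSE
    scope: int


def is_anonymous(req: SearchRequest) -> bool:
    return req.bind_dn == ""


def gate_before_fix(mode: str, req: SearchRequest) -> bool:
    """Modelled pre-fix behaviour: the search base is never examined, so in
    'rootdse' mode any base-scope search by an anonymous client is accepted,
    whatever entry it names. (Hypothetical reconstruction from the report.)"""
    if not is_anonymous(req) or mode == ANON_ON:
        return True
    if mode == ANON_OFF:
        return False
    # mode == "rootdse": only the scope is checked -- the bug.
    return req.scope == SCOPE_BASE


def gate_after_fix(mode: str, req: SearchRequest) -> bool:
    """Corrected behaviour: in 'rootdse' mode an anonymous search is accepted
    only when it targets the root DSE itself, i.e. empty base DN AND base scope."""
    if not is_anonymous(req) or mode == ANON_ON:
        return True
    if mode == ANON_OFF:
        return False
    return req.scope == SCOPE_BASE and req.base_dn == ""


def divergent_requests(mode: str, requests):
    """Requests the two gates decide differently: the exposure the fix closes."""
    return [r for r in requests if gate_before_fix(mode, r) != gate_after_fix(mode, r)]


# Constructed sample traffic for the walkthrough.
SAMPLE_REQUESTS = [
    SearchRequest("", "", SCOPE_BASE),                                  # root DSE probe: legitimate
    SearchRequest("", "cn=config", SCOPE_BASE),                         # step 2 of the reproducer
    SearchRequest("", "uid=alice,ou=people,dc=example,dc=com", SCOPE_BASE),
    SearchRequest("", "dc=example,dc=com", SCOPE_SUBTREE),              # rejected before and after
    SearchRequest("cn=Directory Manager", "cn=config", SCOPE_BASE),     # authenticated: unaffected
]

if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        print(f"bind={r.bind_dn or '<anon>'!r:30} base={r.base_dn or '<rootDSE>'!r:45} "
              f"scope={r.scope} before={gate_before_fix(ANON_ROOTDSE, r)} "
              f"after={gate_after_fix(ANON_ROOTDSE, r)}")
    print("exposed by the bug:", len(divergent_requests(ANON_ROOTDSE, SAMPLE_REQUESTS)))
```

Run as a script it prints the per-request decisions under "rootdse" mode; the two base-scope searches against real entries are the ones the pre-fix gate lets through, and the subtree search shows why a scope-only check looked sufficient at a glance.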
Metadata Update from @nhosoi:
- Issue assigned to nhosoi
- Issue set to the milestone: 1.2.11.20
389-ds-base is moving from Pagure to GitHub. This means that new issues and pull requests will be accepted only in 389-ds-base's GitHub repository.
This issue has been cloned to GitHub and is available here:
- https://github.com/389ds/389-ds-base/issues/645
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on the subscribe button.
Thank you for understanding. We apologize for any inconvenience.
Metadata Update from @spichugi:
- Issue close_status updated to: wontfix (was: Fixed)