When nsslapd-allow-anonymous-access is set to "rootdse", I would expect DS to
return only rootDSE entry to anonymous user. But it returns any LDAP entry as
with enabled anonymous access if the search is done with scope set to BASE. ACIs still apply, so anonymous users would only be able to see data that is explicitly granted anonymous access by an ACI.
Steps to Reproduce:
1. Set nsslapd-allow-anonymous-access in cn=config to "rootdse"
2. Try to get an entry with scope=BASE as anonymous user
Entry is returned
Access is rejected.
This issue has been assigned CVE-2013-1897.
Bug description: The actual search base was not being checked
at all. There was a check for the search base when this feature
was initially implemented, but it was inadvertently removed when
changes were made to reduce the DN normalization throughout the
source tree (commit f639711).
Fix description: This patch adds the search base check back.
git patch file (master)
Reviewed by Rich, Noriko and Mark.
Pushed to master: commit 4b2d700
Pushed to 389-ds-base-1.3.0: commit b1feced
Pushed to 389-ds-base-1.2.11: commit 5a18c82
Metadata Update from @nhosoi:
- Issue assigned to nhosoi
- Issue set to the milestone: 22.214.171.124
to comment on this ticket.