When nsslapd-allow-anonymous-access is set to "rootdse", I would expect DS to
return only the rootDSE entry to an anonymous user. But it returns any LDAP entry, as
if anonymous access were enabled, when the search is done with scope set to BASE. ACIs still apply, so anonymous users would only be able to see data that is explicitly granted anonymous access by an ACI.
Steps to Reproduce:
1. Set nsslapd-allow-anonymous-access in cn=config to "rootdse"
2. Try to get an entry with scope=BASE as anonymous user
Actual results: Entry is returned.
Expected results: Access is rejected.
This issue has been assigned CVE-2013-1897.
Bug description: The actual search base was not being checked
at all. There was a check for the search base when this feature
was initially implemented, but it was inadvertently removed when
changes were made to reduce the DN normalization throughout the
source tree (commit f639711).
Fix description: This patch adds the search base check back.
git patch file (master)
Reviewed by Rich, Noriko and Mark.
Pushed to master: commit 4b2d700
Pushed to 389-ds-base-1.3.0: commit b1feced
Pushed to 389-ds-base-1.2.11: commit 5a18c82
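The decision the fix restores, written out as an added example (not 389-ds-base code): the pre-fix logic only looks at the scope, so an anonymous BASE search against any entry passes, while the post-fix logic also requires the base to be the root DSE. Scope constants, the `SearchRequest` shape, the DN normalization and the "off"/"on" handling are simplified assumptions for illustration; ACI evaluation, which still runs afterwards, is out of scope here.

```python
# Added example, not 389-ds-base code: models the access decision described in
# the bug report. Assumed simplified semantics: with
# nsslapd-allow-anonymous-access = "rootdse", an anonymous (empty bind DN)
# search may only target the root DSE (empty base DN, scope BASE).

from dataclasses import dataclass

SCOPE_BASE, SCOPE_ONE, SCOPE_SUB = 0, 1, 2   # LDAP search scope values


@dataclass
class SearchRequest:
    bind_dn: str        # "" means anonymous bind
    base_dn: str        # "" means root DSE
    scope: int


def normalize_dn(dn: str) -> str:
    # Minimal DN normalization for comparison: lowercase, trim each RDN component
    if not dn.strip():
        return ""
    return ",".join(part.strip() for part in dn.lower().split(","))


def allowed_buggy(cfg: str, req: SearchRequest) -> bool:
    """Pre-fix behaviour: the search base is never examined."""
    if req.bind_dn or cfg == "on":
        return True
    if cfg == "rootdse":
        return req.scope == SCOPE_BASE     # any base passes if scope is BASE
    return False                           # cfg == "off": no anonymous access


def allowed_fixed(cfg: str, req: SearchRequest) -> bool:
    """Post-fix behaviour: scope and base must both identify the root DSE."""
    if req.bind_dn or cfg == "on":
        return True
    if cfg == "rootdse":
        return req.scope == SCOPE_BASE and normalize_dn(req.base_dn) == ""
    return False


def regression_cases():
    """(buggy, fixed) results for an anonymous BASE search on a constructed entry."""
    req = SearchRequest("", "uid=alice, ou=People, dc=example,dc=com", SCOPE_BASE)
    return allowed_buggy("rootdse", req), allowed_fixed("rootdse", req)
```

Running `regression_cases()` returns `(True, False)`: the same request that leaked the entry before the fix is rejected afterwards, while an anonymous BASE search with an empty base (the root DSE) is still allowed.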
Metadata Update from @nhosoi:
- Issue assigned to nhosoi
- Issue set to the milestone: 18.104.22.168
389-ds-base is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in 389-ds-base's github repository.
This issue has been cloned to Github and is available here:
If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.
Metadata Update from @spichugi:
- Issue close_status updated to: wontfix (was: Fixed)