#47739 directory server is insecurely misinterpreting authzid on a SASL/GSSAPI bind
Closed: Fixed None Opened 5 years ago by rv3.

The directory server is not correctly handling an authzid parameter when doing a SASL/GSSAPI bind. I can kinit as one user and then use ldapsearch with the "-X" parameter to specify a completely different kerberos principal. The directory server will allow me to bind to the DN that maps to that other kerberos principal even though I don't have that principal's credentials.

I have attached a shell session and the resulting relevant lines from the directory server access log.

shell session, showing the kinit command followed by two ldapsearches

corresponding access log entries showing the bind dns

Reviewed by nkinder@redhat.com (Thank you, Nathan!)

Pushed to master:
9698a97..76acff1 master -> master
commit 76acff1

Pushed to 389-ds-base-1.3.2:
ad4f230..9bc2b46 389-ds-base-1.3.2 -> 389-ds-base-1.3.2
commit 9bc2b46

Pushed to 389-ds-base-1.3.1:
c0c8da7..d2063c8 389-ds-base-1.3.1 -> 389-ds-base-1.3.1
commit d2063c8

Pushed to 389-ds-base-1.2.11:
e0092e3..614d721 389-ds-base-1.2.11 -> 389-ds-base-1.2.11
commit 614d721

Metadata Update from @nhosoi:
- Issue assigned to mreynolds
- Issue set to the milestone:

2 years ago

Login to comment on this ticket.