The directory server is not correctly handling an authzid parameter when doing a SASL/GSSAPI bind. I can kinit as one user and then use ldapsearch with the "-X" parameter to specify a completely different Kerberos principal. The directory server will allow me to bind to the DN that maps to that other Kerberos principal even though I don't have that principal's credentials.
I have attached a shell session and the resulting relevant lines from the directory server access log.
Attachment f1: shell session showing the kinit command followed by two ldapsearches
Attachment f2: corresponding access log entries showing the bind DNs
Attachment: git patch file (master) 0001-Ticket-47739-directory-server-is-insecurely-misinter.patch
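The following is an added illustration of the check at issue in this ticket; it is not 389-ds-base code and does not reproduce the attached patch. It models a SASL/GSSAPI bind in which the authenticated Kerberos principal (the authcid) and the client-supplied authorization identity (the authzid, i.e. the ldapsearch -X value) are resolved separately, and contrasts a bind that trusts the authzid outright with one that only honours it when it names the same entry or an explicitly proxy-authorized target. The principal-to-DN map, uid map and proxy policy table are constructed sample data.

```python
"""Model of authzid handling in a SASL bind (added example, not 389-ds-base code).

The authenticated principal comes from the GSSAPI layer; the authzid is a
client-controlled string in the RFC 4513 forms "u:<uid>" or "dn:<dn>".
"""

# Constructed: Kerberos principal -> directory entry it authenticates as.
PRINCIPAL_TO_DN = {
    "alice@EXAMPLE.COM": "uid=alice,ou=people,dc=example,dc=com",
    "bob@EXAMPLE.COM": "uid=bob,ou=people,dc=example,dc=com",
    "ldapproxy@EXAMPLE.COM": "cn=ldapproxy,ou=services,dc=example,dc=com",
}

# Constructed: uid -> DN, used to resolve the "u:<uid>" authzid form.
UID_TO_DN = {
    "alice": "uid=alice,ou=people,dc=example,dc=com",
    "bob": "uid=bob,ou=people,dc=example,dc=com",
}

# Constructed stand-in for a proxy authorization policy: which bound DNs
# may assume which target DNs. Nothing here is granted to ordinary users.
PROXY_ALLOWED = {
    "cn=ldapproxy,ou=services,dc=example,dc=com": {
        "uid=alice,ou=people,dc=example,dc=com",
        "uid=bob,ou=people,dc=example,dc=com",
    },
}


class BindError(Exception):
    """Raised when the bind must be refused."""


def resolve_authzid(authzid):
    """Map an authorization identity ("u:<uid>" or "dn:<dn>") to a DN.

    Returns None when the identity does not name a known entry.
    """
    if authzid.startswith("u:"):
        return UID_TO_DN.get(authzid[2:])
    if authzid.startswith("dn:"):
        dn = authzid[3:]
        return dn if dn in PRINCIPAL_TO_DN.values() else None
    return None


def bind_insecure(principal, authzid=""):
    """The behaviour the report describes: whatever the authzid maps to wins.

    The authenticated principal is only checked for existence; the DN the
    session ends up bound as is taken entirely from the client-supplied authzid.
    """
    if principal not in PRINCIPAL_TO_DN:
        raise BindError("unknown principal")
    if authzid:
        target = resolve_authzid(authzid)
        if target is None:
            raise BindError("unknown authzid")
        return target
    return PRINCIPAL_TO_DN[principal]


def bind_checked(principal, authzid=""):
    """Hardened form: the authzid is honoured only when it names the entry the
    client already authenticated as, or a target the authenticated entry is
    explicitly permitted to proxy for. Any other authzid fails the bind rather
    than being silently ignored, so the client never ends up acting as an
    identity it did not ask for.
    """
    authc_dn = PRINCIPAL_TO_DN.get(principal)
    if authc_dn is None:
        raise BindError("unknown principal")
    if not authzid:  # RFC 4422: an empty authzid means "same as the authcid"
        return authc_dn
    target = resolve_authzid(authzid)
    if target is None:
        raise BindError("unknown authzid %r" % authzid)
    if target == authc_dn:
        return target
    if target in PROXY_ALLOWED.get(authc_dn, ()):
        return target
    raise BindError("%s is not permitted to assume %s" % (authc_dn, target))


if __name__ == "__main__":
    # The reported scenario: kinit as alice, then `ldapsearch -Y GSSAPI -X u:bob`.
    print("insecure:", bind_insecure("alice@EXAMPLE.COM", "u:bob"))
    try:
        bind_checked("alice@EXAMPLE.COM", "u:bob")
    except BindError as e:
        print("checked :", e)
```

The point worth keeping in mind when reviewing a fix of this kind is that the authzid is an authorization request, not an authentication fact: the server has proof only of the authcid from the GSSAPI exchange, so any authzid that differs from it must be checked against an explicit policy, and when that check fails the bind should be rejected outright rather than downgraded to the authenticated identity.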
Reviewed by nkinder@redhat.com (Thank you, Nathan!)
Pushed to master: 9698a97..76acff1 master -> master commit 76acff1
Pushed to 389-ds-base-1.3.2: ad4f230..9bc2b46 389-ds-base-1.3.2 -> 389-ds-base-1.3.2 commit 9bc2b46
Pushed to 389-ds-base-1.3.1: c0c8da7..d2063c8 389-ds-base-1.3.1 -> 389-ds-base-1.3.1 commit d2063c8
Pushed to 389-ds-base-1.2.11: e0092e3..614d721 389-ds-base-1.2.11 -> 389-ds-base-1.2.11 commit 614d721
Metadata Update from @nhosoi: - Issue assigned to mreynolds - Issue set to the milestone: 1.2.11.26
389-ds-base is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in 389-ds-base's github repository.
This issue has been cloned to Github and is available here: - https://github.com/389ds/389-ds-base/issues/1071
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.
Metadata Update from @spichugi: - Issue close_status updated to: wontfix (was: Fixed)