#47739 directory server is insecurely misinterpreting authzid on a SASL/GSSAPI bind
Status: Closed (wontfix). Opened 6 years ago by rv3.

The directory server is not correctly handling an authzid parameter when doing a SASL/GSSAPI bind. I can kinit as one user and then use ldapsearch with the "-X" parameter to specify a completely different Kerberos principal. The directory server will allow me to bind to the DN that maps to that other Kerberos principal even though I don't have that principal's credentials.

I have attached a shell session and the resulting relevant lines from the directory server access log.

Attachment: shell session, showing the kinit command followed by two ldapsearches

Attachment: corresponding access log entries showing the bind DNs
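The reporter's attachments (the shell session and the access-log lines) are not reproduced on this page. The script below is an added example, not the reporter's session and not 389-ds-base code, that performs the same probe against a server you administer and evaluates the outcome. It uses `ldapwhoami` instead of `ldapsearch` because its output is exactly the identity the server bound you as. The security check it encodes is the one RFC 4422 places on the server: the authenticated identity (authcid, here the Kerberos principal behind your ticket) must be verified as allowed to act as the requested authorization identity (authzid, passed with `-X`); a server that simply adopts the authzid lets any Kerberos user bind as any other mapped principal. Everything about the environment is assumed: the principals `alice` and `bob`, the realm `EXAMPLE.COM`, the URI `ldap://ds.example.com`, and that user entries use `uid=` as the RDN. The `evaluate_whoami` function and the sample `whoami` strings used to exercise it are constructed for this example; the `--run` flag and script name are likewise hypothetical.

```shell
#!/bin/sh
# Added example (not part of the issue): probe whether a directory server grants
# an unverified SASL authzid on a GSSAPI bind.
#
# Assumptions (hypothetical, adjust to your environment):
#   - Principals alice and bob exist in EXAMPLE.COM and map to directory entries
#     whose RDN is uid=<name>; you hold credentials for alice only.
#   - The server at ldap://ds.example.com supports SASL/GSSAPI.
#   - OpenLDAP client tools (ldapwhoami) and kinit are installed.

LDAP_URI="${LDAP_URI:-ldap://ds.example.com}"
AUTHC_USER="${AUTHC_USER:-alice}"   # principal whose ticket we actually hold (authcid)
AUTHZ_USER="${AUTHZ_USER:-bob}"     # identity we merely *request* via -X (authzid)

# Classify one line of ldapwhoami output ("dn:..." or "u:...").
#   $1 authcid (who we authenticated as), $2 authzid (who we asked to be), $3 output
# Returns 0 if the server refused or bound us as the authcid (correct),
#         1 if it bound us as the authzid we never proved (vulnerable),
#         2 if the mapping is something else and needs a human look.
evaluate_whoami() {
    authc="$1"; authz="$2"; whoami="$3"
    case "$whoami" in
        *"uid=$authz,"*|"u:$authz"|"u:$authz@"*)
            return 1 ;;                 # identity granted without its credentials
        *"uid=$authc,"*|"u:$authc"|"u:$authc@"*)
            return 0 ;;                 # authzid ignored or rejected, bound as self
        "")
            return 0 ;;                 # bind failed outright: also correct
        *)
            return 2 ;;                 # unexpected mapping, surface it
    esac
}

probe() {
    # Obtain a ticket for the authc identity only (kinit prompts for the password).
    kinit "$AUTHC_USER" || return 3
    # -Y picks the SASL mechanism, -X sets the authzid, -Q suppresses SASL chatter.
    out=$(ldapwhoami -Q -H "$LDAP_URI" -Y GSSAPI -X "u:$AUTHZ_USER" 2>/dev/null)
    if evaluate_whoami "$AUTHC_USER" "$AUTHZ_USER" "$out"; then rc=0; else rc=$?; fi
    case "$rc" in
        0) echo "OK: '$AUTHZ_USER' not granted to '$AUTHC_USER' (whoami: '${out:-<rejected>}')" ;;
        1) echo "VULNERABLE: bound as '$AUTHZ_USER' using only '$AUTHC_USER' credentials (whoami: '$out')" ;;
        *) echo "UNEXPECTED: whoami returned '$out'" ;;
    esac
    return "$rc"
}

# Only touch the network when invoked as: sh authzid_probe.sh --run
if [ "${1:-}" = "--run" ]; then
    probe
fi
```

Run it once before and once after applying the fix (or after restricting who may proxy as whom); a correctly behaving server either rejects the bind or reports the authcid's DN, and the exit status makes the script usable as a regression check in a test harness.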

Reviewed by nkinder@redhat.com (Thank you, Nathan!)

Pushed to master:
9698a97..76acff1 master -> master
commit 76acff1

Pushed to 389-ds-base-1.3.2:
ad4f230..9bc2b46 389-ds-base-1.3.2 -> 389-ds-base-1.3.2
commit 9bc2b46

Pushed to 389-ds-base-1.3.1:
c0c8da7..d2063c8 389-ds-base-1.3.1 -> 389-ds-base-1.3.1
commit d2063c8

Pushed to 389-ds-base-1.2.11:
e0092e3..614d721 389-ds-base-1.2.11 -> 389-ds-base-1.2.11
commit 614d721

Metadata Update from @nhosoi:
- Issue assigned to mreynolds
- Issue set to the milestone:

3 years ago

389-ds-base is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in 389-ds-base's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/389ds/389-ds-base/issues/1071

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Metadata Update from @spichugi:
- Issue close_status updated to: wontfix (was: Fixed)

6 days ago
