The directory server is not correctly handling an authzid parameter when doing a SASL/GSSAPI bind. I can kinit as one user and then use ldapsearch with the "-X" parameter to specify a completely different Kerberos principal. The directory server will allow me to bind to the DN that maps to that other Kerberos principal even though I don't have that principal's credentials.
I have attached a shell session and the resulting relevant lines from the directory server access log.
shell session, showing the kinit command followed by two ldapsearches
corresponding access log entries showing the bind dns
git patch file (master)
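The check the report is asking for, written as an added illustration rather than code from 389-ds-base: the authorization identity a client requests with `-X` (an RFC 4513 authzid in `dn:` or `u:` form) must resolve to the same entry as the principal that GSSAPI actually authenticated, otherwise the bind is refused. The realm, the principal-to-DN map and the proxy allowlist are constructed assumptions.

```python
# Added example, not 389-ds-base code. Enforces that a SASL authzid may not
# select a different identity than the one proven by the GSSAPI exchange.

REALM = "EXAMPLE.COM"  # constructed realm for the u: form

# Constructed identity map, standing in for the server's SASL mapping rules:
# authenticated Kerberos principal -> entry DN.
PRINCIPAL_TO_DN = {
    "alice@EXAMPLE.COM": "uid=alice,ou=people,dc=example,dc=com",
    "bob@EXAMPLE.COM": "uid=bob,ou=people,dc=example,dc=com",
}

# Hypothetical explicit proxy grants: authenticated DN -> DNs it may assume.
# Empty by default, so the only identity a bind can take is its own.
PROXY_ALLOWED = {}


class AuthzError(Exception):
    """Raised when the requested authorization identity must be refused."""


def normalize_dn(dn):
    # Simplified DN comparison: lower-case and trim each RDN component.
    return ",".join(part.strip().lower() for part in dn.split(","))


def resolve_authzid(authzid):
    """Map an authzid ('dn:<dn>' or 'u:<userid>') to an entry DN, or None."""
    if authzid.startswith("dn:"):
        return authzid[3:]
    if authzid.startswith("u:"):
        userid = authzid[2:]
        principal = userid if "@" in userid else f"{userid}@{REALM}"
        return PRINCIPAL_TO_DN.get(principal)
    raise AuthzError("unsupported authzid form")


def effective_bind_dn(authcid, authzid=None):
    """Return the DN the bind resolves to; authcid is the GSSAPI-proven principal."""
    authc_dn = PRINCIPAL_TO_DN.get(authcid)
    if authc_dn is None:
        raise AuthzError("no entry maps to the authenticated principal")
    if not authzid:
        return authc_dn  # no authzid: bind as the authenticated identity
    requested = resolve_authzid(authzid)
    if requested is None:
        raise AuthzError("authzid does not map to any entry")
    if normalize_dn(requested) == normalize_dn(authc_dn):
        return authc_dn  # same identity, just spelled differently
    grants = {normalize_dn(d) for d in PROXY_ALLOWED.get(authc_dn, ())}
    if normalize_dn(requested) in grants:
        return requested
    raise AuthzError("authzid differs from the authenticated identity; bind refused")
```

A bind that would previously have succeeded as the other principal's DN now fails with `AuthzError`, which is the outcome the access log should show for the second ldapsearch in the report.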
Reviewed by firstname.lastname@example.org (Thank you, Nathan!)
Pushed to master:
9698a97..76acff1 master -> master
Pushed to 389-ds-base-1.3.2:
ad4f230..9bc2b46 389-ds-base-1.3.2 -> 389-ds-base-1.3.2
Pushed to 389-ds-base-1.3.1:
c0c8da7..d2063c8 389-ds-base-1.3.1 -> 389-ds-base-1.3.1
Pushed to 389-ds-base-1.2.11:
e0092e3..614d721 389-ds-base-1.2.11 -> 389-ds-base-1.2.11
Metadata Update from @nhosoi:
- Issue assigned to mreynolds
- Issue set to the milestone: 126.96.36.199
389-ds-base is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in 389-ds-base's github repository.
This issue has been cloned to Github and is available here:
If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.
Metadata Update from @spichugi:
- Issue close_status updated to: wontfix (was: Fixed)