The directory server is not correctly handling an authzid parameter when doing a SASL/GSSAPI bind. I can kinit as one user and then use ldapsearch with the "-X" parameter to specify a completely different Kerberos principal. The directory server will allow me to bind to the DN that maps to that other Kerberos principal even though I don't have that principal's credentials.
I have attached a shell session and the resulting relevant lines from the directory server access log.
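As an added illustration (not from the ticket or from 389-ds-base itself), the check a server should apply to the SASL authorization identity that ldapsearch -X supplies: the authzid is honoured only when it resolves to the authenticated identity's own entry, or when that entry is explicitly allowed to proxy as the requested one. The principal-to-DN map, the proxy table and the single-realm assumption for the u: form are constructed for the example.

```python
# Added example, not code from the ticket or from 389-ds-base.
# Constructed sample data: Kerberos principal -> entry DN, and which
# entries may act on behalf of other DNs (proxy authorization).
PRINCIPAL_TO_DN = {
    "alice@EXAMPLE.COM": "uid=alice,ou=people,dc=example,dc=com",
    "bob@EXAMPLE.COM": "uid=bob,ou=people,dc=example,dc=com",
    "svc/app@EXAMPLE.COM": "cn=app,ou=services,dc=example,dc=com",
}
PROXY_ALLOWED = {
    "cn=app,ou=services,dc=example,dc=com": {
        "uid=bob,ou=people,dc=example,dc=com",
    },
}
REALM = "EXAMPLE.COM"  # assumption: one realm for the u: form


class BindError(Exception):
    """Raised when the bind must be refused."""


def authzid_to_dn(authzid):
    """Resolve an RFC 4513 authzid ('dn:<dn>' or 'u:<user>') to an entry DN."""
    if authzid.startswith("dn:"):
        return authzid[3:].strip().lower()
    if authzid.startswith("u:"):
        principal = authzid[2:].strip() + "@" + REALM
        if principal not in PRINCIPAL_TO_DN:
            raise BindError("unknown user in authzid: " + authzid)
        return PRINCIPAL_TO_DN[principal]
    raise BindError("unrecognised authzid form: " + authzid)


def bind_dn_vulnerable(authcid, authzid):
    """The behaviour the ticket describes: whatever -X names becomes the bind DN."""
    if authzid:
        return authzid_to_dn(authzid)
    return PRINCIPAL_TO_DN[authcid]


def bind_dn_hardened(authcid, authzid):
    """Honour authzid only if it is the authenticated DN or proxying is allowed."""
    if authcid not in PRINCIPAL_TO_DN:
        raise BindError("no entry for authenticated principal " + authcid)
    authc_dn = PRINCIPAL_TO_DN[authcid]
    if not authzid:
        return authc_dn
    authz_dn = authzid_to_dn(authzid)
    if authz_dn == authc_dn or authz_dn in PROXY_ALLOWED.get(authc_dn, set()):
        return authz_dn
    raise BindError("%s may not bind as %s" % (authcid, authz_dn))
```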
shell session, showing the kinit command followed by two ldapsearches
corresponding access log entries showing the bind dns
git patch file (master)
Reviewed by email@example.com (Thank you, Nathan!)
Pushed to master:
9698a97..76acff1 master -> master
Pushed to 389-ds-base-1.3.2:
ad4f230..9bc2b46 389-ds-base-1.3.2 -> 389-ds-base-1.3.2
Pushed to 389-ds-base-1.3.1:
c0c8da7..d2063c8 389-ds-base-1.3.1 -> 389-ds-base-1.3.1
Pushed to 389-ds-base-1.2.11:
e0092e3..614d721 389-ds-base-1.2.11 -> 389-ds-base-1.2.11
Metadata Update from @nhosoi:
- Issue assigned to mreynolds
- Issue set to the milestone: 18.104.22.168