#495 ldap referrals are only ever followed anonymously

Created 7 years ago by nalin
Modified 11 months ago

I see that sssd supports enabling referral support in libldap, but sssd doesn't seem to be registering a rebind callback (with ldap_set_rebind_proc) for libldap to use when it needs to bind to a new server.

If sssd doesn't do that, then referrals to other servers will be done anonymously, which I don't think is going to provide the desired results if sssd has been configured to authenticate to its primary server.

My personal preference would be for sssd to not depend on libldap's ability to chase referrals, but to queue up referral responses itself for following after processing results of the currently-executing search, and handling server binds directly as a part of that. That said, providing a callback may simply be more expedient.

A note of warning: beware of reintroducing CVE-2005-2069 when you're following referrals.

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.4.0

Fields changed

owner: somebody => jhrozek

Raising priority to critical.

This issue is hitting Active Directory users particularly hard, since forests are almost always configured to require authentication for referrals.

priority: major => critical

Fields changed

owner: jhrozek => sbose

Fields changed

priority: critical => blocker

fixed by bfb9e9c

resolution: => fixed
status: new => closed

Fields changed

rhbz: => 0

11 months ago

Metadata Update from @nalin:
- Issue assigned to sbose
- Issue set to the milestone: SSSD 1.5.0

Login to comment on this ticket.