Nope, it's used whenever you have user accounts spread across multiple OUs in a way that prevents easily computing the DN, thus requiring a search to locate the desired object before authentication.
Best regards,
--
Carlos M. Fernández
Sr. Enterprise Systems Admin
Saint Joseph's University
W: 610-660-1501
M: 215-316-1193
E: [email protected]

> On Jan 22, 2015, at 16:49, Chris Cheltenham <[email protected]> wrote:
>
> Isn't "BindLdapAuthenticationHandler" for connection pooling only?
>
> Thank You,
>
> Chris Cheltenham
> SwainTechs / HHS
>
> Cell# 267-586-2369
>
> -----Original Message-----
> From: Paul B. Henson [mailto:[email protected]]
> Sent: Thursday, January 22, 2015 4:41 PM
> To: [email protected]
> Subject: RE: [cas-user] CAS server release v3.5.3
>
>> From: Andrew Morgan
>> Sent: Thursday, January 22, 2015 12:42 PM
>>
>> You aren't affected when you use FastBindLdapAuthenticationHandler.
>
> Thanks for confirming my initial analysis.
>
>> It's hard to call this a vulnerability, which is probably why they
>> didn't release it as such. More like, "here's CAS v3.5.3 which fixes
>> a security related bug."
>
> Well, I woke up a bit late this morning and found an announcement in my inbox
> saying:
>
> "You must notice that there is a security fix for the "LDAP login with
> wildcards" attack (CVE-2015-1169). You must upgrade if you use LDAP
> authentication."
>
> That already has the buzzwords "security fix" and "must upgrade". Then I
> looked up the CVE, which includes the title "allows remote attackers to
> bypass LDAP authentication via crafted wildcards".
>
> How can anybody not reasonably interpret the two of those as "Oh shit my CAS
> servers are Swiss cheese and are going to allow unauthorized access to random
> people" 8-/?
>
> And then it turns out after a panicked investigation that only some LDAP
> configurations are vulnerable (not including mine), and even if vulnerable,
> other than some theoretical issue with confusing a client, there's really not
> much of a security problem going on.
>
> So rather than "MUST UPGRADE NOW!", it's more like "IF you use
> BindLdapAuthenticationHandler, you should probably upgrade soon to avoid
> potential as yet unknown issues".
>
> <sigh>.
>
> --
> Paul B. Henson | (909) 979-6361 | http://www.cpp.edu/~henson/
> Operating Systems and Network Analyst | [email protected]
> California State Polytechnic University | Pomona CA 91768
>
> --
> You are currently subscribed to [email protected] as: [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
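For the search-then-bind flow Carlos describes (locate the user's DN by searching across OUs, then bind as that DN), the two defensive checks a practitioner would want, as an added example in Python that is neither CAS code nor from anyone on this thread: escape the username per RFC 4515 before it enters the search filter, so a wildcard character is matched literally rather than as a pattern, and refuse to bind unless the search returned exactly one entry. The function names and the `uid` attribute are assumptions.

```python
from typing import List, Optional

# RFC 4515 section 3: these characters must be hex-encoded inside a filter
# assertion value, otherwise the directory reads them as filter syntax (a
# bare '*' is a substring wildcard, the character class CVE-2015-1169 concerns).
_RFC4515_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def escape_filter_value(value: str) -> str:
    """Encode an assertion value so it can only match itself, never a pattern."""
    out = []
    for ch in value:
        if ch in _RFC4515_ESCAPES:
            out.append(_RFC4515_ESCAPES[ch])
        elif ord(ch) > 0x7F:
            # Non-ASCII characters are emitted as one \XX escape per UTF-8 byte.
            out.append("".join("\\%02x" % b for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)


def build_user_filter(username: str, attribute: str = "uid") -> str:
    """Filter for the DN lookup step of a search-then-bind handler (hypothetical
    helper; the attribute name is an assumption, in CAS it is configurable)."""
    return "(%s=%s)" % (attribute, escape_filter_value(username))


def has_raw_wildcard(ldap_filter: str) -> bool:
    """Review aid: a filter built from an escaped value contains no literal '*'
    at all, so any asterisk means the value reached the filter unescaped."""
    return "*" in ldap_filter


def select_bind_dn(search_results: List[str]) -> Optional[str]:
    """Second guard, independent of escaping: only bind when the lookup
    resolved to exactly one DN. Zero or several hits both mean 'deny'.
    search_results is the list of DNs the directory returned (constructed
    by the caller in tests)."""
    if len(search_results) != 1:
        return None
    return search_results[0]
```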
