[email protected] wrote:
> Full_Name: Matthew Backes
> Version: RE24
> OS:
> URL:
> Submission from: (NULL) (76.88.107.46)
>
>
> As noted in
>
> http://www.openldap.org/lists/openldap-technical/201004/msg00247.html
>
> setting up a chain overlay on the frontend and then configuring ppolicy with
> ppolicy_forward_updates causes BIND operations with invalid credentials to
> return success, apparently from the result of the chain operation.
>
> This is independent of the value of chain-return-error.
>
> WHOAMI reports anonymous after these "successful" BINDs with invalid
> passwords, so there is no security compromise within the directory itself;
> however, this has (as noted in the above email) catastrophic results for
> external apps trying to authenticate with BIND.

This was already fixed in HEAD by back-ldap/chain.c rev 1.77 (apparently fixed for unrelated reasons).
--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
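As an added example that is not part of this ITS thread or of the OpenLDAP code: a small probe an administrator can run against a test directory to confirm that a BIND with a deliberately wrong password comes back as invalidCredentials (result code 49) rather than success. It uses ldapwhoami from the OpenLDAP client tools, which prints "anonymous" for an unauthenticated session and "dn:..." for an authenticated one, so a success exit paired with "anonymous" output is exactly the symptom reported above. The server URI, bind DN and password are placeholders to be supplied by the caller.

```shell
#!/bin/sh
# Added example (not from the ITS thread). Checks whether a BIND with a
# wrong password is wrongly reported as success while the session stays
# anonymous. Assumes ldapwhoami from the OpenLDAP client tools is installed.

# classify_bind_result EXIT_CODE WHOAMI_OUTPUT
# Turns the exit status and output of `ldapwhoami -x -D DN -w WRONGPASS`
# into a verdict. ldapwhoami exits with the LDAP result code, so 49 means
# invalidCredentials, which is the only acceptable outcome for a bad password.
classify_bind_result() {
    code="$1"
    out="$2"
    case "$code" in
        49) echo "ok-rejected" ;;
        0)
            case "$out" in
                anonymous|"") echo "BUG-success-but-anonymous" ;;
                dn:*)         echo "BUG-authenticated-with-wrong-password" ;;
                *)            echo "unexpected-output" ;;
            esac
            ;;
        *) echo "error-$code" ;;
    esac
}

# probe_bind URI BINDDN WRONGPASS
# Runs the live check against a server and prints the verdict.
probe_bind() {
    out=$(ldapwhoami -x -H "$1" -D "$2" -w "$3" 2>/dev/null)
    classify_bind_result "$?" "$out"
}

# Usage with placeholder values (replace with a test account of your own):
#   probe_bind ldap://ldap.example.test 'uid=probe,dc=example,dc=test' 'definitely-wrong'
```

Anything other than "ok-rejected" from probe_bind means the directory's BIND result cannot be trusted by external applications, regardless of what WHOAMI later reports.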
