Bug 1227761 - Postmap LDAP authentication failure fallback to anonymous
Summary: Postmap LDAP authentication failure fallback to anonymous
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: postfix
Version: 6.8
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: rc
Assignee: Jaroslav Škarvada
QA Contact: qe-baseos-daemons
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
Reported: 2015-06-03 12:48 UTC by Sebastien Wains
Modified: 2017-10-27 15:06 UTC (History)
Last Closed: 2017-10-27 15:06:50 UTC


Attachments
upstream patch (814 bytes, patch), 2016-09-13 14:22 UTC, Ondřej Lysoněk

Description Sebastien Wains 2015-06-03 12:48:47 UTC
Description of problem:

When trying to query LDAP with an incorrect password (on purpose), it falls back to anonymous instead of returning a failed authentication.

Configuration:

server_host = 172.24.1.230
search_base = ou=COMPANY,ou=populations,o=Developpement
query_filter = (&(mail=%s))
result_attribute = mailstop
result_format = %U@%s.%D
bind = yes
bind_dn = cn=MXsrvCheck,ou=TechObjects,o=SYSTEM
bind_pw = wrong
version = 3


# postmap -v -q john.doe@example.org ldap://etc/postfix/ldap-authfail.cf

postmap: dict_open: ldap://etc/postfix/ldap-authfail.cf
postmap: dict_ldap_lookup: In dict_ldap_lookup
postmap: dict_ldap_lookup: No existing connection for LDAP source //etc/postfix/ldap-authfail.cf, reopening
postmap: dict_ldap_connect: Connecting to server ldap://172.24.1.230:389
postmap: dict_ldap_connect: Actual Protocol version used is 3.
postmap: dict_ldap_connect: Binding to server ldap://172.24.1.230:389 as dn cn=MXsrvCheck,ou=TechObjects,o=SYSTEM
postmap: dict_ldap_connect: Successful bind to server ldap://172.24.1.230:389 as cn=MXsrvCheck,ou=TechObjects,o=SYSTEM 
postmap: dict_ldap_connect: Cached connection handle for LDAP source //etc/postfix/ldap-authfail.cf
postmap: dict_ldap_lookup: //etc/postfix/ldap-authfail.cf: Searching with filter (&(mail=john.doe@example.org))
postmap: dict_ldap_get_values[1]: Search found 0 match(es)
postmap: dict_ldap_get_values[1]: Leaving dict_ldap_get_values
postmap: dict_ldap_lookup: Search returned nothing
postmap: dict_ldap_close: Closed connection handle for LDAP source //etc/postfix/ldap-authfail.cf



When upgrading to Postfix 2.10 (with the postfix.org RPM), the behavior is different and is what is actually expected.

postmap: dict_open: ldap://etc/postfix/ldap-authfail.cf
postmap: dict_ldap_lookup: In dict_ldap_lookup
postmap: dict_ldap_lookup: No existing connection for LDAP source //etc/postfix/ldap-authfail.cf, reopening
postmap: dict_ldap_connect: Connecting to server ldap://172.24.1.230:389
postmap: dict_ldap_connect: Actual Protocol version used is 3.
postmap: dict_ldap_connect: Binding to server ldap://172.24.1.230:389 with dn cn=MXsrvCheck,ou=TechObjects,o=SYSTEM
postmap: warning: dict_ldap_connect: Unable to bind to server ldap://172.24.1.230:389 with dn cn=MXsrvCheck,ou=TechObjects,o=SYSTEM: 49 (Invalid credentials)
postmap: fatal: table ldap://etc/postfix/ldap-authfail.cf: query error: Success



Version-Release number of selected component (if applicable):

2.6.6 not working
2.10.2 tested and working


How reproducible:

Always



Steps to Reproduce:
1. Have an LDAP allowing anonymous bind
2. set bind_pw to an incorrect value
3. postmap -q john.doe@example.org ldap://etc/postfix/ldap.cf


Actual results:

With an incorrect password, postmap returns 0 matches (in my test it should return 2 matches) because it falls back to anonymous, which doesn't have a view on the attribute I'm querying.

In that context, a failure to authenticate would have an impact on routing decisions.


Expected results:

It should return "Invalid credentials"

Additional info:

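What a bind that refuses the anonymous fallback looks like on the wire, as an added example in Python that is neither Postfix's code nor the reporter's: it sends the LDAPv3 simple BindRequest the logs above describe and treats any non-zero resultCode, such as 49 (Invalid credentials), as fatal rather than continuing with an unauthenticated search. The function names, the host[:port] argument form and the SAMPLE_INVALID bytes are constructed here for illustration.

```python
# Added example, not Postfix code: raw LDAPv3 simple bind; non-zero resultCode (49 = invalidCredentials) is fatal.
import socket

def ber(tag, payload):
    """Encode one BER TLV (short or long definite length)."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def bind_request(msg_id, dn, password, version=3):
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version, name, simple [0] } }."""
    op = ber(0x02, bytes([version])) + ber(0x04, dn.encode()) + ber(0x80, password.encode())
    return ber(0x30, ber(0x02, bytes([msg_id])) + ber(0x60, op))  # ids < 128 assumed

def tlv(buf, pos=0):
    """Decode one TLV starting at pos; returns (tag, value, next_pos)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def parse_bind_response(buf):
    """Return (resultCode, diagnosticMessage) from a BindResponse [APPLICATION 1]."""
    tag, msg, _ = tlv(buf)
    _, _, pos = tlv(msg)                      # messageID
    op_tag, op, _ = tlv(msg, pos)
    if tag != 0x30 or op_tag != 0x61:
        raise ValueError("not an LDAP BindResponse")
    _, code, pos = tlv(op)                    # resultCode ENUMERATED
    _, _, pos = tlv(op, pos)                  # matchedDN
    _, diag, _ = tlv(op, pos)                 # diagnosticMessage
    return int.from_bytes(code, "big"), diag.decode(errors="replace")

def check_bind(server_host, bind_dn, bind_pw, timeout=5.0):
    """Bind with the table's bind_dn/bind_pw (host[:port]); raise on any failure."""
    host, _, port = server_host.partition(":")
    with socket.create_connection((host, int(port or 389)), timeout=timeout) as s:
        s.sendall(bind_request(1, bind_dn, bind_pw))
        code, diag = parse_bind_response(s.recv(4096))   # one small PDU expected
    if code != 0:
        raise RuntimeError(f"bind as {bind_dn} failed: {code} ({diag or 'no diagnostic'})")

# Constructed BindResponse: messageID 1, resultCode 49, empty matchedDN, and the
# "Invalid credentials" diagnostic that the 2.10 log above reports.
SAMPLE_INVALID = ber(0x30, ber(0x02, b"\x01") + ber(0x61, ber(0x0A, b"\x31")
                     + ber(0x04, b"") + ber(0x04, b"Invalid credentials")))
```

Calling check_bind with the server_host, bind_dn and bind_pw values from a table file is a quick way to confirm the credentials a table uses are accepted, independently of whether the installed postmap would quietly fall back to anonymous.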
Comment 4 Ondřej Lysoněk 2016-09-13 14:22 UTC
Created attachment 1200520 [details]
upstream patch

Attaching patch taken from upstream.

Comment 6 Tomáš Hozza 🤓 2017-10-27 15:06:50 UTC
Red Hat Enterprise Linux 6 transitioned to the Production 3 Phase on May 10, 2017.  During the Production 3 Phase, Critical impact Security Advisories (RHSAs) and selected Urgent Priority Bug Fix Advisories (RHBAs) may be released as they become available.

The official life cycle policy can be reviewed here:
http://redhat.com/rhel/lifecycle

This issue does not appear to meet the inclusion criteria for the Production Phase 3 and will be marked as CLOSED/WONTFIX. If this remains a critical requirement, please contact Red Hat Customer Support to request a re-evaluation of the issue, citing a clear business justification.  Red Hat Customer Support can be contacted via the Red Hat Customer Portal at the following URL:

https://access.redhat.com

