Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 456456

Summary: There is no way to tell apart an unauthenticated bind from an anonymous bind
Product: [Retired] 389
Reporter: Loris Santamaria <loris.santamaria>
Component: Security - Access Control (ACL)
Assignee: Rich Megginson <rmeggins>
Status: CLOSED DUPLICATE
QA Contact: Chandrasekar Kannan <ckannan>
Severity: low
Priority: low
Version: 1.1.1
CC: benl, nkinder
Target Milestone: ---
Target Release: ---
Hardware: All
OS: All
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2008-11-07 22:28:52 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions / Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Blocks: 249650

Attachments:
- Plugin to disable unauthenticated binds (flags: none)

Description Loris Santamaria 2008-07-23 19:51:09 UTC
If one does a search in the directory with a valid DN and an empty password, the
bind succeeds. For example:

ldapsearch -x -D "uid=jsmith,ou=people,dc=company" -w ""

Now, while this behaviour is permitted, although discouraged, in the relevant
RFCs, the real problem is that there is no way to disable these
"unauthenticated binds" without disabling truly anonymous access altogether.

As most web apps test if the user can bind to the directory to perform user
authentication, this behaviour of FDS may lead to users getting access to
sensitive data without providing a password. Yes, that would be because of a badly
written client application, but we should disable this behaviour and not expect
that applications will always do the right thing.

Here is the relevant RFC:

http://rfc-ref.org/RFC-TEXTS/4513/chapter5.html#d4e443849

Comment 1 Loris Santamaria 2008-07-24 22:09:07 UTC
Created attachment 312602 [details]
Plugin to disable unauthenticated binds

Comment 2 Loris Santamaria 2008-07-24 22:10:23 UTC
The above plugin checks if the user sends a DN but no password (unauthenticated
bind), and if that is the case, it returns an error code 32 (Unwilling to perform).

Tested with anonymous connections, unauthenticated binds, plain binds, and SASL
GSSAPI connections.

Feel free to modify, use, or trash the plugin at your will. 
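
The following is an added example, not the attached plugin or any 389/FDS code. It models the three simple-bind forms of RFC 4513 section 5.1 (anonymous, unauthenticated, name/password), a constructed server (`simple_bind`, `DIRECTORY`) that either accepts unauthenticated binds as described in the report or refuses them with unwillingToPerform (result code 53 in RFC 4511), and the two client patterns from the description: `naive_login`, which treats any successful bind as authentication, beside `guarded_login`, which never sends an empty password. All function and data names are constructed for this illustration; the directory stores plaintext only to keep the example self-contained.

```python
import hmac
from enum import Enum

# LDAP result codes as defined in RFC 4511.
LDAP_SUCCESS = 0
LDAP_INVALID_CREDENTIALS = 49
LDAP_UNWILLING_TO_PERFORM = 53


class BindKind(Enum):
    """The simple-bind forms of RFC 4513 section 5.1."""
    ANONYMOUS = "anonymous"              # 5.1.1: empty name, empty password
    UNAUTHENTICATED = "unauthenticated"  # 5.1.2: name present, empty password
    NAME_PASSWORD = "name/password"      # 5.1.3: name and password present


def classify_simple_bind(dn: str, password: bytes) -> BindKind:
    """Tell the three forms apart: this is the distinction the bug says
    the server could not be configured to act on."""
    if not dn and not password:
        return BindKind.ANONYMOUS
    if dn and not password:
        return BindKind.UNAUTHENTICATED
    # Anything else (including an empty name with a password) is treated as a
    # name/password bind and has to pass the credential check below.
    return BindKind.NAME_PASSWORD


# Constructed directory: DN -> password. A real server stores a hash; this
# example keeps plaintext purely so it runs offline.
DIRECTORY = {"uid=jsmith,ou=people,dc=company": b"correct horse battery"}


def simple_bind(dn: str, password: bytes, allow_unauthenticated: bool) -> int:
    """Constructed server-side bind handling.

    allow_unauthenticated=True mirrors the behaviour reported in this bug;
    False is the policy the attached plugin adds: reject the unauthenticated
    form while leaving truly anonymous binds available."""
    kind = classify_simple_bind(dn, password)
    if kind is BindKind.ANONYMOUS:
        return LDAP_SUCCESS
    if kind is BindKind.UNAUTHENTICATED:
        return LDAP_SUCCESS if allow_unauthenticated else LDAP_UNWILLING_TO_PERFORM
    stored = DIRECTORY.get(dn)
    if stored is None or not hmac.compare_digest(stored, password):
        return LDAP_INVALID_CREDENTIALS
    return LDAP_SUCCESS


def user_dn(username: str) -> str:
    # Constructed DN layout matching the ldapsearch example in the report.
    return f"uid={username},ou=people,dc=company"


def naive_login(username: str, password: str, allow_unauthenticated: bool) -> bool:
    """The web-app pattern the report warns about: 'if the bind succeeds, the
    user is authenticated'. With an empty password this is an unauthenticated
    bind, which the server accepts unless that form has been disabled."""
    rc = simple_bind(user_dn(username), password.encode(), allow_unauthenticated)
    return rc == LDAP_SUCCESS


def guarded_login(username: str, password: str, allow_unauthenticated: bool) -> bool:
    """Hardened client: refuse to send an empty password, so the bind can
    only ever be the name/password form. This holds even against a server
    that still permits unauthenticated binds."""
    if not username or not password:
        return False
    rc = simple_bind(user_dn(username), password.encode(), allow_unauthenticated)
    return rc == LDAP_SUCCESS


if __name__ == "__main__":
    for allow in (True, False):
        print(f"server allows unauthenticated binds: {allow}")
        print("  naive login, empty password  :", naive_login("jsmith", "", allow))
        print("  guarded login, empty password:", guarded_login("jsmith", "", allow))
        print("  guarded login, real password :",
              guarded_login("jsmith", "correct horse battery", allow))
```

Running the block shows the failure mode from both sides: with the server in its reported state, `naive_login` returns True for an empty password, while the server-side policy alone (`allow_unauthenticated=False`) and the client-side guard alone each close the hole, and anonymous binds keep working in either configuration.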

Comment 3 Rich Megginson 2008-07-24 23:04:35 UTC
Thanks!  We'll have a look at it once we get a little time.

We will need a CLA to accept this code -
http://directory.fedoraproject.org/wiki/Contributing - if you already have an
account with the Fedora Account System, you can fill out the CLA on-line - if
you do so, or if you have already done this, just let me know what your FAS
account name is - https://admin.fedoraproject.org/accounts/

Comment 4 Loris Santamaria 2008-07-25 02:53:24 UTC
I've registered an account, and the account name is loris

Comment 5 Nathan Kinder 2008-11-07 22:28:52 UTC
This is a duplicate of 316241.  We definitely appreciate the contribution, but the fix in the other bug is in the core server code with a configuration attribute to control the behavior as opposed to a new separate plug-in.  For a feature this simple, it is preferred to not have to have an entire plug-in, so we are going to go with that approach.

*** This bug has been marked as a duplicate of bug 316241 ***