It was reported [1],[2],[3] that in certain configurations, OpenLDAP would authenticate with an invalid password. If an OpenLDAP slave received an authenticated bind request with an invalid password that was forwarded to the master LDAP server, the LDAP slave would return a successful bind (as an anonymous user) rather than return a failure (as the user to authenticate). This is due to a chain overlay being set on the frontend, with a ppolicy configured with ppolicy_forward_updates.

While this is not a security issue regarding LDAP contents, due to the authentication as an unprivileged anonymous user, when LDAP returns a successful bind to other external programs (such as programs performing authentication, such as pam_ldap or SSSD) it could allow a user to log in with an invalid password (in that case, if LDAP is used for user authentication, it could lead to a successful login with an invalid password).

This was already corrected upstream [4] for unrelated reasons.

References:
[1] http://www.openldap.org/its/index.cgi/Software%20Bugs?id=6607
[2] http://www.openldap.org/lists/openldap-technical/201004/msg00247.html
[3] http://secunia.com/advisories/43331/
[4] http://www.openldap.org/devel/cvsweb.cgi/servers/slapd/back-ldap/chain.c.diff?r1=1.76&r2=1.77&hideattic=1&sortbydate=0
The upstream patch [4] applies to OpenLDAP as provided with RHEL5 and 6; it does not apply to RHEL4 and the code is quite different so I don't believe OpenLDAP 2.2.x is affected, but need a second set of eyes to verify.
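The report above turns on a client trusting the bind resultCode alone: the slave answers "success" but the session is actually anonymous. The following Python is an added example (not code from the bug report, OpenLDAP, pam_ldap or SSSD) showing the defensive check an authentication consumer can make: after a successful simple bind, confirm the bound identity with the "Who am I?" extended operation (RFC 4532) and reject the login if the authzId is empty (anonymous) or does not match the DN that was bound. The `FakeLdapConnection` class, its `misbehaving` flag and the sample directory are constructed stand-ins for a real connection; a real client would issue the same request through its LDAP library (for example `whoami_s()` in python-ldap).

```python
"""
Added example: do not accept an LDAP login on bind resultCode 0 alone;
verify the bound identity with "Who am I?" (RFC 4532) before accepting it.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

LDAP_SUCCESS = 0              # resultCode success
LDAP_INVALID_CREDENTIALS = 49  # resultCode invalidCredentials


@dataclass
class BindResult:
    result_code: int


@dataclass
class FakeLdapConnection:
    """Constructed stand-in for a real LDAP connection.

    With misbehaving=True it mimics the faulty slave from the report: a
    bind with a wrong password still returns resultCode 0, but the session
    is left anonymous instead of being authenticated as the requested DN.
    """
    users: Dict[str, str]            # dn -> password (constructed sample data)
    misbehaving: bool = False
    bound_as: Optional[str] = field(default=None)

    def simple_bind(self, dn: str, password: str) -> BindResult:
        if self.users.get(dn) == password:
            self.bound_as = dn
            return BindResult(LDAP_SUCCESS)
        self.bound_as = None  # anonymous session either way
        if self.misbehaving:
            return BindResult(LDAP_SUCCESS)      # the bug: success without identity
        return BindResult(LDAP_INVALID_CREDENTIALS)

    def whoami(self) -> str:
        # RFC 4532: authzId is "dn:<DN>" for a bound user, empty when anonymous.
        return f"dn:{self.bound_as}" if self.bound_as else ""


def naive_authenticate(conn: FakeLdapConnection, dn: str, password: str) -> bool:
    """The pattern the report warns about: success means resultCode 0."""
    return conn.simple_bind(dn, password).result_code == LDAP_SUCCESS


def authenticate(conn: FakeLdapConnection, dn: str, password: str) -> bool:
    """Hardened check: bind must succeed AND the server must confirm that the
    session is authenticated as the DN we asked for (never anonymous)."""
    if conn.simple_bind(dn, password).result_code != LDAP_SUCCESS:
        return False
    authzid = conn.whoami()
    if not authzid:
        return False                      # anonymous session: reject
    # DNs are compared case-insensitively here; a real client should use
    # its library's DN normalisation rather than plain lower().
    return authzid.lower() == f"dn:{dn}".lower()


# Constructed sample directory for the demonstration.
SAMPLE_USERS = {"uid=alice,ou=people,dc=example,dc=com": "correct-horse"}


def demo() -> dict:
    """Run both checks against a healthy and a misbehaving server."""
    good = FakeLdapConnection(dict(SAMPLE_USERS))
    bad = FakeLdapConnection(dict(SAMPLE_USERS), misbehaving=True)
    dn = "uid=alice,ou=people,dc=example,dc=com"
    return {
        "healthy_good_pw": authenticate(good, dn, "correct-horse"),
        "healthy_wrong_pw_naive": naive_authenticate(good, dn, "wrong"),
        "buggy_wrong_pw_naive": naive_authenticate(bad, dn, "wrong"),   # True: the flaw
        "buggy_wrong_pw_checked": authenticate(bad, dn, "wrong"),       # False: caught
        "buggy_good_pw_checked": authenticate(bad, dn, "correct-horse"),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The extra round trip costs one extended operation per login, and it catches exactly this failure mode: a server that reports success for a session it never authenticated. It does not replace the upstream fix, but it keeps pam_ldap-style consumers from granting access on a bare resultCode.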
Created openldap tracking bugs for this issue Affects: fedora-all [bug 680483]
This issue does not affect OpenLDAP 2.2.x (as found in Red Hat Enterprise Linux 4) because it does not contain ppolicy overlay support.
Already fixed in upstream 2.4.24, for Fedora this means:
F16 not affected
F14 affected, but 2.4.24 is waiting in updates testing
F14 affected
F13 affected
F13 resolved in: openldap-2.4.21-12.fc13
F14 resolved in: openldap-2.4.23-9.fc14
This issue has been addressed in the following products:
Red Hat Enterprise Linux 5
Via RHSA-2011:0346 https://rhn.redhat.com/errata/RHSA-2011-0346.html
This issue has been addressed in the following products:
Red Hat Enterprise Linux 6
Via RHSA-2011:0347 https://rhn.redhat.com/errata/RHSA-2011-0347.html