Bug 836386 - slapi_ldap_bind() doesn't check bind results
Summary: slapi_ldap_bind() doesn't check bind results
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: 389-ds-base
Version: 6.4
Hardware: Unspecified
OS: Unspecified
medium
unspecified
Target Milestone: rc
: ---
Assignee: Rich Megginson
QA Contact: Sankar Ramalingam
URL:
Whiteboard:
: 836385 (view as bug list)
Depends On:
Blocks: 856089
TreeView+ depends on / blocked
 
Reported: 2012-06-28 21:44 UTC by Nathan Kinder
Modified: 2018-12-06 14:47 UTC (History)
2 users (show)

Fixed In Version: 389-ds-base-1.2.11.12-1.el6
Doc Type: Bug Fix
Doc Text:
Cause: Internally, we only checked the bind result, if LDAP controls were passed in for internal connections Consequence: We would report success regardless if there was an error. Fix: Always check the result, regardless if control were passed in or not. Result: Correct bind result
Clone Of:
: 856089 (view as bug list)
Environment:
Last Closed: 2013-02-21 08:19:58 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2013:0503 normal SHIPPED_LIVE Moderate: 389-ds-base security, bug fix, and enhancement update 2013-02-21 08:18:44 UTC

Description Nathan Kinder 2012-06-28 21:44:49 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/389/ticket/399

The slapi_ldap_bind() function does not properly check the bind operation results.  It currently only calls ldap_parse_result() if returnedctrls was passed in by the caller.  We need to call ldap_parse_result() even if we don't need to get the returned controls, as it's how we get the LDAP response code for the BIND operation.  With the current code, slapi_ldap_bind() will end up returning 0 for a failed BIND operation if returnedctrls is not passed in.

Comment 1 Nathan Kinder 2012-07-02 20:14:38 UTC
*** Bug 836385 has been marked as a duplicate of this bug. ***

Comment 2 Jenny Severance 2012-07-09 19:20:48 UTC
Please add steps to reproduce this bug

Comment 3 mreynolds 2012-08-24 15:53:10 UTC
Created testcase (bug836386()) in mmrepl/accept/ as replication uses slapi_ldap_bind.

Comment 5 Jenny Severance 2013-01-14 15:31:39 UTC
verified ::

200|0 24 17:32:28|TP Start
520|0 24 16496 1 1|
520|0 24 16496 1 2|bug836386 - make sure slapi_ldap_bind complains when an invalid password is used
520|0 24 16496 1 3|bug836386 Restore agreement for S2->S1: SIMPLE to SSL
520|0 24 16496 1 4|bug836386 Restored
520|0 24 16496 1 5|slapi_ldap_bind correctly indentified the failure, nsDS5ReplicaCredentials is correctly restored to secret12, Return code-0
520|0 24 16496 1 6|TestCase [bug836386] result-> [PASS]
220|0 24 0 17:32:41|PASS

version :: 389-ds-base-1.2.11.15-8.el6

Comment 6 errata-xmlrpc 2013-02-21 08:19:58 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0503.html


Note You need to log in before you can comment on or make changes to this bug.