Ticket #168 (closed enhancement: fixed)

Opened 2 years ago

Last modified 2 years ago

minssf should not apply to rootdse

Reported by: rmeggins Owned by: nhosoi
Priority: major Milestone: 1.2.10.a7
Component: Directory Server Version: 1.2.10
Keywords: Cc:
Blocked By: Blocking:
Review: ack Ticket origin:
Red Hat Bugzilla: 746758

Description

https://bugzilla.redhat.com/show_bug.cgi?id=746758

Description of problem:
LDAP Standard requires that rootdse be always available anonymously and
unencrypted.

389 DS prevents the lookup when minssf is set and an unencrypted query for
rootdse is performed.

How reproducible:
Always

Steps to Reproduce:
1. Set minssf in dse.ldif
2. ldapsearch -x -H ldap://`hostname` -s base -b ""
3. ldap_bind: Server is unwilling to perform (53)
        additional info: Minimum SSF not met.

Actual results:
ldap_bind: Server is unwilling to perform (53)
        additional info: Minimum SSF not met.

Expected results:
To return results for rootdse

Additional info:

Attachments

0001-Trac-Ticket-168-minssf-should-not-apply-to-rootdse.patch (12.2 KB) - added by nhosoi 2 years ago.
git patch file (master)

Change History

comment:1 Changed 2 years ago by rmeggins

comment:2 Changed 2 years ago by rmeggins

  • Milestone changed from NEEDS_TRIAGE to 1.2.10.a7

batch move to milestone 1.2.10.a7

comment:3 Changed 2 years ago by rmeggins

  • Owner rmeggins deleted

comment:4 Changed 2 years ago by nhosoi

  • Owner set to nhosoi
  • Status changed from new to assigned

Changed 2 years ago by nhosoi

git patch file (master)

comment:5 Changed 2 years ago by nhosoi

  • Review changed from Needs Review to review?

Fix description: This patch is for supporting a request to
allow accessing rootdse with lower ssf than minssf configuration
setting.
. introduced an on/off type config parameter: nsslapd-minssf-exclude-rootdse.
. by default, the value is off.
. when it is off, the server's behavior remains intact.
. when it is on, the server allows access to rootdse even if
  the ssf value is less than nsslapd-minssf value.

comment:6 Changed 2 years ago by rmeggins

  • Review changed from review? to ack

comment:7 Changed 2 years ago by nhosoi

  • Status changed from assigned to closed
  • Resolution set to fixed

Reviewed by Rich (Thank you!!)

Pushed to master.

$ git merge trac168
Updating ed87077..48e99c1
Fast-forward

ldap/servers/slapd/bind.c | 13 +++++++++++--
ldap/servers/slapd/connection.c | 10 +++++++++-
ldap/servers/slapd/libglobs.c | 35 +++++++++++++++++++++++++++++++++++
ldap/servers/slapd/modify.c | 22 ++++++++++++++++++++++
ldap/servers/slapd/proto-slap.h | 2 ++
ldap/servers/slapd/search.c | 29 ++++++++++++++++++++++++++++-
ldap/servers/slapd/slap.h | 2 ++
7 files changed, 109 insertions(+), 4 deletions(-)

$ git push
Counting objects: 23, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (12/12), done.
Writing objects: 100% (12/12), 2.92 KiB, done.
Total 12 (delta 10), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git

ed87077..48e99c1 master -> master

comment:8 Changed 2 years ago by nhosoi

Steps to verify:

  1. nsslapd-minssf-exclude-rootdse: off

In cn=config, set the following parameters (assume server is down) and start the server.
nsslapd-allow-anonymous-access: on
nsslapd-minssf: 10
nsslapd-minssf-exclude-rootdse: off
1-1. Simple auth search (-x) by any user against any base dn fails with "Minimum SSF not met".
$ ldapsearch -LLLx -h localhost -p <port> -b "" -s base dn
ldap_bind: Server is unwilling to perform (53)
        additional info: Minimum SSF not met.

$ ldapsearch -LLLx -h localhost -p <port> -b "dc=example,dc=com" dn
ldap_bind: Server is unwilling to perform (53)
        additional info: Minimum SSF not met.

$ ldapsearch -LLLx -h localhost -p <port> -D 'cn=directory manager' -w <pw> -b "" -s base dn
ldap_bind: Server is unwilling to perform (53)
        additional info: Minimum SSF not met.

$ ldapsearch -LLLx -h localhost -p <port> -D 'cn=directory manager' -w <pw> -b "dc=example,dc=com" dn
ldap_bind: Server is unwilling to perform (53)
        additional info: Minimum SSF not met.

  2. nsslapd-minssf-exclude-rootdse: on

In cn=config, set the following parameters (assume server is down) and start the server.
nsslapd-allow-anonymous-access: on
nsslapd-minssf: 10
nsslapd-minssf-exclude-rootdse: on
2-1. Simple auth search (-x) by any user against rootdse is allowed, but against any other base dn fails with "Minimum SSF not met".
$ ldapsearch -LLLx -h localhost -p <port> -b "" -s base dn
dn:

$ ldapsearch -LLLx -h localhost -p <port> -b "dc=example,dc=com" -s base dn
Server is unwilling to perform (53)
Additional information: Minimum SSF not met.

$ ldapsearch -LLLx -h localhost -p <port> -D 'cn=directory manager' -w <pw> -b "" -s base dn
dn:

$ ldapsearch -LLLx -h localhost -p <port> -D 'cn=directory manager' -w <pw> -b "dc=example,dc=com" -s base dn
Server is unwilling to perform (53)
Additional information: Minimum SSF not met.
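The following is an added illustration, not 389 DS code and not part of this ticket: a small Python model of the minimum-SSF gate as described in the fix description (comment 5) and exercised by the verification matrix above (comment 8). It encodes only what those two comments show: with nsslapd-minssf-exclude-rootdse off, a cleartext (SSF 0) simple bind is refused outright with result 53 "Minimum SSF not met."; with it on, the bind goes through and only a base-scope search of the empty DN is allowed below nsslapd-minssf, every other base being refused at the search. The names Config, Conn, check_bind, check_search and run_search are this example's own; the treatment of a whitespace-only base DN as the rootDSE, and of a one-level or subtree search rooted at "" as not the rootDSE, are assumptions and are marked as such in the comments. The placeholder "dn: <base>" line for a permitted non-rootDSE search is constructed output, not a real entry.

```python
# Added illustration for ticket #168: a model of the minimum-SSF gate with the
# nsslapd-minssf-exclude-rootdse switch. This is NOT 389 DS code; it encodes only
# the behaviour visible in the fix description (comment 5) and the verification
# matrix (comment 8). Anything beyond that is labelled as an assumption.
from dataclasses import dataclass

LDAP_UNWILLING_TO_PERFORM = 53
MINSSF_NOT_MET = "Minimum SSF not met."


@dataclass(frozen=True)
class Config:
    """The cn=config attributes that matter for this check."""
    minssf: int = 0                 # nsslapd-minssf
    exclude_rootdse: bool = False   # nsslapd-minssf-exclude-rootdse


@dataclass(frozen=True)
class Conn:
    """A client connection; ssf is 0 for a cleartext ldap:// session."""
    ssf: int = 0


def is_rootdse_search(base: str, scope: str) -> bool:
    """The rootDSE is the empty-DN entry read with a base-scope search.
    Assumption: surrounding whitespace in the base DN is ignored, and a
    one-level or subtree search rooted at "" is NOT a rootDSE read."""
    return base.strip() == "" and scope == "base"


def check_bind(cfg: Config, conn: Conn) -> tuple[int, str]:
    """Simple bind. The comment-8 output shows that with the exclusion on,
    the cleartext bind (even as cn=directory manager) is no longer refused;
    the refusal is then raised by the search instead."""
    if conn.ssf < cfg.minssf and not cfg.exclude_rootdse:
        return LDAP_UNWILLING_TO_PERFORM, MINSSF_NOT_MET
    return 0, ""


def check_search(cfg: Config, conn: Conn, base: str, scope: str) -> tuple[int, str]:
    """Per-operation SSF gate: only a rootDSE read may bypass nsslapd-minssf,
    and only while nsslapd-minssf-exclude-rootdse is on."""
    if conn.ssf >= cfg.minssf:
        return 0, ""
    if cfg.exclude_rootdse and is_rootdse_search(base, scope):
        return 0, ""
    return LDAP_UNWILLING_TO_PERFORM, MINSSF_NOT_MET


def run_search(cfg: Config, conn: Conn, bind_dn: str, base: str, scope: str) -> str:
    """Reproduce one `ldapsearch -x` invocation (bind, then search) and return
    the text the client would print. bind_dn is carried only to mirror the
    verification matrix; as that matrix shows, the identity does not change
    the outcome. A permitted non-rootDSE search returns a constructed
    placeholder line, not real entries."""
    rc, info = check_bind(cfg, conn)
    if rc:
        return f"ldap_bind: Server is unwilling to perform ({rc})\n\tadditional info: {info}"
    rc, info = check_search(cfg, conn, base, scope)
    if rc:
        return f"Server is unwilling to perform ({rc})\nAdditional information: {info}"
    return "dn:" if is_rootdse_search(base, scope) else f"dn: {base}"


if __name__ == "__main__":
    # Walk the same four-by-two matrix as the "Steps to verify" above.
    clear = Conn(ssf=0)
    for exclude in (False, True):
        cfg = Config(minssf=10, exclude_rootdse=exclude)
        print(f"--- nsslapd-minssf-exclude-rootdse: {'on' if exclude else 'off'}")
        for who in ("", "cn=directory manager"):
            for base in ("", "dc=example,dc=com"):
                print(f"[{who or 'anonymous'}] -b {base!r} -s base")
                print(run_search(cfg, clear, who, base, "base"))
```

One point worth reading off the verification output that the model makes explicit: once the exclusion is on, the cleartext simple bind as cn=directory manager completes (the -b "" search returns "dn:", and the dc=example,dc=com failure is reported by the search, not prefixed with "ldap_bind:"). The password therefore crosses the unprotected connection before the per-operation SSF check refuses anything, so enabling the switch to satisfy rootDSE discovery also removes the bind-time refusal that previously stopped a client from sending credentials in the clear.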

comment:9 Changed 20 months ago by nkinder

  • screened set to 1

Added initial screened field value.
