Ticket #495 (closed defect: fixed)

Opened 4 years ago

Last modified 2 years ago

ldap referrals are only ever followed anonymously

Reported by: nalin Owned by: sbose
Priority: blocker Milestone: SSSD 1.5.0
Component: SSSD Version: 1.2.0
Keywords: Cc:
Blocked By: Blocking:
Tests Updated: no Coverity Bug:
Patch Submitted: Red Hat Bugzilla: 0
Design link:
Feature Milestone:
Design review: Fedora test page:
Chosen: Candidate to push out:
Release Notes:

Description

I see that sssd supports enabling referral support in libldap, but sssd doesn't seem to be registering a rebind callback (with ldap_set_rebind_proc) for libldap to use when it needs to bind to a new server.

If sssd doesn't do that, then referrals to other servers will be done anonymously, which I don't think is going to provide the desired results if sssd has been configured to authenticate to its primary server.

My personal preference would be for sssd to not depend on libldap's ability to chase referrals, but to queue up referral responses itself for following after processing results of the currently-executing search, and handling server binds directly as a part of that. That said, providing a callback may simply be more expedient.

A note of warning: beware of reintroducing CVE-2005-2069 when you're following referrals.

Change History

comment:1 Changed 4 years ago by sgallagh

  • Milestone changed from NEEDS_TRIAGE to SSSD 1.4.0

comment:2 Changed 4 years ago by dpal

  • Owner changed from somebody to jhrozek

comment:3 Changed 4 years ago by sgallagh

  • Priority changed from major to critical

Raising priority to critical.

This issue is hitting Active Directory users particularly hard, since forests are almost always configured to require authentication for referrals.

comment:4 Changed 4 years ago by sbose

  • Owner changed from jhrozek to sbose

comment:5 Changed 3 years ago by sgallagh

  • Priority changed from critical to blocker

comment:6 Changed 3 years ago by sbose

  • Resolution set to fixed
  • Status changed from new to closed

comment:7 Changed 2 years ago by dpal

  • Red Hat Bugzilla set to 0
Note: See TracTickets for help on using tickets.