
internal sasl auxprop plugin used by default

First of all, I wrote this mail to OpenLDAP-software too; look:
http://www.openldap.org/lists/openldap-software/200301/msg00455.html
Sorry for the crosspost, but my question wasn't answered and
I think this is really a security related problem.

The problem is that all sasl auxprop plugins
(and because of it the slapd external sasl plugin too)
seem to be used by slapd if the auxprop_plugin sasl option is not set.
(Seems to be a sasl misbehavior.)

Because of it, if you have a valid sasl-regexp which maps a sasl id to
a valid dn, then if you use an auxprop based mech, you can authenticate
to that dn with the dn's userPassword attribute as the password, as it is.

e.g: ldapsearch -U sample -Y DIGEST-MD5 -ZZ userPassword

and you can use password hashes as the password:
{SSHA}sVBSuRsZ+Iq2GrJcXFon0pCseOG7SA7J
much worse:
{SASL}uid@YOUR.DOMAIN

I think it would be nice that without the auxprop_plugin option
only the sasldb plugin, or none of them, be used by slapd.

Thanks

balsa

p.s.: sorry for my broken English
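A small configuration audit for the condition the post describes, added here as an example and not part of the original message or of OpenLDAP or Cyrus SASL. It reads a Cyrus SASL application config (`key: value` lines) together with a slapd.conf and reports when a `sasl-regexp` maps SASL ids onto directory DNs while `auxprop_plugin` is either left unset (which, per the post's observation, lets every auxprop plugin including the slapd one answer lookups) or explicitly names `slapd`. The sample configs, the regexp pattern and the `dc=example,dc=com` suffix are constructed for the example.

```python
"""Audit the auxprop_plugin / sasl-regexp combination described in the post.

Constructed example: the file contents below are samples, not real deployments.
"""
import re

# Constructed sample: Cyrus SASL config for slapd with no auxprop_plugin pinned.
SAMPLE_SASL_CONF_WEAK = """\
# sample SASL application config (constructed)
pwcheck_method: auxprop
"""

# Constructed sample: the same config restricted to the sasldb plugin,
# which is what the post asks slapd to fall back to.
SAMPLE_SASL_CONF_FIXED = """\
pwcheck_method: auxprop
auxprop_plugin: sasldb
"""

# Constructed sample slapd.conf fragment with a SASL id -> DN mapping.
SAMPLE_SLAPD_CONF = """\
# sample slapd.conf fragment (constructed)
sasl-regexp uid=(.*),cn=digest-md5,cn=auth ldap:///dc=example,dc=com??sub?(uid=$1)
"""


def parse_sasl_conf(text):
    """Parse Cyrus SASL 'key: value' lines into a dict; '#' starts a comment."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        opts[key.strip().lower()] = value.strip()
    return opts


def slapd_sasl_regexps(text):
    """Return every sasl-regexp directive found in a slapd.conf text."""
    found = []
    for line in text.splitlines():
        stripped = line.strip()
        if re.match(r"(?i)^sasl-regexp\s", stripped):
            found.append(stripped)
    return found


def audit(sasl_conf_text, slapd_conf_text):
    """Return a list of findings; an empty list means nothing to report."""
    opts = parse_sasl_conf(sasl_conf_text)
    regexps = slapd_sasl_regexps(slapd_conf_text)
    findings = []
    if not regexps:
        # Without a SASL id -> DN mapping an auxprop lookup against the
        # directory has no entry to return, so the condition does not apply.
        return findings
    plugins = opts.get("auxprop_plugin")
    if plugins is None:
        findings.append(
            "auxprop_plugin is not set: per the post, all auxprop plugins "
            "(the slapd plugin included) are consulted for %d sasl-regexp "
            "mapping(s)" % len(regexps))
    elif "slapd" in plugins.lower().split():
        findings.append(
            "auxprop_plugin lists slapd: the mapped entry's userPassword value "
            "(including {SSHA}/{SASL} forms) is returned as the secret")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", SAMPLE_SASL_CONF_WEAK),
                        ("fixed", SAMPLE_SASL_CONF_FIXED)):
        print(label, audit(conf, SAMPLE_SLAPD_CONF) or ["no findings"])
```

The check deliberately treats an absent `auxprop_plugin` line the same way the post does (every plugin in use); if a later Cyrus SASL release changes that default, only the `plugins is None` branch needs adjusting.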