RT/krbdev.mit.edu: Ticket #7754 LDAP KDB module uses anonymous bind when following referrals

The Basics
Id: 7754
Status: open
Worked: 0 min
Priority: 0/0
Queue: krb5

 Dates  
Created: Mon Nov 4 11:25:08 2013
Starts: Not set
Started: Not set
Last Contact: Not set
Due: Not set
Updated: Mon Nov 4 11:25:08 2013 by ghudson
 

People
Owner: Nobody
Requestors: ghudson@mit.edu


History
      Mon Nov  4 11:25:08 2013  ghudson - Ticket created    
     
Subject: LDAP KDB module uses anonymous bind when following referrals

The LDAP KDB module uses OpenLDAP or a similar library.  If the module
performs a search or update which results in a referral to another
server, the referral is handled internally by the library.  By default,
the library makes an anonymous bind to the new server.  This is not
useful in most scenarios where one would want to use referrals for a
Kerberos database, because it is rarely appropriate to make Kerberos data
available to anonymous clients.

We can control how referral binds take place by calling
ldap_set_rebind_proc with an appropriate callback.  We should probably
set a callback which uses the same credentials as we use to bind to the
initial server.

