Skip Menu |

From: Dominique Laigle <>
Date: Tue, 1 Mar 2011 12:23:22 +0100
Subject: Kerberos 1.9 : Bug in LDAP plugin in libkdb_ldap

Subject: misspelled "Kerberos" in title of installation guide

Show quoted text
>Submitter-Id:  BULL Luxembourg
>Originator:    Dominique Laigle
BULL Luxembourg SA
Show quoted text
>Confidential:  no
>Synopsis:      Bug in kdb_ldap::ldap_err.c
>Severity:      critical
>Priority:      high
>Category:      krb5-kdc
>Class:         sw-bug
>Release:       1.9 stable
        <machine, os, target, libraries (multiple lines)>
     System: Solaris 10 (SPARC,x86) & AIX (5.3, 6.1)
     Machine: T52220
     Using OpenLDAP 2.4.23, Build 32 bit on Solaris, 64 bit on AIX,
both with gcc
             When principal names are badly formed, ending with "("
kdc loops on initiating new LDAP connection, which leads to saturate
slapd up to the max connections possible (and make it to ignore all
other incoming requests = DoS on LDAP)
             create badly formed principal name, say "foo(" and get
the TGT with kinit.

*** Explanations

             All principal lookup ends up in LDAP_SEARCH_1 defined in

#define LDAP_SEARCH_1(...)         \
    do {                                                                \
        st = ldap_search_ext_s(...); \
        if (translate_ldap_error(st, OP_SEARCH) == KRB5_KDB_ACCESS_ERROR) { \
            tempst = krb5_ldap_rebind(ldap_context, &ldap_server_handle); \
        }                                                               \
    } while (translate_ldap_error(st, OP_SEARCH) ==
KRB5_KDB_ACCESS_ERROR && tempst == 0);

1. So long "translate_ldap_error" returns KRB5_KDB_ACCESS_ERROR,
LDAP_SEARCH_1 will loop
   and initiate a new LDAP connection with "krb5_ldap_rebind".

2. When the filter is not correct - this appears when the principal
name ends with "(" -,  "ldap_search_ext_s" returns LDAP_FILTER_ERROR,
value "-7". The function  "translate_ldap_error" defined in ldap_err.c
doesn't catch this case and considers it as "LDAP_API_ERROR". Thus, in
our case of badly named principals, "translate_ldap_error" always
returns KRB5_KDB_ACCESS_ERROR making LDAP_SEARCH_1 to loop after
having initiated a new connection.

*** Fix proposal:
Change ldap_err.c making "translate_ldap_error" to return another
I propose to add one statment forcing the return code to "No ENTRY" as
showed in the diff -u hereafter:

---      Tue Mar  1 11:39:36 2011
+++ ldap_err.c  Tue Mar  1 11:40:15 2011
@@ -139,6 +139,7 @@
             return KRB5_KDB_CONSTRAINT_VIOLATION;

     case LDAP_REFERRAL:
         return KRB5_KDB_NOENTRY;



- Dominique Laigle
Thanks; this was already fixed in the patch for #6860 (which was for a set of related security