From: Dominique Laigle <dlaigle@gmail.com>
Date: Tue, 1 Mar 2011 12:23:22 +0100
Subject: Kerberos 1.9 : Bug in LDAP plugin in libkdb_ldap
To: krb5-bugs@mit.edu
To: krb5-bugs@mit.edu
Subject: misspelled "Kerberos" in title of installation guide
From: dlaigle@gmail.com
Reply-To: dlaigle@gmail.com
>Environment:
System: Solaris 10 (SPARC, x86) & AIX (5.3, 6.1)
Machine: T52220
Using OpenLDAP 2.4.23, built 32-bit on Solaris, 64-bit on AIX,
both with gcc
>Description:
When principal names are badly formed, ending with "(", the KDC loops
on initiating new LDAP connections, which saturates slapd up to the
maximum number of connections possible (and makes it ignore all
other incoming requests = DoS on LDAP).
>How-To-Repeat:
Create a badly formed principal name, say "foo(", and get
the TGT with kinit.
>Fix:
*** Explanations
All principal lookups end up in LDAP_SEARCH_1, defined in
kdb_ldap.h:
#define LDAP_SEARCH_1(...)                                                  \
    do {                                                                    \
        st = ldap_search_ext_s(...);                                        \
        if (translate_ldap_error(st, OP_SEARCH) == KRB5_KDB_ACCESS_ERROR) { \
            tempst = krb5_ldap_rebind(ldap_context, &ldap_server_handle);   \
            [...]                                                           \
        }                                                                   \
    } while (translate_ldap_error(st, OP_SEARCH) == KRB5_KDB_ACCESS_ERROR   \
             && tempst == 0);
1. As long as "translate_ldap_error" returns KRB5_KDB_ACCESS_ERROR,
LDAP_SEARCH_1 will loop and initiate a new LDAP connection with
"krb5_ldap_rebind".
2. When the filter is not correct (this happens when the principal
name ends with "("), "ldap_search_ext_s" returns LDAP_FILTER_ERROR,
value -7. The function "translate_ldap_error" defined in ldap_err.c
does not catch this case and treats it as an "LDAP_API_ERROR". Thus, in
our case of badly named principals, "translate_ldap_error" always
returns KRB5_KDB_ACCESS_ERROR, making LDAP_SEARCH_1 loop after
having initiated a new connection.
*** Fix proposal:
Change ldap_err.c so that "translate_ldap_error" returns an error
other than KRB5_KDB_ACCESS_ERROR.
I propose adding one statement forcing the return code to "no entry"
(KRB5_KDB_NOENTRY), as shown in the diff -u below:
--- ldap_err.c.org Tue Mar 1 11:39:36 2011
+++ ldap_err.c Tue Mar 1 11:40:15 2011
@@ -139,6 +139,7 @@
return KRB5_KDB_CONSTRAINT_VIOLATION;
case LDAP_REFERRAL:
+ case LDAP_FILTER_ERROR:
return KRB5_KDB_NOENTRY;
case LDAP_ADMINLIMIT_EXCEEDED:
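Review bot: Adding LDAP_FILTER_ERROR to the LDAP_REFERRAL/KRB5_KDB_NOENTRY case stops the rebind loop for a trailing "(", but it reports a client-side filter-syntax failure as "principal not found" and leaves the actual defect, the principal name being interpolated into the search filter without escaping, untouched. The change that removes the malformed filter is to escape the RFC 4515 special characters ( '(' ')' '*' '\' and NUL ) where the filter is built; "foo(" then becomes a value that simply matches nothing, and NOENTRY comes back through the normal path. Independently of the mapping, the do/while in LDAP_SEARCH_1 needs a bound on the number of rebinds: LDAP_FILTER_ERROR is only one of the negative API-level codes that this function still turns into KRB5_KDB_ACCESS_ERROR, and each of those reaches the same unbounded retry. A one-line comment on the new case would also help, since a referral and a malformed filter share nothing except the chosen return value.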
Regards
- Dominique Laigle
>Submitter-Id: BULL Luxembourg
>Originator: Dominique Laigle
>Organization:
BULL Luxembourg SA
>Confidential: no
>Synopsis: Bug in kdb_ldap::ldap_err.c
>Severity: critical
>Priority: high
>Category: krb5-kdc
>Class: sw-bug
>Release: 1.9 stable
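An added, stand-alone C illustration of the failure mode analysed in the >Fix section above; it is example code written for this page, not krb5 or OpenLDAP code. It reproduces the shape of the LDAP_SEARCH_1 do/while around a constructed, in-memory substitute for ldap_search_ext_s that, like libldap, rejects an unbalanced filter with LDAP_FILTER_ERROR (-7) before anything reaches slapd. Assumptions: the LDAP numeric constants mirror OpenLDAP's ldap.h, the KDB_* enum stands in for the KRB5_KDB_* error codes, the filter shape (krbprincipalname=...) is a simplification of the real kdb_ldap filter, the one-entry directory is constructed, and the rebind cap of 10 exists only so that the faulty combination terminates. It goes one step beyond the report by also showing RFC 4515 escaping of the principal name, which keeps a trailing "(" from becoming filter syntax at all.

```c
/* Added example, not krb5 or OpenLDAP code: LDAP_SEARCH_1's rebind loop, the 1.9
 * error mapping, the patch's one-line change, and RFC 4515 filter escaping. */
#include <stdio.h>
#include <string.h>
/* Values mirror OpenLDAP's ldap.h (assumption; libldap is not linked). */
#define LDAP_SUCCESS      0
#define LDAP_FILTER_ERROR (-7)
/* Stand-ins for the KRB5_KDB_* codes that translate_ldap_error() returns. */
enum { KDB_OK = 0, KDB_NOENTRY = 1, KDB_ACCESS_ERROR = 2 };
typedef int (*xlate_fn)(int);
/* Constructed directory of matching filters; the real kdb_ldap filter is longer. */
static const char *directory[] = { "(krbprincipalname=foo@EXAMPLE.COM)", NULL };
int last_rebind_count;   /* rebinds performed by the most recent lookup */

/* Stand-in for ldap_search_ext_s(): libldap rejects an unbalanced filter with
 * LDAP_FILTER_ERROR client-side, before slapd sees it; no match is LDAP_SUCCESS. */
int fake_ldap_search(const char *filter, int *nentries)
{
    int depth = 0;
    size_t i, len = strlen(filter);
    *nentries = 0;
    for (i = 0; i < len; i++) {
        if (filter[i] == '\\' && i + 2 < len) { i += 2; continue; } /* \XX */
        if (filter[i] == '(') depth++;
        else if (filter[i] == ')' && --depth < 0) return LDAP_FILTER_ERROR;
    }
    if (depth != 0) return LDAP_FILTER_ERROR;
    for (i = 0; directory[i]; i++)
        if (strcmp(filter, directory[i]) == 0) (*nentries)++;
    return LDAP_SUCCESS;
}

/* Mapping as the report describes 1.9, reduced to the codes this example
 * produces: every unhandled code, negative (API-level) ones included, is an
 * access error, which LDAP_SEARCH_1 answers by rebinding and retrying. */
int translate_ldap_error_1_9(int err)
{
    return err == LDAP_SUCCESS ? KDB_OK : KDB_ACCESS_ERROR;
}

/* The patch's one-line change: a malformed filter is reported as "no entry". */
int translate_ldap_error_patched(int err)
{
    return err == LDAP_FILTER_ERROR ? KDB_NOENTRY : translate_ldap_error_1_9(err);
}

/* Mirrors the do/while in LDAP_SEARCH_1: on an access error, rebind (a fresh
 * slapd connection) and search again. The real macro has no cap at all. */
int search_with_retry(const char *filter, xlate_fn xlate, int max_rebinds, int *nentries)
{
    int kst;
    last_rebind_count = 0;
    do {
        kst = xlate(fake_ldap_search(filter, nentries));
        if (kst == KDB_ACCESS_ERROR) {
            if (last_rebind_count >= max_rebinds) break; /* would spin forever */
            last_rebind_count++;   /* krb5_ldap_rebind(): one more connection */
        }
    } while (kst == KDB_ACCESS_ERROR);
    return kst;
}

/* RFC 4515 section 3 escaping of a filter value (static buffer for brevity). */
const char *ldap_filter_escape(const char *in)
{
    static char out[256];
    size_t n = 0;
    for (; *in && n + 4 < sizeof out; in++) {
        unsigned char c = (unsigned char)*in;
        if (c == '(' || c == ')' || c == '*' || c == '\\')
            n += (size_t)sprintf(out + n, "\\%02x", c);
        else
            out[n++] = (char)c;
    }
    out[n] = '\0';
    return out;
}

/* Principal lookup as the KDC does it, name interpolated raw (1.9) or escaped. */
int lookup_principal(const char *princ, int escape, xlate_fn xlate, int max_rebinds)
{
    char filter[300];
    int nentries, kst;
    snprintf(filter, sizeof filter, "(krbprincipalname=%s)", escape ? ldap_filter_escape(princ) : princ);
    kst = search_with_retry(filter, xlate, max_rebinds, &nentries);
    return (kst == KDB_OK && nentries == 0) ? KDB_NOENTRY : kst;
}

int main(void)
{
    const char *bad = "foo(@EXAMPLE.COM";   /* the report's trailing "(" */
    int kst = lookup_principal(bad, 0, translate_ldap_error_1_9, 10);
    printf("1.9 mapping, raw name:     status %d, %d rebinds (capped)\n", kst, last_rebind_count);
    kst = lookup_principal(bad, 0, translate_ldap_error_patched, 10);
    printf("patched mapping, raw name: status %d, %d rebinds\n", kst, last_rebind_count);
    kst = lookup_principal(bad, 1, translate_ldap_error_1_9, 10);
    printf("1.9 mapping, escaped name: status %d, %d rebinds\n", kst, last_rebind_count);
    return 0;
}
```

Compile with cc -std=c99. The first line of output shows the 1.9 mapping rebinding until the cap, the connection pile-up on slapd in miniature; with the patch's mapping the same name returns "no entry" with no rebind; with escaping, the 1.9 mapping also returns "no entry" with no rebind, because the search is now well formed and simply matches nothing. Escaping removes the cause, the mapping change removes one symptom, and a bound on rebinds (absent from the real macro) is what keeps any other API-level error from turning into a connection storm.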