minssf should not apply to rootdse #168

Closed
389-ds-bot opened this issue Sep 12, 2020 · 8 comments
Labels: closed: fixed, Migration flag - Issue

Cloned from Pagure issue: https://pagure.io/389-ds-base/issue/168


https://bugzilla.redhat.com/show_bug.cgi?id=746758

Description of problem:
LDAP Standard requires that rootdse always be available anonymously and
unencrypted.

389 DS prevents the lookup when minssf is set and an unencrypted query for
rootdse is performed.

How reproducible:
Always

Steps to Reproduce:
1. Set minssf in dse.ldif
2. ldapsearch -x -H ldap://`hostname` -s base -b ""
3. ldap_bind: Server is unwilling to perform (53)
        additional info: Minimum SSF not met.

Actual results:
ldap_bind: Server is unwilling to perform (53)
        additional info: Minimum SSF not met.

Expected results:
To return results for rootdse

Additional info:
@389-ds-bot 389-ds-bot added the closed: fixed Migration flag - Issue label Sep 12, 2020
@389-ds-bot 389-ds-bot added this to the 1.2.10.a7 milestone Sep 12, 2020
Comment from rmeggins (@richm) at 2012-01-10 01:47:20

Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=768086

Comment from rmeggins (@richm) at 2012-01-10 06:18:59

batch move to milestone 1.2.10.a7

Comment from nhosoi (@nhosoi) at 2012-01-18 08:39:08

Fix description: This patch is for supporting a request to
allow accessing rootdse with lower ssf than minssf configuration
setting.
  • introduced an on/off type config parameter:
    nsslapd-minssf-exclude-rootdse.
  • by default, the value is off.
  • when it is off, the server's behavior remains intact.
  • when it is on, the server allows access to rootdse even if
    the ssf value is less than nsslapd-minssf value.

Comment from nhosoi (@nhosoi) at 2012-01-19 00:11:22

Reviewed by Rich (Thank you!!)

Pushed to master.

$ git merge trac168
Updating ed87077..48e99c1
Fast-forward
ldap/servers/slapd/bind.c | 13 +++++++++++--
ldap/servers/slapd/connection.c | 10 +++++++++-
ldap/servers/slapd/libglobs.c | 35 +++++++++++++++++++++++++++++++++++
ldap/servers/slapd/modify.c | 22 ++++++++++++++++++++++
ldap/servers/slapd/proto-slap.h | 2 ++
ldap/servers/slapd/search.c | 29 ++++++++++++++++++++++++++++-
ldap/servers/slapd/slap.h | 2 ++
7 files changed, 109 insertions(+), 4 deletions(-)

$ git push
Counting objects: 23, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (12/12), done.
Writing objects: 100% (12/12), 2.92 KiB, done.
Total 12 (delta 10), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
ed87077..48e99c1 master -> master

Comment from nhosoi (@nhosoi) at 2012-01-19 01:12:16

Steps to verify:

  1. minssf-exclude-rootdse: off
    In cn=config, set the following parameters (assume server is down) and start the server.
    nsslapd-allow-anonymous-access: on
    nsslapd-minssf: 10
    nsslapd-minssf-exclude-rootdse: off
    1-1. Simple auth search (-x) by any user against any base dn fails with "Minimum SSF not met".
    $ ldapsearch -LLLx -h localhost -p -b "" -s base dn
    ldap_bind: Server is unwilling to perform (53)
    additional info: Minimum SSF not met.
    $ ldapsearch -LLLx -h localhost -p -b "dc=example,dc=com" dn
    ldap_bind: Server is unwilling to perform (53)
    additional info: Minimum SSF not met.
    $ ldapsearch -LLLx -h localhost -p -D 'cn=directory manager' -w -b "" -s base dn
    ldap_bind: Server is unwilling to perform (53)
    additional info: Minimum SSF not met.
    $ ldapsearch -LLLx -h localhost -p -D 'cn=directory manager' -w -b "dc=example,dc=com" dn
    ldap_bind: Server is unwilling to perform (53)
    additional info: Minimum SSF not met.

  2. minssf-exclude-rootdse: on
    In cn=config, set the following parameters (assume server is down) and start the server.
    nsslapd-allow-anonymous-access: on
    nsslapd-minssf: 10
    nsslapd-minssf-exclude-rootdse: on
    2-1. Simple auth search (-x) by any user against rootdse is allowed, but against any other base dn fails with "Minimum SSF not met".
    $ ldapsearch -LLLx -h localhost -p -b "" -s base dn
    dn:
    $ ldapsearch -LLLx -h localhost -p -b "dc=example,dc=com" -s base dn
    Server is unwilling to perform (53)
    Additional information: Minimum SSF not met.
    $ ldapsearch -LLLx -h localhost -p -D 'cn=directory manager' -w -b "" -s base dn
    dn:
    $ ldapsearch -LLLx -h localhost -p -D 'cn=directory manager' -w -b "dc=example,dc=com" -s base dn
    Server is unwilling to perform (53)
    Additional information: Minimum SSF not met.
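
The access decision that the fix description and the verification steps above describe, as an added, self-contained model (not code from 389-ds-base, and not a reproduction of where in bind.c or search.c the server performs the check): nsslapd-minssf refuses any operation on a connection whose SSF is below the minimum, and nsslapd-minssf-exclude-rootdse carves out exactly the rootDSE read. The `Config`, `Request`, scope constants, `decide`, `run_scenarios` and the anonymous-access diagnostic string are constructed for the example. It goes one step beyond the comments: only a base-scope search of the empty DN is the rootDSE (RFC 4512), so a one-level or subtree search with base "" is deliberately not exempted, since it would reach ordinary entries under the naming contexts.

```python
"""Model of the minssf / rootDSE decision described in this issue.

Added illustration, not code from 389-ds-base.  It reproduces the behaviour
the comments describe for nsslapd-minssf and nsslapd-minssf-exclude-rootdse
so the verification scenarios can be replayed offline.  All names below are
constructed for the example.
"""
from dataclasses import dataclass

# LDAP search scopes (constant names constructed for this example)
SCOPE_BASE, SCOPE_ONE, SCOPE_SUB = 0, 1, 2

MINSSF_ERROR = "Minimum SSF not met."          # diagnostic quoted in the issue
ANON_ERROR = "Anonymous access is not allowed."  # constructed message


@dataclass
class Config:
    minssf: int = 0                 # nsslapd-minssf
    exclude_rootdse: bool = False   # nsslapd-minssf-exclude-rootdse
    allow_anonymous: bool = True    # nsslapd-allow-anonymous-access


@dataclass
class Request:
    base_dn: str          # search base; "" is the rootDSE
    scope: int            # SCOPE_BASE / SCOPE_ONE / SCOPE_SUB
    ssf: int              # security strength factor of the connection; 0 = cleartext
    bind_dn: str = ""     # "" = anonymous simple bind


def is_rootdse_search(base_dn: str, scope: int) -> bool:
    """Only a base-scope search of the empty DN reads the rootDSE.

    A one-level or subtree search with base "" would also return ordinary
    entries below the naming contexts, so it is not exempted.
    """
    return base_dn.strip() == "" and scope == SCOPE_BASE


def decide(cfg: Config, req: Request) -> tuple[bool, str]:
    """Return (allowed, diagnostic) for one search, its bind included."""
    if req.bind_dn == "" and not cfg.allow_anonymous:
        return False, ANON_ERROR
    if req.ssf < cfg.minssf:
        # The exemption covers exactly the rootDSE read; everything else on a
        # connection weaker than nsslapd-minssf is refused.
        if not (cfg.exclude_rootdse and is_rootdse_search(req.base_dn, req.scope)):
            return False, MINSSF_ERROR
    return True, ""


def run_scenarios(cfg: Config) -> dict[str, bool]:
    """Replay the four cleartext (ssf=0) searches from the verification steps."""
    cases = {
        "anon rootdse": Request("", SCOPE_BASE, 0),
        "anon suffix": Request("dc=example,dc=com", SCOPE_SUB, 0),
        "dirmgr rootdse": Request("", SCOPE_BASE, 0, "cn=directory manager"),
        "dirmgr suffix": Request("dc=example,dc=com", SCOPE_BASE, 0, "cn=directory manager"),
    }
    return {name: decide(cfg, req)[0] for name, req in cases.items()}


if __name__ == "__main__":
    for flag in (False, True):
        cfg = Config(minssf=10, exclude_rootdse=flag, allow_anonymous=True)
        print(f"nsslapd-minssf-exclude-rootdse: {'on' if flag else 'off'}")
        for name, allowed in run_scenarios(cfg).items():
            print(f"  {name:15} -> {'dn:' if allowed else MINSSF_ERROR}")
```

With the flag off every scenario is refused, matching step 1-1; with it on only the two rootDSE reads succeed, matching step 2-1. The `is_rootdse_search` test is the part worth keeping in mind when reviewing such an exemption: keying it on "base DN is empty" alone would let a cleartext subtree search from "" through.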

Comment from nkinder (@nkinder) at 2012-08-28 04:14:32

Added initial screened field value.

Comment from nhosoi (@nhosoi) at 2017-02-11 23:11:43

Metadata Update from @nhosoi:

  • Issue assigned to nhosoi
  • Issue set to the milestone: 1.2.10.a7
