File 0012-Ticket-49336-SECURITY-1.3.5.x-Locked-account-provide.patch of Package 389-ds
From 25a945284df182ad800ef200c6f51e2bf1a5e9f1 Mon Sep 17 00:00:00 2001
From: William Brown <firstyear@redhat.com>
Date: Tue, 1 Aug 2017 16:21:33 +1000
Subject: [PATCH 12/14] Ticket 49336 - SECURITY 1.3.5.x: Locked account provides different return code

Backport to 1.3.5.x

Bug Description: The directory server password lockout policy prevents binds from operating once a threshold of failed passwords has been met. During this lockout, if you bind with a successful password, a different error code is returned. This means that an attacker has no ratelimit or penalty during an account lock, and can continue to attempt passwords via bruteforce, using the change in return code to ascertain a successful password auth.

Fix Description: Move the account lock check *before* the password bind check. If the account is locked, we do not mind disclosing this as the attacker will either ignore it (and will not bind anyway), or they will be forced to back off as the attack is not working preventing the bruteforce.

https://pagure.io/389-ds-base/issue/49336

Author: wibrown

Review by: mreynolds (thanks)

---
 ldap/servers/slapd/bind.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/ldap/servers/slapd/bind.c b/ldap/servers/slapd/bind.c
index 399eaf7d3..33bb49827 100644
--- a/ldap/servers/slapd/bind.c
+++ b/ldap/servers/slapd/bind.c
@@ -722,10 +722,7 @@ do_bind( Slapi_PBlock *pb ) } slapi_pblock_set( pb, SLAPI_PLUGIN, be->be_database ); set_db_default_result_handlers(pb); - if ( (rc != 1) && - (auto_bind || - (((rc = (*be->be_bind)( pb )) == SLAPI_BIND_SUCCESS) || - (rc == SLAPI_BIND_ANONYMOUS))) ) { + if ( rc != 1) { long t; char* authtype = NULL; /* rc is SLAPI_BIND_SUCCESS or SLAPI_BIND_ANONYMOUS */
@@ -783,6 +780,10 @@ do_bind( Slapi_PBlock *pb ) myrc = 0; } if (!auto_bind) { + rc = (*be->be_bind)( pb ); + if (rc != SLAPI_BIND_SUCCESS && rc != SLAPI_BIND_ANONYMOUS) { + goto account_locked; + } /* * There could be a race that bind_target_entry was not added * when bind_target_entry was retrieved before be_bind, but it -- 2.15.1
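Review bot: in the first hunk (`@@ -722,10 +722,7 @@`) the retained comment `/* rc is SLAPI_BIND_SUCCESS or SLAPI_BIND_ANONYMOUS */` is now stale: with the `(*be->be_bind)( pb )` call removed from the condition, `if ( rc != 1) {` only tests that no pre-bind plugin already handled the request, and rc has not yet been set by be_bind at this point. Update or drop that comment so a later reader does not assume the password has already been verified when entering this block. The reordering itself is the fix: the account-lock check that sits between this hunk and the relocated be_bind call now runs on every bind, which is what removes the result-code discrepancy the commit message describes.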
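Review bot: in the second hunk (`@@ -783,6 +780,10 @@`) `goto account_locked;` is taken for any be_bind failure, not only for a locked account, so the label name now misdescribes one of its two callers; consider renaming it (for example `bind_failed`) or adding a one-line comment at the jump saying the password check failed. Two things are worth confirming in review because they are not visible in the hunk's context lines: that the code under that label does not send a second LDAP result after be_bind has already reported the failure, and that the failed-attempt bookkeeping which previously ran after the old in-condition be_bind call still executes on this new early exit.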
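To make the bug description concrete, the following is an added example written for this page, not 389-ds code: a toy C model of the two check orderings in do_bind. The account struct, the plaintext `password_ok` stand-in for be_bind, the lockout with no reset timer, and the result-code names are all constructed; the numeric values 49 and 19 are the standard LDAP invalidCredentials and constraintViolation codes, and the assumption that a locked account is reported with the latter is labelled as such in the code. The `lockout_leaks_password` helper trips the lockout and then asks whether the result code differs between a wrong and the right password, which is exactly the oracle the patch closes.

```c
/* Added example, not 389-ds code: minimal model of the bind ordering that
 * Ticket 49336 changes. All names and values are hypothetical. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

enum bind_result {
    BIND_SUCCESS = 0,
    BIND_INVALID_CREDENTIALS = 49,  /* LDAP invalidCredentials */
    BIND_ACCOUNT_LOCKED = 19        /* LDAP constraintViolation; assumed lockout code */
};

struct account {
    const char *password;   /* toy model: plaintext compare stands in for be_bind */
    int failed_attempts;    /* failures since last success; no reset timer modelled */
    int lockout_threshold;  /* attempts allowed before the account is locked */
};

static bool password_ok(const struct account *a, const char *pw)
{
    return strcmp(a->password, pw) == 0;
}

static bool is_locked(const struct account *a)
{
    return a->failed_attempts >= a->lockout_threshold;
}

/* Pre-patch ordering: the password is checked first and the lock is only
 * consulted on success. During lockout a wrong password yields
 * INVALID_CREDENTIALS while the right one yields ACCOUNT_LOCKED, so the
 * result code reveals whether a guess was correct. */
int bind_vulnerable(struct account *a, const char *pw)
{
    if (!password_ok(a, pw)) {
        a->failed_attempts++;
        return BIND_INVALID_CREDENTIALS;
    }
    if (is_locked(a))
        return BIND_ACCOUNT_LOCKED;
    a->failed_attempts = 0;
    return BIND_SUCCESS;
}

/* Post-patch ordering: the lock is consulted before the password check, so
 * every attempt against a locked account gets the same code and the
 * password is never evaluated. */
int bind_fixed(struct account *a, const char *pw)
{
    if (is_locked(a))
        return BIND_ACCOUNT_LOCKED;
    if (!password_ok(a, pw)) {
        a->failed_attempts++;
        return BIND_INVALID_CREDENTIALS;
    }
    a->failed_attempts = 0;
    return BIND_SUCCESS;
}

/* Drive one ordering into lockout, then compare the result codes for a wrong
 * and the right password. Returns 1 if they differ (oracle present), 0 if not. */
int lockout_leaks_password(int (*bind)(struct account *, const char *))
{
    struct account a = { "correct horse", 0, 3 };  /* constructed sample account */
    for (int i = 0; i < a.lockout_threshold; i++)
        bind(&a, "wrong");                          /* trip the lockout */
    int wrong = bind(&a, "wrong");
    int right = bind(&a, "correct horse");
    return wrong != right;
}

int main(void)
{
    printf("vulnerable ordering leaks password while locked: %d\n",
           lockout_leaks_password(bind_vulnerable));   /* 1 */
    printf("fixed ordering leaks password while locked:      %d\n",
           lockout_leaks_password(bind_fixed));        /* 0 */
    return 0;
}
```

The design point is the same one the fix description makes: disclosing "locked" to everyone is acceptable, because the reply no longer depends on the password, whereas the pre-patch ordering turned the lockout itself into a confirmation channel.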