OID 11g External Authentication Plugin to Novell eDirectory Incorrectly Allows Binds Without a Password | Using nullbyte File
(Doc ID 1645461.1)
Last updated on FEBRUARY 15, 2019
Applies to:Oracle Internet Directory - Version 11.1.1 and later
Information in this document applies to any platform.
Oracle Internet Directory (OID) 11g.
OID External Authentication plugin to Novell eDirectory (eDir) is translating "nullbyte" binds to "anonymous" binds when handing over to the external LDAP for delegated authentication.
Novell eDir correctly returns "Invalid credentials" (ldap error code 49) for binds using nullbyte file, but OID external authentication plugin seems to treat bind attempts using nullbyte as "anonymous bind," and the OID plugin receives a successful result code of "0" instead of "49".
Changing the OID server anonymous bind setting (orclAnonymousBindsFlag) to a differnt value does not change the behavior.
This only reproduces using OS/Linux native ldap client tools (ldapsearch, ldapmodify under /usr/bin), but not with Oracle/OID's ldap tools (under $ORACLE_HOME/bin).
Below is a sample attempt against OID using nullbyte file:
3. Attempt ldapsearch/ldapmodify commands as above.
To view full details, sign in with your My Oracle Support account.
Don't have a My Oracle Support account? Click to get started!
In this Document