OID 11g External Authentication Plugin to Novell eDirectory Incorrectly Allows Binds Without a Password | Using nullbyte File
Last updated on MARCH 08, 2017
Applies to: Oracle Internet Directory - Version 11.1.1 and later
Information in this document applies to any platform.
Oracle Internet Directory (OID) 11g.
OID External Authentication plugin to Novell eDirectory (eDir) is translating "nullbyte" binds to "anonymous" binds when handing over to the external LDAP for delegated authentication.
Novell eDir correctly returns "Invalid credentials" (LDAP error code 49) for binds that use the nullbyte file, but the OID external authentication plugin appears to treat a bind attempt with a nullbyte password as an "anonymous bind," so the OID plugin receives the successful result code "0" instead of "49".
Changing the OID server anonymous bind setting (orclAnonymousBindsFlag) to a different value does not change the behavior.
This reproduces only with the OS/Linux native LDAP client tools (ldapsearch, ldapmodify under /usr/bin), not with Oracle/OID's LDAP tools (under $ORACLE_HOME/bin).
Below is a sample attempt against OID using nullbyte file:
3. Attempt ldapsearch/ldapmodify commands as above.
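As an added illustration (this is not Oracle's or Novell's code, nor the sample attempt from the original note), the following Python builds the LDAP simple BindRequest that such a client sends (RFC 4511), parses a BindResponse, and classifies the outcome the way a reviewer of a delegated-authentication path would want: per RFC 4513 a bind whose password is a single NUL byte is a name/password bind on the wire, not an anonymous bind, so a success (0) answer to it is flagged, as is an accepted unauthenticated (empty-password) bind. The sample BindResponses are constructed inline; the `looks_empty_to_c_string` heuristic is an assumption about how a NUL-terminated string view could make such a password appear empty, not a statement about the plugin's implementation.

```python
"""Wire-level view of LDAP simple binds and an audit helper for the symptom
described above: a NUL-byte password answered with success (0) instead of
invalidCredentials (49). Standalone example; sample responses are constructed."""

SUCCESS = 0
INVALID_CREDENTIALS = 49


def ber_len(n: int) -> bytes:
    """BER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber(tag: int, content: bytes) -> bytes:
    """TLV: one-byte tag, BER length, content."""
    return bytes([tag]) + ber_len(len(content)) + content


def ber_int(value: int) -> bytes:
    """INTEGER (tag 0x02) in minimal two's-complement form."""
    size = max(1, (value.bit_length() + 8) // 8)
    return ber(0x02, value.to_bytes(size, "big", signed=True))


def build_bind_request(msg_id: int, dn: str, password: bytes) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] } with simple auth [0]."""
    bind = ber_int(3) + ber(0x04, dn.encode()) + ber(0x80, password)
    return ber(0x30, ber_int(msg_id) + ber(0x60, bind))


def build_bind_response(msg_id: int, result_code: int) -> bytes:
    """Constructed sample BindResponse [APPLICATION 1] with empty matchedDN/diag."""
    body = ber(0x0A, bytes([result_code])) + ber(0x04, b"") + ber(0x04, b"")
    return ber(0x30, ber_int(msg_id) + ber(0x61, body))


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, content, next_pos) for the TLV starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(data: bytes):
    """Return (message_id, result_code); raise ValueError if not a BindResponse."""
    tag, msg, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    tag, mid, pos = _read_tlv(msg, 0)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, op, _ = _read_tlv(msg, pos)
    if tag != 0x61:
        raise ValueError("not a BindResponse")
    tag, code, _ = _read_tlv(op, 0)
    if tag != 0x0A:
        raise ValueError("missing resultCode")
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big")


def classify_bind(dn: str, password: bytes) -> str:
    """RFC 4513 section 5.1: anonymous, unauthenticated, or name/password bind."""
    if dn == "" and password == b"":
        return "anonymous"
    if password == b"":
        return "unauthenticated"
    return "name/password"


def looks_empty_to_c_string(password: bytes) -> bool:
    """Assumption (not the plugin's documented behaviour): a NUL-terminated
    string view of this password would read as empty."""
    return password[:1] == b"\x00"


def audit_bind(dn: str, password: bytes, response: bytes) -> str:
    """Compare what the client sent with how the server answered."""
    _, code = parse_bind_response(response)
    kind = classify_bind(dn, password)
    if code == SUCCESS and kind == "unauthenticated":
        return "FLAG: unauthenticated bind accepted"
    if code == SUCCESS and kind == "name/password" and looks_empty_to_c_string(password):
        return "FLAG: nullbyte password accepted as if anonymous"
    if code == SUCCESS:
        return "ok: bind succeeded"
    return f"ok: bind rejected with resultCode {code}"


if __name__ == "__main__":
    dn = "cn=jdoe,ou=people,dc=example,dc=com"  # constructed sample DN
    print(build_bind_request(1, dn, b"\x00").hex())
    print(audit_bind(dn, b"\x00", build_bind_response(1, SUCCESS)))
    print(audit_bind(dn, b"\x00", build_bind_response(1, INVALID_CREDENTIALS)))
```

The audit function is the part worth keeping: the expected answer for a NUL-byte password is resultCode 49, exactly what eDir returns directly, and any success on that path or on an empty-password bind is the condition to alert on.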