OID 11g External Authentication Plugin to Novell eDirectory Incorrectly Allows Binds Without a Password | Using nullbyte File
(Doc ID 1645461.1)
Last updated on MARCH 08, 2017
Applies to:Oracle Internet Directory - Version 11.1.1 and later
Information in this document applies to any platform.
Oracle Internet Directory (OID) 11g.
OID External Authentication plugin to Novell eDirectory (eDir) is translating "nullbyte" binds to "anonymous" binds when handing over to the external LDAP for delegated authentication.
Novell eDir correctly returns "Invalid credentials" (ldap error code 49) for binds using nullbyte file, but OID external authentication plugin seems to treat bind attempts using nullbyte as "anonymous bind," and the OID plugin receives a successful result code of "0" instead of "49".
Changing the OID server anonymous bind setting (orclAnonymousBindsFlag) to a differnt value does not change the behavior.
This only reproduces using OS/Linux native ldap client tools (ldapsearch, ldapmodify under /usr/bin), but not with Oracle/OID's ldap tools (under $ORACLE_HOME/bin).
Below is a sample attempt against OID using nullbyte file:
3. Attempt ldapsearch/ldapmodify commands as above.
To view full details, sign in with your My Oracle Support account.
Don't have a My Oracle Support account? Click to get started!
In this Document
|This document is being delivered to you via Oracle Support's Rapid Visibility (RaV) process and therefore has not been subject to an independent technical review.|