OID 11g External Authentication Plugin to Novell eDirectory Incorrectly Allows Binds Without a Password | Using nullbyte File (Doc ID 1645461.1)

Last updated on MARCH 08, 2017

Applies to:

Oracle Internet Directory - Version 11.1.1 and later
Information in this document applies to any platform.

Symptoms

Oracle Internet Directory (OID) 11g.

OID External Authentication plugin to Novell eDirectory (eDir) is translating "nullbyte" binds to "anonymous" binds when handing over to the external LDAP for delegated authentication.

Novell eDir correctly returns "Invalid credentials" (LDAP error code 49) for binds using a nullbyte file, but the OID external authentication plugin appears to treat a bind attempt using the nullbyte file as an "anonymous bind," so the OID plugin receives a successful result code of "0" instead of "49".

Changing the OID server anonymous bind setting (orclAnonymousBindsFlag) to a different value does not change the behavior.

This only reproduces using OS/Linux native ldap client tools (ldapsearch, ldapmodify under /usr/bin), but not with Oracle/OID's ldap tools (under $ORACLE_HOME/bin).


Below is a sample attempt against OID using nullbyte file:

3.  Attempt ldapsearch/ldapmodify commands as above.
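The distinction the note hinges on is between a genuinely anonymous bind (empty DN, empty password) and an unauthenticated bind (a DN with an empty password), which RFC 4513 says a server must treat as a failure rather than as anonymous. The following is an added illustration, not code from the Oracle note or the OID plugin: a stand-in for the delegated hand-off that shows the reported failure mode beside a hardened version. The NUL-truncation model of the password, the `external_bind` callable and the `fake_edirectory` server are all assumptions constructed for the example.

```python
from enum import Enum

SUCCESS = 0               # LDAP resultCode success
INVALID_CREDENTIALS = 49  # LDAP resultCode invalidCredentials

class BindKind(Enum):
    ANONYMOUS = "anonymous"              # empty DN and empty password
    UNAUTHENTICATED = "unauthenticated"  # DN present, empty password: must fail
    SIMPLE = "simple"                    # DN and non-empty password

def effective_password(raw: bytes) -> bytes:
    """Assumed model: a C-string consumer sees only the bytes before the first NUL,
    so a password file holding a single NUL byte yields an empty password."""
    nul = raw.find(b"\x00")
    return raw if nul < 0 else raw[:nul]

def classify_bind(dn: str, password: bytes) -> BindKind:
    pwd = effective_password(password)
    if not dn and not pwd:
        return BindKind.ANONYMOUS
    if dn and not pwd:
        return BindKind.UNAUTHENTICATED
    return BindKind.SIMPLE

def buggy_delegated_bind(dn: str, password: bytes, external_bind) -> int:
    """Behaviour the note describes: an empty effective password collapses the
    request into an anonymous bind against the external directory."""
    pwd = effective_password(password)
    if not pwd:
        return external_bind("", b"")
    return external_bind(dn, pwd)

def delegated_bind(dn: str, password: bytes, external_bind) -> int:
    """Hardened hand-off: reject unauthenticated binds locally and never demote
    them to anonymous; only a true anonymous bind is forwarded as one."""
    kind = classify_bind(dn, password)
    if kind is BindKind.UNAUTHENTICATED:
        return INVALID_CREDENTIALS
    if kind is BindKind.ANONYMOUS:
        return external_bind("", b"")
    return external_bind(dn, effective_password(password))

def fake_edirectory(dn: str, password: bytes) -> int:
    """Constructed stand-in for eDir: anonymous bind allowed, anything else must
    match the one constructed account, an empty password included is rejected."""
    if not dn and not password:
        return SUCCESS
    ok = (dn, password) == ("cn=alice,o=example", b"correct-horse")
    return SUCCESS if ok else INVALID_CREDENTIALS
```

With a NUL-only password file, `buggy_delegated_bind` returns 0 while `delegated_bind` returns 49, which is the symptom-versus-expected behaviour the note describes.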

Cause
