1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
Commit Graph

8 Commits

Author SHA1 Message Date
Andrew Bartlett
a3aee582a5 CVE-2020-25722 Ensure the structural objectclass cannot be changed
If the structural objectclass is allowed to change, then the restrictions
locking an object to remaining a user or computer will not be enforcable.

Likewise other LDAP inheritance rules, which allow only certain
child objects can be bypassed, which can in turn allow creation of
(unprivileged) users where only DNS objects were expected.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14889

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2021-11-09 19:45:34 +00:00
Joseph Sutton
72840a972b CVE-2020-25722 selftest: Adapt ldap.py tests to new objectClass restrictions
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-09 19:45:33 +00:00
Volker Lendecke
eb72f887b0 ldap_server: Terminate LDAP connections on krb ticket expiry
See RFC4511 section 4.4.1 and

https://lists.samba.org/archive/cifs-protocol/2020-August/003515.html

for details: Windows terminates LDAP connections when the krb5 ticket
expires, Samba should do the same. This patch slightly deviates from
Windows behaviour by sending a LDAP exop response with msgid 0 that is
ASN1-encoded conforming to RFC4511.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=14465

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2020-08-21 19:14:32 +00:00
Volker Lendecke
35c4bb0b0c torture: Test ldap session expiry
LDAP connections should time out when the kerberos ticket used to authenticate
expires. Windows does this with a RFC4511 section 4.4.1 message (that as of
August 2020 is encoded not according to the RFC) followed by a TCP disconnect.

ldb sees the section 4.4.1 as a protocol violation and returns
LDB_ERR_PROTOCOL_ERROR.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=14465

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2020-08-21 19:14:32 +00:00
Volker Lendecke
ef57bc6d4b torture: Fix ldap.basic multibind test
It gets LDAP_STRONG_AUTH_REQUIRED from current AD servers

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Aug 20 18:44:49 UTC 2020 on sn-devel-184
2020-08-20 18:44:49 +00:00
Volker Lendecke
0c36316ecb torture: Pass DN and password to ldap.basic test
Without this, test_multibind() only gets NULL for userdn and password,
not doing what the test claims. This now fails, because our LDAP
server does not allow plain text binds.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2020-08-20 17:20:29 +00:00
Aaron Haslett
64bccb9bca ldap: test for empty attributes list
Test for LDAP request with an empty attribute list.  LDB responds with
no attributes, but LDAP responds with all attributes.  Fix is attached
to the bug below but we can't push it upstream until we've found all
instances of incorrect empty attribute list usage in Samba.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13852

Signed-off-by: Aaron Haslett <aaronhaslett@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-05-06 04:23:51 +00:00
Douglas Bagnall
5a0df7aec6 dsdb/pytest/ldap: revive commented out test for attr size range
The test was presumably commented out because we fail it, and
known-failing it would have hidden the attr-too-short tests that it
was bundled with. If we disentangle them we can knwn-fail it, which
serves as a TODO list.

(passes against WIN2012R2).

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-05-01 05:32:25 +00:00