<html> <head> <meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type"> </head> <body bgcolor="#FFFFFF" text="#000000"> <div class="moz-cite-prefix">On 11/05/2014 09:14 PM, Nathaniel McCallum wrote: </div> <blockquote cite="mid:1415218449.7177.14.camel@redhat.com" type="cite"> <pre wrap="">Before this patch users could log in using only the OTP value. This arose because ipapwd_authentication() successfully determined that an empty password was invalid, but 389 itself would see this as an anonymous bind. An anonymous bind would never even get this far in this code, so we simply deny requests with empty passwords. This patch resolves CVE-2014-7828. <a class="moz-txt-link-freetext" href="https://fedorahosted.org/freeipa/ticket/4690">https://fedorahosted.org/freeipa/ticket/4690</a> </pre> <fieldset class="mimeAttachmentHeader"></fieldset> <pre wrap="">_______________________________________________ Freeipa-devel mailing list <a class="moz-txt-link-abbreviated" href="mailto:Freeipa-devel@redhat.com">Freeipa-devel@redhat.com</a> <a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-devel">https://www.redhat.com/mailman/listinfo/freeipa-devel</a></pre> </blockquote> Hello Nathaniel, <blockquote>With the DS flag 'nsslapd-allow-unauthenticated-binds', customer have the ability to allows unauthenticated binds and connections. With the fix, a ldapclient bind containing only OTP part will fail even if the flag was set. When ipapwd_pre_bind, stipping the OTP part, detects that the password is zero length, I wonder if it should not test that flag to determine if it should fail or succeed. thanks thierry </blockquote> </body> </html>