[Pkg-freeipa-devel] Bug#912224: since update 1.3.3.5-4+deb8u5 php ldap authentification failure
Jan Kowalsky
jankow at datenkollektiv.net
Mon Oct 29 13:16:15 GMT 2018
Package: 389-ds
Version: 1.3.3.5-4+deb8u5
Severity: high
Since 26.10.2018 our nextcloud installations can't authenticate against
389-ds anymore. This seems to have a relation to the latest update in
389-ds - it happened after we applied these two updates:
389-ds-base (1.3.3.5-4+deb8u5) jessie-security; urgency=high

  * Non-maintainer upload by the LTS Team.
  * Fix regression introduced by +deb8u4: checking of empty attributes
    causes crash.

 -- Hugo Lefeuvre <hle at debian.org> Thu, 25 Oct 2018 13:03:54 +0200

389-ds-base (1.3.3.5-4+deb8u4) jessie-security; urgency=high

  * Non-maintainer upload by the LTS Team.
  * CVE-2018-14648: A specially crafted search query could lead to
    excessive CPU consumption in the do_search() function. An
    unauthenticated attacker could leverage this flaw to cause a
    denial of service.

 -- Hugo Lefeuvre <hle at debian.org> Wed, 24 Oct 2018 17:16:21 +0200
On the PHP side (nextcloud) we get the error:
Result is: Protocol error (2) at \/opt\/nextcloud-demo\/apps\/user_ldap\/lib\/LDAP.php
On the 389-ds side we find in access log "invalid attribute request":
[26/Oct/2018:18:29:19 +0200] conn=66 op=0 BIND dn="uid=owncloud-bind,ou=Special Users,dc=example,dc=net" method=128 version=3
[26/Oct/2018:18:29:19 +0200] conn=66 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=owncloud-bind,ou=special users,dc=example,dc=net"
[26/Oct/2018:18:29:19 +0200] conn=66 op=1 SRCH base="(null)" scope=2 filter="(&(|(objectClass=inetorgperson))(|(mail=demo at example.org)))", invalid attribute request
[26/Oct/2018:18:29:19 +0200] conn=66 op=1 RESULT err=2 tag=101 nentries=0 etime=0
[26/Oct/2018:18:29:19 +0200] conn=66 op=2 SRCH base="(null)" scope=2 filter="(&(|(objectClass=inetorgperson))(|(mail=1d0b3c01-fd3f11e4-a213ad4c-cdc1d3d2)))", invalid attribute request
[26/Oct/2018:18:29:19 +0200] conn=66 op=2 RESULT err=2 tag=101 nentries=0 etime=0
[26/Oct/2018:18:29:19 +0200] conn=66 op=3 SRCH base="(null)" scope=2 filter="(&(|(objectClass=inetorgperson))(|(mail=1d0b3c01-fd3f11e4-a213ad4c-cdc1d3d2)))", invalid attribute request
[26/Oct/2018:18:29:19 +0200] conn=66 op=3 RESULT err=2 tag=101 nentries=0 etime=0
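
Added example, not part of the original report and not 389-ds or nextcloud code: a small Python triage script that scans a 389-ds access log for the pattern shown above (a SRCH flagged "invalid attribute request" whose RESULT carries err=2) and reports which bind DN and filter were affected. The sample log is constructed in the log's one-entry-per-line form; the function and variable names are hypothetical.

```python
import re

# Constructed sample, modelled on the entries in the report above.
SAMPLE_LOG = """\
[26/Oct/2018:18:29:19 +0200] conn=66 op=0 BIND dn="uid=owncloud-bind,ou=Special Users,dc=example,dc=net" method=128 version=3
[26/Oct/2018:18:29:19 +0200] conn=66 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=owncloud-bind,ou=special users,dc=example,dc=net"
[26/Oct/2018:18:29:19 +0200] conn=66 op=1 SRCH base="(null)" scope=2 filter="(&(objectClass=inetorgperson)(mail=demo@example.org))", invalid attribute request
[26/Oct/2018:18:29:19 +0200] conn=66 op=1 RESULT err=2 tag=101 nentries=0 etime=0
[26/Oct/2018:18:29:20 +0200] conn=67 op=1 SRCH base="dc=example,dc=net" scope=2 filter="(uid=demo)" attrs="cn mail"
[26/Oct/2018:18:29:20 +0200] conn=67 op=1 RESULT err=0 tag=101 nentries=1 etime=0
"""

LINE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) (?P<kind>[A-Z]+)\b(?P<rest>.*)$')
BIND_DN = re.compile(r'dn="([^"]*)"')
ERR = re.compile(r'\berr=(\d+)')
FILTER = re.compile(r'filter="([^"]*)"')


def rejected_searches(log_text):
    """Return one record per SRCH flagged 'invalid attribute request' that ended with err=2."""
    bind_dn = {}   # conn -> DN named in the most recent BIND on that connection
    pending = {}   # (conn, op) -> flagged SRCH still waiting for its RESULT line
    findings = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # connection open/close lines and anything unparseable
        conn, op, kind, rest = m["conn"], m["op"], m["kind"], m["rest"]
        if kind == "BIND":
            dn = BIND_DN.search(rest)
            bind_dn[conn] = dn.group(1) if dn else None
        elif kind == "SRCH" and rest.rstrip().endswith("invalid attribute request"):
            f = FILTER.search(rest)
            pending[(conn, op)] = {"ts": m["ts"], "conn": int(conn), "op": int(op),
                                   "bind_dn": bind_dn.get(conn),
                                   "filter": f.group(1) if f else None}
        elif kind == "RESULT" and (conn, op) in pending:
            rec = pending.pop((conn, op))
            err = ERR.search(rest)
            if err and err.group(1) == "2":  # LDAP result code 2 = protocolError
                findings.append(rec)
    return findings


if __name__ == "__main__":
    for rec in rejected_searches(SAMPLE_LOG):
        print(rec)
```

Grouping the findings by bind DN shows which client applications broke after a package update.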