[asterisk-bugs] [Asterisk 0017376]: res_ldap.conf points md5secret to RealmedPassword, but the schema uses AstAccountRealmedPassword
Asterisk Bug Tracker
noreply at bugs.digium.com
Sat May 22 11:17:40 CDT 2010
The following issue has been SUBMITTED.
======================================================================
https://issues.asterisk.org/view.php?id=17376
======================================================================
Reported By: jcovert
Assigned To: suretec
======================================================================
Project: Asterisk
Issue ID: 17376
Category: Resources/res_config_ldap
Reproducibility: always
Severity: major
Priority: normal
Status: assigned
Asterisk Version: 1.6.2.8-rc1
JIRA:
Regression: No
Reviewboard Link:
SVN Branch (only for SVN checkouts, not tarball releases): N/A
SVN Revision (number only!):
Request Review:
======================================================================
Date Submitted: 2010-05-22 11:17 CDT
Last Modified: 2010-05-22 11:17 CDT
======================================================================
Summary: res_ldap.conf points md5secret to RealmedPassword, but the schema uses AstAccountRealmedPassword
Description:
The LDAP schema supplied with asterisk defines certain attribute names to
be used for LDAP realtime authentication. LDAP only allows entries to be
added with attributes named in the schema.
The schema expects the MD5 password to be AstAccountRealmedPassword;
however, the config file contains the line "md5secret = RealmedPassword".
This error may have been introduced as a workaround for Asterisk crashing if
AstAccountRealmedPassword was used (see issue 12163), but that problem has
been fixed by a patch made to res_config_ldap.c.
With the config file as supplied, AstAccountRealmedPassword is ignored.
Since it's not possible (without changing the schema) to enter an attribute
named "RealmedPassword", md5secret has no match in LDAP, and the only
checking done is for a valid username -- no password check at all.
The result of this, for one of my clients, was 2412 calls to Freetown,
Sierra Leone, for a total of 34,980 minutes of time charged by their ITSP
at $0.25/minute (about $9,000), all in the brief period from 4:00 am to
9:46 am yesterday.
Patch supplied.
/john
======================================================================
Issue History
Date Modified Username Field Change
======================================================================
2010-05-22 11:17 jcovert New Issue
2010-05-22 11:17 jcovert Status new => assigned
2010-05-22 11:17 jcovert Assigned To => suretec
2010-05-22 11:17 jcovert Asterisk Version => 1.6.2.8-rc1
2010-05-22 11:17 jcovert Regression => No
2010-05-22 11:17 jcovert SVN Branch (only for SVN checkouts, not tarball releases) => N/A
======================================================================
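The mismatch in this report is the kind of thing a configuration check can catch before it reaches production: every LDAP attribute named on the right-hand side of a res_ldap.conf mapping must be defined in the schema the directory loads, and a credential field (secret, md5secret) whose attribute is undefined means the password comparison silently never happens. The script below is an added example, not part of the bug report or of the Asterisk project. It parses a constructed res_ldap.conf fragment and a constructed, simplified schema fragment (the OIDs are placeholders, not those of asterisk.ldap-schema), reports mappings whose attribute the schema does not define, flags credential fields, and suggests the schema attribute that ends with the dangling name (RealmedPassword -> AstAccountRealmedPassword). The set of non-mapping keys (filter, additionalFilter) and the set of credential fields (secret, md5secret) are assumptions made for the example.

```python
"""Cross-check res_ldap.conf field mappings against an LDAP schema.

Each mapping 'asterisk_field = LdapAttribute' must name an attribute the
schema defines; otherwise no entry can carry that attribute and Asterisk
never receives a value for the field. For a credential field that means
the password check is skipped entirely.
"""
import configparser
import re

# Constructed schema fragment in OpenLDAP attributetype syntax.
# The OIDs are placeholders for this example, not the real schema's.
SCHEMA_TEXT = """
attributetype ( 1.3.6.1.4.1.99999.1.1 NAME 'AstAccountName'
    DESC 'Asterisk account name'
    EQUALITY caseIgnoreMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.99999.1.2 NAME 'AstAccountRealmedPassword'
    DESC 'Asterisk MD5 realmed password'
    EQUALITY caseExactMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.99999.1.3 NAME 'AstAccountContext'
    DESC 'Asterisk dialplan context'
    EQUALITY caseIgnoreMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
"""

# Constructed res_ldap.conf fragment reproducing the shipped mistake:
# md5secret points at an attribute the schema does not define.
CONFIG_TEXT = """
[_general]
host = 127.0.0.1
basedn = dc=example,dc=com

[sip]
; field = LDAP attribute
name = AstAccountName
md5secret = RealmedPassword
context = AstAccountContext
additionalFilter = (objectClass=AstAccountSIP)
"""

# Keys in a table section that are not field-to-attribute mappings
# (assumption for this example).
NON_MAPPING_KEYS = {"filter", "additionalfilter"}
# Asterisk fields that carry authentication material (assumption).
CREDENTIAL_FIELDS = {"secret", "md5secret"}

# Matches NAME 'x' as well as NAME ( 'x' 'y' ) in an attributetype definition.
SCHEMA_NAME_RE = re.compile(r"\bNAME\s+(?:'([^']*)'|\(\s*((?:'[^']*'\s*)+)\))")


def parse_schema(text):
    """Return the set of attribute names the schema text defines."""
    names = set()
    for m in SCHEMA_NAME_RE.finditer(text):
        if m.group(1) is not None:
            names.add(m.group(1))
        else:
            names.update(re.findall(r"'([^']*)'", m.group(2)))
    return names


def parse_mappings(text):
    """Return {section: {asterisk_field: ldap_attribute}} from res_ldap.conf text."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   comment_prefixes=(";", "#"),
                                   inline_comment_prefixes=(";", "#"))
    cp.optionxform = str  # keep the case of field names
    cp.read_string(text)
    mappings = {}
    for section in cp.sections():
        if section == "_general":  # connection settings, not a table mapping
            continue
        for key, value in cp.items(section):
            if key.lower() in NON_MAPPING_KEYS:
                continue
            mappings.setdefault(section, {})[key] = value.strip()
    return mappings


def find_dangling(mappings, schema_names):
    """Return (section, field, attribute) for every mapping the schema lacks.

    LDAP attribute names are case-insensitive, so compare lower-cased.
    """
    known = {n.lower() for n in schema_names}
    return [(section, field, attr)
            for section, fields in mappings.items()
            for field, attr in fields.items()
            if attr.lower() not in known]


def suggest(attr, schema_names):
    """Schema attributes that end with attr, e.g. the Ast-prefixed form of it."""
    low = attr.lower()
    return sorted(n for n in schema_names if n.lower().endswith(low) and n.lower() != low)


if __name__ == "__main__":
    schema = parse_schema(SCHEMA_TEXT)
    for section, field, attr in find_dangling(parse_mappings(CONFIG_TEXT), schema):
        line = f"[{section}] {field} = {attr}: attribute not defined in schema"
        if field.lower() in CREDENTIAL_FIELDS:
            line += " (credential field: password check is silently skipped)"
        hint = suggest(attr, schema)
        if hint:
            line += f"; did you mean {hint[0]}?"
        print(line)
```

To run it against a live deployment, replace the two inline strings with the contents of res_ldap.conf and the schema file loaded into the directory; on a correctly configured system the script prints nothing. The credential flag is the line to treat as a blocker: a dangling secret or md5secret mapping is exactly the no-password-check condition the report describes.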