[asterisk-bugs] [Asterisk 0017376]: res_ldap.conf points md5secret to RealmedPassword, but the schema uses AstAccountRealmedPassword

Asterisk Bug Tracker noreply at bugs.digium.com
Sat May 22 11:17:40 CDT 2010


The following issue has been SUBMITTED. 
====================================================================== 
https://issues.asterisk.org/view.php?id=17376 
====================================================================== 
Reported By:                jcovert
Assigned To:                suretec
====================================================================== 
Project:                    Asterisk
Issue ID:                   17376
Category:                   Resources/res_config_ldap
Reproducibility:            always
Severity:                   major
Priority:                   normal
Status:                     assigned
Asterisk Version:           1.6.2.8-rc1 
JIRA:                        
Regression:                 No 
Reviewboard Link:            
SVN Branch (only for SVN checkouts, not tarball releases): N/A 
SVN Revision (number only!):  
Request Review:              
====================================================================== 
Date Submitted:             2010-05-22 11:17 CDT
Last Modified:              2010-05-22 11:17 CDT
====================================================================== 
Summary:                    res_ldap.conf points md5secret to RealmedPassword, but the schema uses AstAccountRealmedPassword
Description: 
The LDAP schema supplied with Asterisk defines certain attribute names to
be used for LDAP realtime authentication. LDAP only allows entries to be
added with attributes named in the schema.

The schema expects the MD5 password to be AstAccountRealmedPassword;
however, the config file contains the line "md5secret = RealmedPassword". 
This error may have been introduced as a workaround to asterisk crashing if
AstAccountRealmedPassword was used (see issue 12163), but that problem has
been fixed by a patch made to res_config_ldap.c.

With the config file as supplied, AstAccountRealmedPassword is ignored. 
Since it's not possible (without changing the schema) to enter an attribute
named "RealmedPassword", md5secret has no match in LDAP, and the only
checking done is for a valid username -- no password check at all.

The result of this, for one of my clients, was 2412 calls to Freetown,
Sierra Leone, for a total of 34,980 minutes of time charged by their ITSP
at $0.25/minute (about $9,000), all in the brief period from 4:00 am to
9:46 am yesterday.

Patch supplied.

/john

====================================================================== 

Issue History 
Date Modified    Username       Field                    Change               
====================================================================== 
2010-05-22 11:17 jcovert        New Issue                                    
2010-05-22 11:17 jcovert        Status                   new => assigned     
2010-05-22 11:17 jcovert        Assigned To               => suretec         
2010-05-22 11:17 jcovert        Asterisk Version          => 1.6.2.8-rc1     
2010-05-22 11:17 jcovert        Regression                => No              
2010-05-22 11:17 jcovert        SVN Branch (only for SVN checkouts, not tarball releases) => N/A
======================================================================
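The failure described in this report is a configuration/schema mismatch: a realtime field mapping in res_ldap.conf names an LDAP attribute that the schema never defines, so the field is never populated and the password check quietly drops out. The script below is an added example, written for this page and not code from the report or from the Asterisk project. It cross-checks every field mapping in a res_ldap.conf-style file against the attribute names declared in an OpenLDAP-style schema and lists mappings that resolve to nothing. The config and schema fragments are constructed samples in the shape of res_ldap.conf and asterisk.ldap-schema; the OIDs are placeholders, and the `;`-comment and `key = value` / `key => value` conventions of Asterisk config files are assumed.

```python
"""Cross-check res_ldap.conf field mappings against an LDAP schema.

Added example (not from the bug report or Asterisk). It flags mappings such
as "md5secret = RealmedPassword" whose attribute does not exist in the schema.
"""
import re

# Constructed schema fragment in the shape of asterisk.ldap-schema.
# The OIDs under 1.3.6.1.4.1.99999 are placeholders, not real ones.
SAMPLE_SCHEMA = """\
attributetype ( 1.3.6.1.4.1.99999.1.1 NAME 'AstAccountName'
    DESC 'Asterisk Account Name'
    EQUALITY caseIgnoreMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.99999.1.2 NAME 'AstAccountRealmedPassword'
    DESC 'Asterisk Account Realmed Password'
    EQUALITY caseIgnoreMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.99999.1.3 NAME 'AstAccountSecret'
    DESC 'Asterisk Account Secret'
    EQUALITY caseIgnoreMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )

objectclass ( 1.3.6.1.4.1.99999.2.1 NAME 'AstAccountSIP' SUP top AUXILIARY
    MAY ( AstAccountName $ AstAccountRealmedPassword $ AstAccountSecret ) )
"""

# Constructed res_ldap.conf fragment reproducing the mismatch from the report.
SAMPLE_CONF_BAD = """\
[_general]
host = ldap.example.invalid
basedn = dc=example,dc=invalid

[sip]
name = AstAccountName
md5secret = RealmedPassword   ; not in the schema: the field is never populated
secret = AstAccountSecret
additionalFilter=(objectClass=AstAccountSIP)
"""

# The same fragment with the mapping pointing at the attribute the schema defines.
SAMPLE_CONF_FIXED = SAMPLE_CONF_BAD.replace(
    "md5secret = RealmedPassword", "md5secret = AstAccountRealmedPassword")

# Keys in a realtime section that are not field-to-attribute mappings.
NON_MAPPING_KEYS = {"additionalFilter"}


def schema_attribute_names(schema_text):
    """Return the set of attribute names declared by attributetype definitions."""
    names = set()
    # Each definition starts on a line beginning with attributetype/objectclass.
    blocks = re.split(r"^(?=\s*(?:attributetype|objectclass)\b)", schema_text, flags=re.M)
    for block in blocks:
        if not block.lstrip().startswith("attributetype"):
            continue  # objectclass definitions are not attributes
        # NAME 'x'  or  NAME ( 'x' 'y' )  -- both forms are valid schema syntax
        m = re.search(r"\bNAME\s+(?:'[^']+'|\(\s*(?:'[^']+'\s*)+\))", block)
        if m:
            names.update(re.findall(r"'([^']+)'", m.group(0)))
    return names


def parse_mappings(conf_text):
    """Return {section: {field: ldap_attribute}} for the realtime sections."""
    mappings = {}
    section = None
    for raw in conf_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # Asterisk configs use ';' comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section is None or section == "_general":
            continue  # [_general] holds connection settings, not field mappings
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key, value = key.strip(), value.lstrip(">").strip()  # accept 'key => value' too
        if key in NON_MAPPING_KEYS:
            continue
        mappings.setdefault(section, {})[key] = value
    return mappings


def find_unmapped(conf_text, schema_text):
    """List (section, field, attribute) triples whose attribute the schema lacks.

    LDAP attribute names are case-insensitive, so comparison is lowercased.
    """
    known = {n.lower() for n in schema_attribute_names(schema_text)}
    problems = []
    for section, fields in parse_mappings(conf_text).items():
        for field, attr in fields.items():
            if attr.lower() not in known:
                problems.append((section, field, attr))
    return problems


if __name__ == "__main__":
    for label, conf in (("as shipped", SAMPLE_CONF_BAD), ("corrected", SAMPLE_CONF_FIXED)):
        problems = find_unmapped(conf, SAMPLE_SCHEMA)
        print(f"{label}: {len(problems)} unmapped field(s)")
        for section, field, attr in problems:
            print(f"  [{section}] {field} -> '{attr}' is not defined in the schema")
```

Run against a real deployment by reading res_ldap.conf and asterisk.ldap-schema from disk in place of the two constructed strings; any hit on `secret` or `md5secret` means that credential field can never match a directory entry, which is exactly the silent loss of password checking the report describes.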