[asterisk-bugs] [Asterisk 0017376]: [patch] res_ldap.conf points md5secret to RealmedPassword, but the schema uses AstAccountRealmedPassword

Asterisk Bug Tracker noreply at bugs.digium.com
Thu Oct 21 08:17:25 CDT 2010


A NOTE has been added to this issue. 
====================================================================== 
https://issues.asterisk.org/view.php?id=17376 
====================================================================== 
Reported By:                jcovert
Assigned To:                lmadsen
====================================================================== 
Project:                    Asterisk
Issue ID:                   17376
Category:                   Resources/res_config_ldap
Reproducibility:            always
Severity:                   major
Priority:                   normal
Status:                     closed
Asterisk Version:           1.6.2.8-rc1 
JIRA:                        
Regression:                 No 
Reviewboard Link:            
SVN Branch (only for SVN checkouts, not tarball releases): N/A 
SVN Revision (number only!):  
Request Review:              
Resolution:                 fixed
Fixed in Version:           
====================================================================== 
Date Submitted:             2010-05-22 11:17 CDT
Last Modified:              2010-10-21 08:17 CDT
====================================================================== 
Summary:                    [patch] res_ldap.conf points md5secret to
RealmedPassword, but the schema uses AstAccountRealmedPassword
Description: 
The LDAP schema supplied with asterisk defines certain attribute names to
be used for LDAP realtime authentication.  LDAP only allows entries to be
added with attributes named in the schema.

The schema expects the MD5 password to be AstAccountRealmedPassword;
however, the config file contains the line "md5secret = RealmedPassword". 
This error may have been introduced as a workaround to asterisk crashing if
AstAccountRealmedPassword was used (see issue 12163), but that problem has
been fixed by a patch made to res_config_ldap.c.

With the config file as supplied, AstAccountRealmedPassword is ignored. 
Since it's not possible (without changing the schema) to enter an attribute
named "RealmedPassword", md5secret has no match in LDAP, and the only
checking done is for a valid username -- no password check at all.

The result of this, for one of my clients, was 2412 calls to Freetown,
Sierra Leone, for a total of 34,980 minutes of time charged by their ITSP,
at $0.25/minute, (about $9,000) all in the brief period from 4:00 am to
9:46 am yesterday.

Patch supplied.

/john

======================================================================
Relationships       ID      Summary
----------------------------------------------------------------------
related to          0012163 Asterisk segfaults when 'md5secret = us...
====================================================================== 

---------------------------------------------------------------------- 
 (0128279) svnbot (reporter) - 2010-10-21 08:17
 https://issues.asterisk.org/view.php?id=17376#c128279 
---------------------------------------------------------------------- 
Repository: asterisk
Revision: 292559

_U  trunk/
U   trunk/configs/res_ldap.conf.sample

------------------------------------------------------------------------
r292559 | lmadsen | 2010-10-21 08:17:24 -0500 (Thu, 21 Oct 2010) | 21
lines

Merged revisions 292557 via svnmerge from 
https://origsvn.digium.com/svn/asterisk/branches/1.8

................
  r292557 | lmadsen | 2010-10-21 08:12:19 -0500 (Thu, 21 Oct 2010) | 14
lines
  
  Merged revisions 292556 via svnmerge from 
  https://origsvn.digium.com/svn/asterisk/branches/1.6.2
  
  ........
    r292556 | lmadsen | 2010-10-21 08:11:52 -0500 (Thu, 21 Oct 2010) | 6
lines
    
    Change res_ldap.sample.conf to match the schema.
    
    (closes issue https://issues.asterisk.org/view.php?id=17376)
    Reported by: jcovert
    Patches:
          res_ldap.conf.sample.patch uploaded by jcovert (license 551)
  ........
................

------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=292559 

Issue History 
Date Modified    Username       Field                    Change               
====================================================================== 
2010-10-21 08:17 svnbot         Checkin                                      
2010-10-21 08:17 svnbot         Note Added: 0128279                          
======================================================================




More information about the asterisk-bugs mailing list