[asterisk-bugs] [Asterisk 0017376]: [patch] res_ldap.conf points md5secret to RealmedPassword, but the schema uses AstAccountRealmedPassword
Asterisk Bug Tracker
noreply at bugs.digium.com
Thu Oct 21 08:17:25 CDT 2010
A NOTE has been added to this issue.
======================================================================
https://issues.asterisk.org/view.php?id=17376
======================================================================
Reported By: jcovert
Assigned To: lmadsen
======================================================================
Project: Asterisk
Issue ID: 17376
Category: Resources/res_config_ldap
Reproducibility: always
Severity: major
Priority: normal
Status: closed
Asterisk Version: 1.6.2.8-rc1
JIRA:
Regression: No
Reviewboard Link:
SVN Branch (only for SVN checkouts, not tarball releases): N/A
SVN Revision (number only!):
Request Review:
Resolution: fixed
Fixed in Version:
======================================================================
Date Submitted: 2010-05-22 11:17 CDT
Last Modified: 2010-10-21 08:17 CDT
======================================================================
Summary: [patch] res_ldap.conf points md5secret to
RealmedPassword, but the schema uses AstAccountRealmedPassword
Description:
The LDAP schema supplied with asterisk defines certain attribute names to
be used for LDAP realtime authentication. LDAP only allows entries to be
added with attributes named in the schema.
The schema expects the MD5 password to be AstAccountRealmedPassword;
however, the config file contains the line "md5secret = RealmedPassword".
This error may have been introduced as a workaround to asterisk crashing if
AstAccountRealmedPassword was used (see issue 12163), but that problem has
been fixed by a patch made to res_config_ldap.c.
With the config file as supplied, AstAccountRealmedPassword is ignored.
Since it's not possible (without changing the schema) to enter an attribute
named "RealmedPassword", md5secret has no match in LDAP, and the only
checking done is for a valid username -- no password check at all.
The result of this, for one of my clients, was 2412 calls to Freetown,
Sierra Leone, for a total of 34,980 minutes of time charged by their ITSP,
at $0.25/minute, (about $9,000) all in the brief period from 4:00 am to
9:46 am yesterday.
Patch supplied.
/john
======================================================================
Relationships ID Summary
----------------------------------------------------------------------
related to 0012163 Asterisk segfaults when 'md5secret = us...
======================================================================
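The mismatch described in the report above can be caught before deployment by checking that every attribute the config maps to is actually defined by the schema. This is an added example, not code from the Asterisk project or the reporter. The schema and config fragments are constructed and simplified, and `ExampleAccountName`, the `name` mapping, the `1.1.*` OIDs and the `CREDENTIAL_KEYS` set are assumptions.

```python
import re

# Constructed, simplified fragments; 'ExampleAccountName' and 1.1.* OIDs are placeholders.
SCHEMA_SAMPLE = """
attributetype ( 1.1.2.1.1 NAME 'ExampleAccountName' )
attributetype ( 1.1.2.1.2 NAME 'AstAccountRealmedPassword' )
"""
CONF_BEFORE = """
[sip]
name = ExampleAccountName
md5secret = RealmedPassword        ; value the report says was shipped
"""
CONF_AFTER = CONF_BEFORE.replace("= RealmedPassword", "= AstAccountRealmedPassword")
CREDENTIAL_KEYS = {"secret", "md5secret"}  # assumption: keys holding credentials
NAME_RE = re.compile(r"NAME\s+(?:'([^']+)'|\(\s*((?:'[^']+'\s*)+)\))")

def schema_attributes(schema_text):
    """Return the lowercased attribute names a schema defines."""
    names = set()
    for single, multi in NAME_RE.findall(schema_text):
        found = [single] if single else re.findall(r"'([^']+)'", multi)
        names.update(n.lower() for n in found)  # LDAP names are case-insensitive
    return names

def parse_mappings(conf_text):
    """Return (section, key, attribute); assumes only mapping sections are passed."""
    section, out = None, []
    for raw in conf_text.splitlines():
        line = raw.split(";", 1)[0].strip()     # ';' starts a comment
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            section = header.group(1)
        elif section and "=" in line:
            key, attr = (part.strip() for part in line.split("=", 1))
            out.append((section, key, attr))
    return out

def unmapped(conf_text, schema_text):
    """List mappings whose target attribute the schema does not define."""
    known = schema_attributes(schema_text)
    findings = []
    for section, key, attr in parse_mappings(conf_text):
        if attr.lower() not in known:
            sev = "critical" if key.lower() in CREDENTIAL_KEYS else "warning"
            findings.append((sev, section, key, attr))
    return findings

if __name__ == "__main__":
    print(unmapped(CONF_BEFORE, SCHEMA_SAMPLE))
```

A `critical` finding means a credential key points at an attribute no LDAP entry can carry, which is the condition the report describes.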
----------------------------------------------------------------------
(0128279) svnbot (reporter) - 2010-10-21 08:17
https://issues.asterisk.org/view.php?id=17376#c128279
----------------------------------------------------------------------
Repository: asterisk
Revision: 292559
_U trunk/
U trunk/configs/res_ldap.conf.sample
------------------------------------------------------------------------
r292559 | lmadsen | 2010-10-21 08:17:24 -0500 (Thu, 21 Oct 2010) | 21 lines
Merged revisions 292557 via svnmerge from
https://origsvn.digium.com/svn/asterisk/branches/1.8
................
r292557 | lmadsen | 2010-10-21 08:12:19 -0500 (Thu, 21 Oct 2010) | 14 lines
Merged revisions 292556 via svnmerge from
https://origsvn.digium.com/svn/asterisk/branches/1.6.2
........
r292556 | lmadsen | 2010-10-21 08:11:52 -0500 (Thu, 21 Oct 2010) | 6 lines
Change res_ldap.sample.conf to match the schema.
(closes issue https://issues.asterisk.org/view.php?id=17376)
Reported by: jcovert
Patches:
res_ldap.conf.sample.patch uploaded by jcovert (license 551)
........
................
------------------------------------------------------------------------
http://svn.digium.com/view/asterisk?view=rev&revision=292559
Issue History
Date Modified Username Field Change
======================================================================
2010-10-21 08:17 svnbot Checkin
2010-10-21 08:17 svnbot Note Added: 0128279
======================================================================