[Pkg-freeipa-devel] Bug#912224: since update 1.3.3.5-4+deb8u5 php ldap authentification failure

Jan Kowalsky jankow at datenkollektiv.net
Mon Oct 29 13:16:15 GMT 2018


Package: 389-ds
Version: 1.3.3.5-4+deb8u5
Severity: high

Since 26.10.2018 our nextcloud installations can't authenticate against
389-ds anymore. This seems to have a relation to the latest update in
389-ds - it happened after we applied these two updates:


389-ds-base (1.3.3.5-4+deb8u5) jessie-security; urgency=high

  * Non-maintainer upload by the LTS Team.
  * Fix regression introduced by +deb8u4: checking of empty attributes
    causes crash.

 -- Hugo Lefeuvre <hle at debian.org>  Thu, 25 Oct 2018 13:03:54 +0200

389-ds-base (1.3.3.5-4+deb8u4) jessie-security; urgency=high

  * Non-maintainer upload by the LTS Team.
  * CVE-2018-14648: A specially crafted search query could lead to
    excessive CPU consumption in the do_search() function. An
    unauthenticated attacker could leverage this flaw to cause a
    denial of service.

 -- Hugo Lefeuvre <hle at debian.org>  Wed, 24 Oct 2018 17:16:21 +0200

On the php-side (nextcloud) we get the error:

Result is: Protocol error (2) at
\/opt\/nextcloud-demo\/apps\/user_ldap\/lib\/LDAP.php

On the 389-ds side we find in access log "invalid attribute request":

[26/Oct/2018:18:29:19 +0200] conn=66 op=0 BIND
dn="uid=owncloud-bind,ou=Special Users,dc=example,dc=net" method=128
version=3
[26/Oct/2018:18:29:19 +0200] conn=66 op=0 RESULT err=0 tag=97 nentries=0
etime=0 dn="uid=owncloud-bind,ou=special users,dc=example,dc=net"
[26/Oct/2018:18:29:19 +0200] conn=66 op=1 SRCH base="(null)" scope=2
filter="(&(|(objectClass=inetorgperson))(|(mail=demo at example.org)))",
invalid attribute request
[26/Oct/2018:18:29:19 +0200] conn=66 op=1 RESULT err=2 tag=101
nentries=0 etime=0
[26/Oct/2018:18:29:19 +0200] conn=66 op=2 SRCH base="(null)" scope=2
filter="(&(|(objectClass=inetorgperson))(|(mail=1d0b3c01-fd3f11e4-a213ad4c-cdc1d3d2)))",
invalid attribute request
[26/Oct/2018:18:29:19 +0200] conn=66 op=2 RESULT err=2 tag=101
nentries=0 etime=0
[26/Oct/2018:18:29:19 +0200] conn=66 op=3 SRCH base="(null)" scope=2
filter="(&(|(objectClass=inetorgperson))(|(mail=1d0b3c01-fd3f11e4-a213ad4c-cdc1d3d2)))",
invalid attribute request
[26/Oct/2018:18:29:19 +0200] conn=66 op=3 RESULT err=2 tag=101
nentries=0 etime=0
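
An added example, not part of the original report: one way to pull the failing operations out of a 389-ds access log like the one quoted above, pairing each SRCH flagged "invalid attribute request" with its RESULT err=2 (the protocol error the client reports) and the bind DN of that connection. The sample log is constructed and the function names are this example's own; records wrapped by a mail client are rejoined first.

```python
import re

# Constructed sample (not from a real server) in the 389-ds access-log
# format quoted in the report, one record per line.
SAMPLE_LOG = """\
[26/Oct/2018:18:29:19 +0200] conn=66 op=0 BIND dn="uid=app-bind,ou=Special Users,dc=example,dc=net" method=128 version=3
[26/Oct/2018:18:29:19 +0200] conn=66 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=app-bind,ou=special users,dc=example,dc=net"
[26/Oct/2018:18:29:19 +0200] conn=66 op=1 SRCH base="(null)" scope=2 filter="(mail=user@example.org)", invalid attribute request
[26/Oct/2018:18:29:19 +0200] conn=66 op=1 RESULT err=2 tag=101 nentries=0 etime=0
[26/Oct/2018:18:29:20 +0200] conn=67 op=1 SRCH base="dc=example,dc=net" scope=2 filter="(uid=alice)" attrs="cn mail"
[26/Oct/2018:18:29:20 +0200] conn=67 op=1 RESULT err=0 tag=101 nentries=1 etime=0
"""

RECORD = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) (?P<kind>[A-Z]+)\s?(?P<rest>.*)$')

def unwrap(text):
    """Rejoin records wrapped by a mail client; every record starts with '['."""
    records = []
    for line in text.splitlines():
        if line.startswith("["):
            records.append(line)
        elif records and line.strip():
            records[-1] += " " + line.strip()
    return records

def field(name, rest):
    m = re.search(name + r'="([^"]*)"', rest)
    return m.group(1) if m else ""

def rejected_searches(text):
    """Return searches logged as 'invalid attribute request' that ended in err=2."""
    bind_dn, flagged, hits = {}, {}, []
    for rec in unwrap(text):
        m = RECORD.match(rec)
        if not m:
            continue
        key, kind, rest = (m["conn"], m["op"]), m["kind"], m["rest"]
        if kind == "BIND":
            bind_dn[m["conn"]] = field("dn", rest)      # who owns this connection
        elif kind == "SRCH" and "invalid attribute request" in rest:
            flagged[key] = (m["ts"], field("filter", rest))
        elif kind == "RESULT" and key in flagged and re.search(r'\berr=2\b', rest):
            ts, flt = flagged.pop(key)
            hits.append({"time": ts, "conn": key[0], "op": key[1],
                         "bind_dn": bind_dn.get(key[0], ""), "filter": flt})
    return hits

if __name__ == "__main__":
    print(*rejected_searches(SAMPLE_LOG), sep="\n")
```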


