[Date Prev][Date Next] [Chronological] [Thread] [Top]

OpenLDAP security woes.



Hello all,

I am in the process of writing a web-based contact manager application for
multiple users.  The back end is OpenLDAP 1.2.9 and the front end is a
browser (der!) using PerLDAP and apache.

The application is designed so that each user can store their own contacts
in a private area which is actually an OU ie:
ou=username, ou=private, o=...
and each entry in
cn=some name, ou=username, ou=private...

I have a few security issues:

***** Issue number 1 *****
Now, I want to set up OpenLDAP's security so that I can allow only the
owner of the ou access to their private space and no-one else (except the
manager).  To do this, I've got the following declarations in slapd.conf:

defaultaccess none
access to attr=userpassword by self write by * none
access to dn="*,ou=private,dc=ferraretto,dc=com" by dnattr=owner write by
self write by * none

Each entry in the private space has an owner attribute which is set to the
ou.

This is all working fine with my front end but it's managed to break kldap
which I was using to browse and debug my application.   If I connect as
anyone, including the manager using kldap, I don't get anything.  Here's
what the openldap log says:

conn=207 fd=7 connection from localhost (127.0.0.1) accepted.
conn=207 op=0 BIND dn="" method=128
conn=207 op=0 RESULT err=0 tag=97 nentries=0
conn=207 op=1 SRCH base="DC=FERRARETTO,DC=COM" scope=0
filter="(objectclass=*)"
conn=207 op=1 RESULT err=0 tag=101 nentries=0
conn=207 op=2 BIND dn="CN=MANAGER,DC=FERRARETTO,DC=COM" method=128
conn=207 op=2 RESULT err=0 tag=97 nentries=0

It's not finding anything!  Why?!?

If I remove the defaultaccess none line then it does find things.  But I
can't remove this because it will compromise security.  This is the case
also for Netscape's address book.  It looks for an e-mail address when
supplied a username and password but doesn't find them unless I remove the
'defaultaccess none' line

***** Issue Number 2 *****
If I attempt to bind to the LDAP server without supplying a password, the
bind succeeds but then I don't get to see anything in the search etc
because I didn't supply a password.  If I bind without a password I want
the bind to behave in the same way as if I had typed an incorrect
password.  Can this be set up?

***** Issue Number 3 *****
There seems to be a dearth of security literature involving openLDAP in
general.  I got Mark Wilcox's 'Implementing LDAP' book but it talks about
Netscape Directory server which implements security differently.  Is there
any security literature on openLDAP?

Thanks for your help.
Mark

--
Mark Ferraretto                 Phone:  +61 8 8396 2448
Ferraretto IT Services            Fax:  +61 8 8396 7176
26 Observation Drive           Mobile:  +61 407 959 719
Highbury SA 5089                Email:  mark@ferraretto.com