
RE: OpenLDAP security woes.

> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Mark
> Ferraretto

> defaultaccess none
> access to attr=userpassword by self write by * none
> access to dn="*,ou=private,dc=ferraretto,dc=com" by dnattr=owner write by self write by * none
>
> Each entry in the private space has an owner attribute which is set to the
> ou.
>
> This is all working fine with my front end but it's managed to break kldap
> which I was using to browse and debug my application.   If I connect as
> anyone, including the manager using kldap, I don't get anything.  Here's
> what the openldap log says:
>
> conn=207 fd=7 connection from localhost (127.0.0.1) accepted.
> conn=207 op=0 BIND dn="" method=128
> conn=207 op=0 RESULT err=0 tag=97 nentries=0
> conn=207 op=1 SRCH base="DC=FERRARETTO,DC=COM" scope=0 filter="(objectclass=*)"
> conn=207 op=1 RESULT err=0 tag=101 nentries=0
> conn=207 op=2 BIND dn="CN=MANAGER,DC=FERRARETTO,DC=COM" method=128
> conn=207 op=2 RESULT err=0 tag=97 nentries=0
>
> It's not finding anything!  Why?!?
>
I'm not familiar with kldap. Why is it doing an anonymous bind first,
reading the dc=ferraretto,dc=com entry, and then binding again as
cn=manager,dc=... ?

By the way, this is not the most useful log data you could obtain. Try
running your slapd in debug mode, with e.g. -d255 and look at what's logged
for your login sequence again. The specific message of interest is a line
like:
  do_bind: bound "CN=MANAGER,DC=FERRARETTO,DC=COM" to "<something>"

If you don't see this in the debug log, then the Binds didn't really
succeed. This situation can happen if the Bind request is being sent without
any password, as you noticed in your Point #2 below.

> If I remove the defaultaccess none line then it does find things.  But I
> can't remove this because it will compromise security.  This is the case
> also for Netscape's address book.  It looks for an e-mail address when
> supplied a username and password but doesn't find them unless I remove the
> 'defaultaccess none' line
>
> ***** Issue Number 2 *****
> If I attempt to bind to the LDAP server without supplying a password, the
> bind succeeds but then I don't get to see anything in the search etc
> because I didn't supply a password.  If I bind without a password I want
> the bind to behave in the same way as if I had typed an incorrect
> password.  Can this be set up?

If you have the source code, you can patch back-ldbm/bind.c and remove the
code that gives special treatment to binds with null passwords.
In the 1.2.9 source code you should comment out the "if" block in bind.c
from lines 115 to 120, starting at "if ( cred->bv_len == 0) {"
and ending at the matching "} else". I tend to agree that binding with a DN
but no password should not be treated the same as binding anonymously
without a DN. I always remove this code on our private copies of the server.

> ***** Issue Number 3 *****
> There seems to be a dearth of security literature involving openLDAP in
> general.  I got Mark Wilcox's 'Implementing LDAP' book but it talks about
> Netscape Directory server which implements security differently.  Is there
> any security literature on openLDAP?

Don't know of anything besides the FAQ-O-Matic on www.openldap.org.
>
> Thanks for your help.
> Mark
>
> --
> Mark Ferraretto                 Phone:  +61 8 8396 2448
> Ferraretto IT Services            Fax:  +61 8 8396 7176
> 26 Observation Drive           Mobile:  +61 407 959 719
> Highbury SA 5089                Email:  mark@ferraretto.com

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
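As an added example (not code from the thread or from OpenLDAP), a small Python audit that applies the check Howard describes: it pairs each BIND operation in a slapd log with its RESULT line and with the `do_bind: bound "X" to "Y"` line from a `-d255` debug run, and flags a bind that named a DN but was actually bound as anonymous, which is the null-password behaviour raised under Issue 2. The sample log text and the exact `do_bind` line format are constructed assumptions for illustration.

```python
import re

# Constructed sample log: the conn/op lines from the post interleaved with
# do_bind debug lines in the shape described in the reply (assumed format,
# not captured from a real server).
SAMPLE_LOG = """\
conn=207 fd=7 connection from localhost (127.0.0.1) accepted.
conn=207 op=0 BIND dn="" method=128
do_bind: bound "" to ""
conn=207 op=0 RESULT err=0 tag=97 nentries=0
conn=207 op=1 SRCH base="DC=FERRARETTO,DC=COM" scope=0 filter="(objectclass=*)"
conn=207 op=1 RESULT err=0 tag=101 nentries=0
conn=207 op=2 BIND dn="CN=MANAGER,DC=FERRARETTO,DC=COM" method=128
do_bind: bound "CN=MANAGER,DC=FERRARETTO,DC=COM" to ""
conn=207 op=2 RESULT err=0 tag=97 nentries=0
"""

BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=(\d+)')
BOUND_RE = re.compile(r'do_bind: bound "([^"]*)" to "([^"]*)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT err=(\d+)')


def classify(rec):
    """Verdict for one completed BIND op, following the reply's reasoning."""
    if rec["err"] != 0:
        return "failed"
    if rec["requested"] == "":
        return "anonymous"
    if rec["bound"] is None:
        return "no do_bind line: bind did not really succeed"
    if rec["bound"] == "":
        return "DN supplied but bound anonymously (null-password bind)"
    return "authenticated as " + rec["bound"]


def audit_binds(log_text):
    """One record per BIND op: requested DN, identity slapd bound, verdict."""
    records, pending = [], None
    for line in log_text.splitlines():
        if m := BIND_RE.match(line):
            pending = {"conn": m[1], "op": m[2], "requested": m[3],
                       "bound": None, "err": None}
            records.append(pending)
        elif pending and (m := BOUND_RE.search(line)):
            pending["bound"] = m[2]  # identity actually bound
        elif pending and (m := RESULT_RE.match(line)) \
                and (m[1], m[2]) == (pending["conn"], pending["op"]):
            pending["err"] = int(m[3])
            pending["verdict"] = classify(pending)
            pending = None  # this op is complete
    return records
```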