[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: slapd-{ldap,meta} && authentication



Quoting Turbo Fredriksson <turbo@bayour.com>:

> This morning I did it like this (it's just a workaround - I don't like it
> just 'for the sake of it' :). It's the closest thing I can think of that doesn't
> open up the whole database for an attacker. It CAN I guess, but I can't think
> of a _real_ way to exploit it yet...
> 
> Created a proxy user - 'uid=proxy,...' - which only have SEARCH access to the
> 'authentication attributes' (userPassword, krb5PrincipalName, mail and
> mailAlternateAddress) that are used one way or the other.

This seems to only work 'for a while' - I'm currently trying to figure out why.

My current guess is that it's caching to much/little/long...

I think I can successfully recreate the problem:

        1. Start master:slapd
        2. Start proxy:slapd -h ldapi://%2fvar%2frun%2fldapi
        3. proxy:ldapwhoami -H ldapi://%2fvar%2frun%2fldapi
           -> will give me the correct DN
        4. Stop master:slapd
        5. proxy:ldapwhoami -H ldapi://%2fvar%2frun%2fldapi
           -> will give me a cn=auth DN
        6. Start master:slapd
        7. proxy:ldapwhoami -H ldapi://%2fvar%2frun%2fldapi
           -> will give me a cn=auth DN

Point 7 is wrong! This is where caching takes place somehow.
If I don't restart proxy:slapd, it will NEVER give me the
correct DN!
Running master:slapd in debug mode (in point 6) shows that
it will never get an ACCEPT from slave:slapd in point 7...


To make sure it doesn't read the file cache (overlay), I
disabled that part, but still no go. There doesn't seem to
be any equivalence of the 'dncache-ttl' which is availible
to back-meta, so I don't know (without resorting to the code)
how long it caches...
-- 
Ft. Bragg [Hello to all my fans in domestic surveillance] Uzi Nazi
ammonium NORAD president Legion of Doom NSA Delta Force KGB Kennedy
security Rule Psix CIA
[See http://www.aclu.org/echelonwatch/index.html for more about this]