
Re: proxy auth and userpassword access

Pierangelo Masarati wrote:
Dieter Kluenter wrote:

When using proxy authentication with strong bind, the attribute
userPassword has to have read access, that is, auth access is not
sufficient. Is there any particular reason for this potential security
hole?

Well, if you want to use strong auth at the proxy side, the proxy needs to be able to check the password itself, and this requires the password.

OpenLDAP's proxy is not a SASL proxy, nor does my (partial) knowledge of
SASL allow me to state that a SASL proxy is at all possible for all mechs.
If it is, adding SASL proxying capabilities to OpenLDAP proxy backends
would be an interesting extension.

Given that the worthwhile SASL mechanisms are designed to resist man-in-the-middle (MITM) attacks and a proxy is essentially a MITM, I'd say it's not going to happen. The proxy needs to have as much knowledge as the main server.
--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
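The practical consequence of the thread is that if the proxy must verify strong (SASL) binds itself, its bind identity needs read access to userPassword, and that access should be granted to that one identity only. The slapd.conf ACL below is an added illustration of that least-privilege shape, not configuration from the thread or the OpenLDAP project; the suffix and the proxy's DN (cn=proxy,ou=services,dc=example,dc=com) are assumed placeholders.

```conf
# Added example (not from the thread). Assumed names: the suffix
# dc=example,dc=com and the proxy's own bind identity
# cn=proxy,ou=services,dc=example,dc=com.
#
# OpenLDAP evaluates "by" clauses top to bottom and stops at the first
# match, so the proxy identity is listed first to make sure it gets
# read (the level the proxy needs to verify a SASL bind itself),
# while everyone else stays at auth (compare-only) or nothing.
access to attrs=userPassword
    by dn.exact="cn=proxy,ou=services,dc=example,dc=com" read
    by self write
    by anonymous auth
    by * none

# Everything else: the proxy only needs to read, ordinary users see
# their own entry and the rest of the tree as before.
access to *
    by dn.exact="cn=proxy,ou=services,dc=example,dc=com" read
    by self write
    by users read
    by * auth
```

Because "read" here means the proxy receives whatever is stored in userPassword, this only helps a challenge/response mechanism when the stored value is something the proxy can actually verify against, and the proxy's own bind to the back end should run over TLS so that the one identity holding this privilege is not itself trivially impersonated. Checking which identities effectively have read on userPassword (for example with slapacl against the proxy DN and a sample user) is the test to run after changing such an ACL.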