openldap-bugs August 2009

openldap-bugs@openldap.org

35 participants
225 discussions

Re: (ITS#6250) Password modify ext.op. - automagically add simpleSecurityObject
by michael＠stroeder.com 11 Aug '09

11 Aug '09

Howard Chu wrote: > Michael Ströder wrote: >> Let's assume the policy for a deployment is that password changes MUST be >> applied by using password modify ext. op. (e.g. because smbk5pwd is >> used or >> similar) and you want to use object class 'account' for user entries. How >> could the attribute 'userPassword' be added to the user entry then? >> It's kind >> of a dead-lock situation. > > Then you made a mistake in your data design. Nope. Since with a modify request I can achieve the goal by adding object class 'simpleSecurityObject'. IMO password modify ext.op. should result in userPassword being added. One could view it as a hen-and-egg problem because 'simpleSecurityObject' is mandating 'userPassword'. > You should have chosen an > objectclass (or set of objectclasses) that supports authentication from > the outset. To me this is analogous to the usual prohibition against > changing an object's structural class - you cannot change a car into a > pencil. You cannot change a non-user into a user. Please don't compare apples with pies. 'account' is STRUCTURAL so the user entry represents already a user. 'simpleSecurityObject' is AUXILIARY (not STRUCTURAL) which adds another attribute. The STRUCTURAL object class of the entry is not altered, so no magic change from a car into a pencil here. Ciao, Michael.

1 0

Re: (ITS#6249) Feature request: Password Modify ext. op. and anonymous LDAP connection
by michael＠stroeder.com 11 Aug '09

11 Aug '09

hyc(a)symas.com wrote: > Michael Ströder wrote: >> hyc(a)symas.com wrote: >>> michael(a)stroeder.com wrote: >>>> Full_Name: Michael Ströder >>>> Version: HEAD >>>> OS: >>>> URL: >>>> Submission from: (NULL) (84.163.50.194) >>>> >>>> I'd like to request that a Password Modify ext. op. request should succeed on a >>>> LDAP connection as anonymous if the LDAP client provides the correct old >>>> password. >>>> >>>> E.g. OpenDS implements it like this and it makes sense to me regarding a user >>>> setting a new password in case of an expired password. >>> Adding this feature would open up the pwdModify exop as a mechanism for >>> password guessing attacks. >> There could be still the bad password counter in effect just like when >> processing bind requests. > > But there is no corresponding lockout action to take when a maxfailure limit > is reached. I.e., it is impossible to lockout "anonymous". You thus open a > security hole that cannot be closed. The password modify ext.op. request contains the DN (or username) of the entry to which the old password belongs. Since the old password is really checked you could apply the lockout to the entry for which the password is going to be changed. (It fails with Server is "unwilling to perform: unwilling to verify old password." even if the user is bound on that connection.) Ciao, Michael.

1 0

Re: (ITS#6250) Password modify ext.op. - automagically add simpleSecurityObject
by hyc＠symas.com 11 Aug '09

11 Aug '09

Michael Ströder wrote: > hyc(a)symas.com wrote: >> michael(a)stroeder.com wrote: >>> Full_Name: Michael Ströder >>> Version: HEAD >>> OS: openSUSE Linux 11.1 >>> URL: >>> Submission from: (NULL) (84.163.50.194) >>> >>> >>> If one trys to set the userPassword with a Password Modify ext. op. request but >>> the object classes of the entry does not allow userPassword slapd could add >>> automagically AUXILIARY object class simpleSecurityObject to the entry. >>> >>> (I'm doing this in web2ldap since years when changing the userPassword with a >>> normal modify operation which client-side hashing.) >> >> This request sounds like a mistake to me. The DSA is supposed to enforce the >> data model, not automagically enable you to bypass the model. What clients do >> is a completely separate matter... > > Let's assume the policy for a deployment is that password changes MUST be > applied by using password modify ext. op. (e.g. because smbk5pwd is used or > similar) and you want to use object class 'account' for user entries. How > could the attribute 'userPassword' be added to the user entry then? It's kind > of a dead-lock situation. Then you made a mistake in your data design. You should have chosen an objectclass (or set of objectclasses) that supports authentication from the outset. To me this is analogous to the usual prohibition against changing an object's structural class - you cannot change a car into a pencil. You cannot change a non-user into a user. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Re: (ITS#6249) Feature request: Password Modify ext. op. and anonymous LDAP connection
by hyc＠symas.com 11 Aug '09

11 Aug '09

Michael Ströder wrote: > hyc(a)symas.com wrote: >> michael(a)stroeder.com wrote: >>> Full_Name: Michael Ströder >>> Version: HEAD >>> OS: >>> URL: >>> Submission from: (NULL) (84.163.50.194) >>> >>> I'd like to request that a Password Modify ext. op. request should succeed on a >>> LDAP connection as anonymous if the LDAP client provides the correct old >>> password. >>> >>> E.g. OpenDS implements it like this and it makes sense to me regarding a user >>> setting a new password in case of an expired password. >> >> Adding this feature would open up the pwdModify exop as a mechanism for >> password guessing attacks. > > There could be still the bad password counter in effect just like when > processing bind requests. But there is no corresponding lockout action to take when a maxfailure limit is reached. I.e., it is impossible to lockout "anonymous". You thus open a security hole that cannot be closed. Again - No. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Re: (ITS#6250) Password modify ext.op. - automagically add simpleSecurityObject
by michael＠stroeder.com 11 Aug '09

11 Aug '09

hyc(a)symas.com wrote: > michael(a)stroeder.com wrote: >> Full_Name: Michael Ströder >> Version: HEAD >> OS: openSUSE Linux 11.1 >> URL: >> Submission from: (NULL) (84.163.50.194) >> >> >> If one trys to set the userPassword with a Password Modify ext. op. request but >> the object classes of the entry does not allow userPassword slapd could add >> automagically AUXILIARY object class simpleSecurityObject to the entry. >> >> (I'm doing this in web2ldap since years when changing the userPassword with a >> normal modify operation which client-side hashing.) > > This request sounds like a mistake to me. The DSA is supposed to enforce the > data model, not automagically enable you to bypass the model. What clients do > is a completely separate matter... Let's assume the policy for a deployment is that password changes MUST be applied by using password modify ext. op. (e.g. because smbk5pwd is used or similar) and you want to use object class 'account' for user entries. How could the attribute 'userPassword' be added to the user entry then? It's kind of a dead-lock situation. Ciao, Michael.

1 0

Re: (ITS#6250) Password modify ext.op. - automagically add simpleSecurityObject
by h.b.furuseth＠usit.uio.no 11 Aug '09

11 Aug '09

Sorry, sent too early. > It makes sense if you add a config parameter with an LDAP URL or > something describing entries which can be so modified (subject to > ordinary access controls). I imagine one would typically filter for objectClass, e.g. ldap:///???(objectClass=person)

1 0

Re: (ITS#6249) Feature request: Password Modify ext. op. and anonymous LDAP connection
by michael＠stroeder.com 11 Aug '09

11 Aug '09

hyc(a)symas.com wrote: > michael(a)stroeder.com wrote: >> Full_Name: Michael Ströder >> Version: HEAD >> OS: >> URL: >> Submission from: (NULL) (84.163.50.194) >> >> I'd like to request that a Password Modify ext. op. request should succeed on a >> LDAP connection as anonymous if the LDAP client provides the correct old >> password. >> >> E.g. OpenDS implements it like this and it makes sense to me regarding a user >> setting a new password in case of an expired password. > > Adding this feature would open up the pwdModify exop as a mechanism for > password guessing attacks. There could be still the bad password counter in effect just like when processing bind requests. Ciao, Michael.

1 0

Re: (ITS#6250) Password modify ext.op. - automagically add simpleSecurityObject
by h.b.furuseth＠usit.uio.no 11 Aug '09

11 Aug '09

hyc(a)symas.com writes: > This request sounds like a mistake to me. The DSA is supposed to > enforce the data model, not automagically enable you to bypass the > model. What clients do is a completely separate matter... It makes sense if you add a config parameter with an LDAP URL or something describing entries which can be so modified (subject to ordinary access controls). -- Hallvard

1 0

Re: (ITS#6250) Password modify ext.op. - automagically add simpleSecurityObject
by hyc＠symas.com 11 Aug '09

11 Aug '09

michael(a)stroeder.com wrote: > Full_Name: Michael Ströder > Version: HEAD > OS: openSUSE Linux 11.1 > URL: > Submission from: (NULL) (84.163.50.194) > > > If one trys to set the userPassword with a Password Modify ext. op. request but > the object classes of the entry does not allow userPassword slapd could add > automagically AUXILIARY object class simpleSecurityObject to the entry. > > (I'm doing this in web2ldap since years when changing the userPassword with a > normal modify operation which client-side hashing.) This request sounds like a mistake to me. The DSA is supposed to enforce the data model, not automagically enable you to bypass the model. What clients do is a completely separate matter... -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Re: (ITS#6249) Feature request: Password Modify ext. op. and anonymous LDAP connection
by hyc＠symas.com 11 Aug '09

11 Aug '09

michael(a)stroeder.com wrote: > Full_Name: Michael Ströder > Version: HEAD > OS: > URL: > Submission from: (NULL) (84.163.50.194) > > > I'd like to request that a Password Modify ext. op. request should succeed on a > LDAP connection as anonymous if the LDAP client provides the correct old > password. > > E.g. OpenDS implements it like this and it makes sense to me regarding a user > setting a new password in case of an expired password. Adding this feature would open up the pwdModify exop as a mechanism for password guessing attacks. In fact, in the next draft of the ppolicy spec I was intending to explicitly forbid this type of usage, to prevent such attacks. http://www.openldap.org/lists/ietf-ldapext/200908/msg00006.html The ppolicy spec provides for grace logins after a password is expired, to give users a few last opportunities to change their password. If they don't take advantage of those grace logins, then they are out of luck and must get help from a password administrator. I'm going to reject this ITS. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

← Newer
1
...
13
14
15
16
17
18
19
...
23
Older →

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-bugs August 2009