openldap-bugs August 2017

openldap-bugs@openldap.org

19 participants
52 discussions

Re: (ITS#8720) back_ldap result timeout failure on high latency connections (TLS ONLY)
by hyc＠symas.com 31 Aug '17

31 Aug '17

mikedotjackson(a)gmail.com wrote: > Full_Name: Mike Jackson > Version: 2.4.45 > OS: Linux > URL: ftp://ftp.openldap.org/incoming/ > Submission from: (NULL) (194.157.185.162) > > > Push replication via TLS fails to remote servers where the TCP/IP round-trip > time is greater than 100ms. When the return packets finally arrive, the > initiating server will close the connection with RST RST RST, which results in > TLS NEGOTIATION FAILURE. If TLS is not used, then the high-latency connection > will function normally and replication will occur. > > The 100ms time limit comes from here: > > servers/slapd/back-ldap/back-ldap.h: #define LDAP_BACK_RESULT_UTIMEOUT > (100000) > > Reference commit 112be0118e43c161d44de6e852cca9f517bb653d from 2005. > > HYC: "Ando ported timeout code from back-meta into back-ldap but he never ported > the config keyword that sets the timeout number of retries" > > In addition, the back_ldap man page is not up to date. > > > My temporary workaround was to set LDAP_BACK_RESULT_UTIMEOUT (900000) (900ms) > and recompile. Problem immediately went away, but this is not a correct approach > and the retry counter should be runtime configurable. back-ldap has been fixed to use the configured timeout for exops here. Fix is in git master. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

(ITS#8720) back_ldap result timeout failure on high latency connections (TLS ONLY)
by mikedotjackson＠gmail.com 31 Aug '17

31 Aug '17

Full_Name: Mike Jackson Version: 2.4.45 OS: Linux URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (194.157.185.162) Push replication via TLS fails to remote servers where the TCP/IP round-trip time is greater than 100ms. When the return packets finally arrive, the initiating server will close the connection with RST RST RST, which results in TLS NEGOTIATION FAILURE. If TLS is not used, then the high-latency connection will function normally and replication will occur. The 100ms time limit comes from here: servers/slapd/back-ldap/back-ldap.h: #define LDAP_BACK_RESULT_UTIMEOUT (100000) Reference commit 112be0118e43c161d44de6e852cca9f517bb653d from 2005. HYC: "Ando ported timeout code from back-meta into back-ldap but he never ported the config keyword that sets the timeout number of retries" In addition, the back_ldap man page is not up to date. My temporary workaround was to set LDAP_BACK_RESULT_UTIMEOUT (900000) (900ms) and recompile. Problem immediately went away, but this is not a correct approach and the retry counter should be runtime configurable.

1 0

Re: (ITS#6835) extend pwFailureTime timestamp to microsecond resolution to improve pwdMaxFailure enforcement
by quanah＠symas.com 30 Aug '17

30 Aug '17

Hi Brian, I just wanted to follow up and let you know this was taken care of in ITS#7161 and the fix was part of the OpenLDAP 2.4.40 release. Regards, Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

1 0

Re: (ITS#8719) slapd_crypt() become slow when many ldap cliant connections occur.
by yos-nishino＠ys.jp.nec.com 30 Aug '17

30 Aug '17

RGVhciBIb3dhcmQtc2FuLA0KDQoNClRoYW5rIHlvdSBzbyBtdWNoIGZvciB5b3VyIHByb21wdCBh ZHZpY2UuDQoNCkFzIHlvdSB0b2xkLCBJIG5lZWQgdG8gY2hlY2sgd2hldGhlciBvciBub3QgY3J5 cHRfcigpIGV4aXN0cy4NCkkgYW0gZ29pbmcgdG8gY29uc2lkZXIgaW5jbHVkaW5nIHRoZSBjaGVj ay4NCg0KV291bGQgaXQgYmUgcG9zc2libGUgdG8gbGV0IG1lIGtub3cgd2hldGhlciB0aGVyZSBh cmUgYW55IG90aGVyIGNvbmNlcm5zIA0KYWJvdXQgdGhlIGZpeCBpZiB3ZSBjYW4gdXNlIGNyeXB0 X3IoKT8NCg0KVGhlIGltcGxlbWVudGF0aW9uIHRoYXQgImJvdGggY2FsbG9jKCkgYW5kIGZyZWUo KSBvY2N1ciBldmVyeSB0aW1lIA0Kc2xhcGRfY3J5cHQoKSBpcyBjYWxsZWQiIGRvZXMgbm90IHNl ZW0gdG8gbG9vayBnb29kLg0KVGhlIGNhbGxlcnMgb2Ygc2xhcGRfY3J5cHQoKSBtaWdodCBiZSBh YmxlIHRvIGdldCB0aGUgbWVtb3J5IGZvciAic3RydWN0IA0KY3J5cHRfZGF0YSIgYmVmb3JlIHRo ZXkgY2FsbCBpdC4NCkhvd2V2ZXIsIEkgdGhpbmsgaXQgY2F1c2VzIHRoZSBjaGFuZ2VzIG9mIG90 aGVyIHNvdXJjZSBjb2Rlcy4NClNvLCBJIHRoaW5rIHRoZSBhZm9yZW1lbnRpb25lZCBpbXBsZW1l bnRhdGlvbiBpcyBhIHdvcmthcm91bmQgZm9yIHRoZSANCnNsb3dkb3duIGlmIHRoZSByaXNrIG9m IG1lbW9yeSBmcmFnbWVudGF0aW9uIGNhbiBiZSBhY2NlcHRhYmxlLg0KDQpPbiB0aGUgb3RoZXIg aGFuZHMsIEkgdGhpbmsgd2UgZG8gbm90IG5lZWQgdG8gY2FyZSBhYm91dCBzdHJjbXAoKSANCmJl Y2F1c2UgaXQgaXMgdGhyZWFkLXNhZmUuDQoNCg0KQmVzdCBSZWdhcmRzLA0KLS0tLS0tLS0tLS0t LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ0KT24gMjAxNy8wOC8zMCAxOToyNiwgSG93YXJk IENodSB3cm90ZToNCj4geW9zLW5pc2hpbm9AeXMuanAubmVjLmNvbSB3cm90ZToNCj4+IEZ1bGxf TmFtZTogWW9zaGlub3JpIE5pc2hpbm8NCj4+IFZlcnNpb246IDIuNC40NQ0KPj4gT1M6IENlbnRP UyA3DQo+PiBVUkw6IGZ0cDovL2Z0cC5vcGVubGRhcC5vcmcvaW5jb21pbmcvDQo+PiBTdWJtaXNz aW9uIGZyb206IChOVUxMKSAoMjEwLjE0My4zNS4yMCkNCj4+DQo+Pg0KPj4gRGVhciBzaXIsDQo+ Pg0KPj4gVGhlIGZ1bmN0aW9uIHNsYXBkX2NyeXB0KCkgaW4gc2VydmVycy9zbGFwZC9wYXNzd2Qu YyBzZWVtcyB0byBiZWNvbWUgDQo+PiBzbG93IHdoZW4NCj4+IG1hbnkgbGRhcCBjbGllbnQgY29u bmVjdGlvbnMgb2NjdXIuDQo+PiBJdCBzZWVtcyBpdCBpcyBiZWNhdXNlIHRoZSBmdW5jdGlvbiB1 c2VzIGNyeXB0KCkobm9uIHRocmVhZC1zYWZlIA0KPj4gZnVuY3Rpb24pIGFuZA0KPj4gcHRocmVh ZF9tdXRleF9sb2NrKCksIHdoaWNoIHJlc3VsdHMgaW4gdGhlIHNsb3dkb3duLg0KPj4gI0Jlc2lk ZXMsIHdlIG5lZWQgdG8gdXNlIHtDUllQVH0gaGFzaCBhcyB1c2VycycgcGFzc3dvcmQgaGFzaC4N Cj4+DQo+PiBTbywgSSBtb2RpZmllZCBzZXJ2ZXJzL3NsYXBkL3Bhc3N3ZC5jIGxpa2UgdGhlIGZv bGxvd2luZy4NCj4+IEFzIGEgcmVzdWx0LCBzbGFwZF9jcnlwdCgpIGJlY29tZXMgbXVjaCBmYXN0 ZXIgdW5kZXIgdGhlIHNhbWUgY29uZGl0aW9uLg0KPj4gV291bGQgeW91IGxldCBtZSBrbm93IHdo ZXRoZXIgb3Igbm90IHRoZSBmaXggaXMgYXBwcm9wcmlhdGUgZm9yIHNsYXBkPw0KPiANCj4gTm8g aXQgaXMgbm90IGFuIGFwcHJvcHJpYXRlIGZpeC4NCj4gDQo+IFlvdSBzaG91bGQgYWRkIGFuIGF1 dG9jb25mIHRlc3QgdG8gY2hlY2sgZm9yIHRoZSBleGlzdGVuY2Ugb2YgdGhlIA0KPiBjcnlwdF9y IGZ1bmN0aW9uLCBhbmQgdXNlIGFuICNpZmRlZiBoZXJlIGJhc2VkIG9uIHRoZSByZXN1bHQgb2Yg dGhhdCANCj4gdGVzdCwgc2luY2UgY3J5cHRfciBpcyBhIG5vbi1zdGFuZGFyZCBmdW5jdGlvbi4N Cj4+DQo+PiA9PT09PQ0KPj4gc3RhdGljIGludCBzbGFwZF9jcnlwdCggY29uc3QgY2hhciAqa2V5 LCBjb25zdCBjaGFyICpzYWx0LCBjaGFyICoqaGFzaCApDQo+PiB7DQo+PiDCoMKgwqDCoGNoYXIg KmNyOw0KPj4gwqDCoMKgwqBpbnQgcmM7DQo+PiDCoMKgwqDCoMKgwqDCoMKgIHN0cnVjdCBjcnlw dF9kYXRhICpkYXRhOw0KPj4NCj4+IMKgwqDCoMKgwqDCoMKgwqAgZGF0YSA9IChzdHJ1Y3QgY3J5 cHRfZGF0YSAqKWNhbGxvYygxLCBzaXplb2Yoc3RydWN0IA0KPj4gY3J5cHRfZGF0YSkpOw0KPj4g wqDCoMKgwqAvKiBsZGFwX3B2dF90aHJlYWRfbXV0ZXhfbG9jayggJnBhc3N3ZF9tdXRleCApOyAq Lw0KPj4NCj4+IMKgwqDCoMKgLyogY3IgPSBjcnlwdCgga2V5LCBzYWx0ICk7ICovDQo+PiDCoMKg wqDCoGNyID0gY3J5cHRfcigga2V5LCBzYWx0LCBkYXRhICk7DQo+PiDCoMKgwqDCoGlmICggY3Ig PT0gTlVMTCB8fCBjclswXSA9PSAnXDAnICkgew0KPj4gwqDCoMKgwqDCoMKgwqAgLyogc2FsdCBt dXN0IGhhdmUgYmVlbiBpbnZhbGlkICovDQo+PiDCoMKgwqDCoMKgwqDCoCByYyA9IExVVElMX1BB U1NXRF9FUlI7DQo+PiDCoMKgwqDCoH0gZWxzZSB7DQo+PiDCoMKgwqDCoMKgwqDCoCBpZiAoIGhh c2ggKSB7DQo+PiDCoMKgwqDCoMKgwqDCoMKgwqDCoMKgIGxkYXBfcHZ0X3RocmVhZF9tdXRleF9s b2NrKCAmcGFzc3dkX211dGV4ICk7DQo+PiDCoMKgwqDCoMKgwqDCoMKgwqDCoMKgICpoYXNoID0g YmVyX3N0cmR1cCggY3IgKTsNCj4+IMKgwqDCoMKgwqDCoMKgwqDCoMKgwqAgbGRhcF9wdnRfdGhy ZWFkX211dGV4X3VubG9jayggJnBhc3N3ZF9tdXRleCApOw0KPj4gwqDCoMKgwqDCoMKgwqDCoMKg wqDCoCByYyA9IExVVElMX1BBU1NXRF9PSzsNCj4+DQo+PiDCoMKgwqDCoMKgwqDCoCB9IGVsc2Ug ew0KPj4gwqDCoMKgwqDCoMKgwqDCoMKgwqDCoCByYyA9IHN0cmNtcCggc2FsdCwgY3IgKSA/IExV VElMX1BBU1NXRF9FUlIgOiBMVVRJTF9QQVNTV0RfT0s7DQo+PiDCoMKgwqDCoMKgwqDCoCB9DQo+ PiDCoMKgwqDCoH0NCj4+DQo+PiDCoMKgwqDCoMKgwqDCoMKgIGZyZWUoZGF0YSk7DQo+PiDCoMKg wqDCoC8qIGxkYXBfcHZ0X3RocmVhZF9tdXRleF91bmxvY2soICZwYXNzd2RfbXV0ZXggKTsgKi8N Cj4+IMKgwqDCoMKgcmV0dXJuIHJjOw0KPj4gfQ0KPj4NCj4+ID09PT0NCj4+DQo+PiAjICIjZGVm aW5lIF9fVVNFX0dOVSIgaXMgYWxzbyByZXF1aXJlZCB0byBidWlsZCBzbGFwZC4NCj4+DQo+Pg0K Pj4gQmVzdCBSZWdhcmRzLA0KPj4NCj4+DQo+Pg0KPiANCj4gDQoNCi0tIA0KKioqKioqKioqKioq KioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqDQpZb3NoaW5vcmkgTmlzaGlubw0K DQpORUMgU29sdXRpb24gSW5ub3ZhdG9ycywgTHRkLg0KMS0xOC03IFNoaW5raWJhLCBLb3RvLWt1 LCBUb2t5bywgMTM2LTg2MjcgSmFwYW4NCkUtTUFJTDogeW9zLW5pc2hpbm9AeXMuanAubmVjLmNv bQ0KKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioq

1 0

Re: (ITS#8719) slapd_crypt() become slow when many ldap cliant connections occur.
by hyc＠symas.com 30 Aug '17

30 Aug '17

yos-nishino(a)ys.jp.nec.com wrote: > Full_Name: Yoshinori Nishino > Version: 2.4.45 > OS: CentOS 7 > URL: ftp://ftp.openldap.org/incoming/ > Submission from: (NULL) (210.143.35.20) > > > Dear sir, > > The function slapd_crypt() in servers/slapd/passwd.c seems to become slow when > many ldap client connections occur. > It seems it is because the function uses crypt()(non thread-safe function) and > pthread_mutex_lock(), which results in the slowdown. > #Besides, we need to use {CRYPT} hash as users' password hash. > > So, I modified servers/slapd/passwd.c like the following. > As a result, slapd_crypt() becomes much faster under the same condition. > Would you let me know whether or not the fix is appropriate for slapd? No it is not an appropriate fix. You should add an autoconf test to check for the existence of the crypt_r function, and use an #ifdef here based on the result of that test, since crypt_r is a non-standard function. > > ===== > static int slapd_crypt( const char *key, const char *salt, char **hash ) > { > char *cr; > int rc; > struct crypt_data *data; > > data = (struct crypt_data *)calloc(1, sizeof(struct crypt_data)); > /* ldap_pvt_thread_mutex_lock( &passwd_mutex ); */ > > /* cr = crypt( key, salt ); */ > cr = crypt_r( key, salt, data ); > if ( cr == NULL || cr[0] == '\0' ) { > /* salt must have been invalid */ > rc = LUTIL_PASSWD_ERR; > } else { > if ( hash ) { > ldap_pvt_thread_mutex_lock( &passwd_mutex ); > *hash = ber_strdup( cr ); > ldap_pvt_thread_mutex_unlock( &passwd_mutex ); > rc = LUTIL_PASSWD_OK; > > } else { > rc = strcmp( salt, cr ) ? LUTIL_PASSWD_ERR : LUTIL_PASSWD_OK; > } > } > > free(data); > /* ldap_pvt_thread_mutex_unlock( &passwd_mutex ); */ > return rc; > } > > ==== > > # "#define __USE_GNU" is also required to build slapd. > > > Best Regards, > > > -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

(ITS#8719) slapd_crypt() become slow when many ldap cliant connections occur.
by yos-nishino＠ys.jp.nec.com 30 Aug '17

30 Aug '17

Full_Name: Yoshinori Nishino Version: 2.4.45 OS: CentOS 7 URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (210.143.35.20) Dear sir, The function slapd_crypt() in servers/slapd/passwd.c seems to become slow when many ldap client connections occur. It seems it is because the function uses crypt()(non thread-safe function) and pthread_mutex_lock(), which results in the slowdown. #Besides, we need to use {CRYPT} hash as users' password hash. So, I modified servers/slapd/passwd.c like the following. As a result, slapd_crypt() becomes much faster under the same condition. Would you let me know whether or not the fix is appropriate for slapd? ===== static int slapd_crypt( const char *key, const char *salt, char **hash ) { char *cr; int rc; struct crypt_data *data; data = (struct crypt_data *)calloc(1, sizeof(struct crypt_data)); /* ldap_pvt_thread_mutex_lock( &passwd_mutex ); */ /* cr = crypt( key, salt ); */ cr = crypt_r( key, salt, data ); if ( cr == NULL || cr[0] == '\0' ) { /* salt must have been invalid */ rc = LUTIL_PASSWD_ERR; } else { if ( hash ) { ldap_pvt_thread_mutex_lock( &passwd_mutex ); *hash = ber_strdup( cr ); ldap_pvt_thread_mutex_unlock( &passwd_mutex ); rc = LUTIL_PASSWD_OK; } else { rc = strcmp( salt, cr ) ? LUTIL_PASSWD_ERR : LUTIL_PASSWD_OK; } } free(data); /* ldap_pvt_thread_mutex_unlock( &passwd_mutex ); */ return rc; } ==== # "#define __USE_GNU" is also required to build slapd. Best Regards,

1 0

Re: (ITS#8485) [PATCH] Adding support for encrypted server private keys
by ahnolds＠gmail.com 28 Aug '17

28 Aug '17

--94eb2c0477b011a5720557daad8c Content-Type: text/plain; charset="UTF-8" I take it that this enhancement on the client side API isn't something you think would be useful. If that's the case, feel free to close this ticket, and best of luck with your ongoing development! On Wed, Feb 22, 2017 at 8:49 PM, Alec C <ahnolds(a)gmail.com> wrote: > I completely agree that this doesn't add any security when running slapd. > However, when I originally wrote this patch, I was more targeting API > usage, and in particular, client-side API usage. My goal was to allow a > user to present an encrypted key (stored on disk) and a password (only held > in memory), and use these to query a secure LDAP server. The issue of how > the password got into memory is certainly beyond the scope of OpenLDAP in > this case, but it certainly could be done securely in a way that wouldn't > leave it exposed to a third-party with file-system access. > > For example (in the use case that motivated me originally), an sysadmin > could input the password through an online form, submit said form to a > Python webserver over HTTPS, the Python code could pass the password to > OpenLDAP through a Python interface like python-ldap ( > https://www.python-ldap.org/), and then use the LDAPS or STARTTLS > connection to talk securely to some LDAP server elsewhere. All without an > unencrypted keyfile or a password ever existing on disk, hence the added > security. > > If you feel that supporting encrypted keyfiles in slapd is a bad design > choice, I'm willing to rework the patch to drop that part and only keep the > API-level support. Personally, I would argue that it doesn't hurt to > support the feature, although perhaps my documentation changes could do a > better job emphasizing the inherent security limitations. Let me know what > you think (or if this discussion should take place on a list, let me know > which/where). > > > On Wed, Feb 22, 2017 at 1:11 PM, Howard Chu <hyc(a)symas.com> wrote: > >> ahnolds(a)gmail.com wrote: >> >>> Full_Name: Alec Cooper >>> Version: HEAD of master branch >>> OS: Ubuntu Linux 16.04 >>> URL: ftp://ftp.openldap.org/incoming/Alec-Cooper-160827.patch >>> Submission from: (NULL) (73.134.243.211) >>> >>> >>> Adding support for encrypted server private keys. >>> >> >> Thank you for your submission. I must compliment you on providing such a >> comprehensive and well-written contribution. Unfortunately the feature >> itself is clearly not useful. Perhaps you should have raised this topic on >> the openldap-devel list for discussion before spending your time writing it. >> >> All your feature does is embed the encryption key in the filesystem, so >> an encrypted private key is still no more secure than an unencrypted one. >> It still just depends on setting proper file access permissions, and the >> current documentation already makes that point. >> >> Indeed, all it does is give the false illusion of enhancing security, and >> followups like balmerpeak92(a)gmail.com's shows that people will easily >> fall for such illusions. >> >> I regret having to reject such a well written contribution, but we cannot >> in good conscience accept a security feature that doesn't actually improve >> security. >> >>> >>> The meat of this patch is changes to tls2.c, tls_g.c, tls_m.c, and >>> tls_o.c to >>> send a password to the underlying TLS library. >>> >>> Changes to ldap.h, init.c and ldap-int.h expose the new >>> LDAP_OPT_X_TLS_KEYPASSWORD in the main API. >>> >>> Changes in the contrib/ldapc++ directory expose the corresponding >>> TlsOptions::KEYPASSWORD option in the C++ API. >>> >>> Changes in the servers directory expose equivalent options for servers as >>> configuration file entries or environment variables. >>> >>> Changes in the doc directory add documentation about the new options and >>> remove >>> statements that indicated that encrypted keyfiles are not supported. >>> >>> New files in the test directory are for testing TLS connections, both in >>> general >>> and with encrypted keyfiles. Tests pass for OpenSSL and GnuTLS using PEM >>> formatted certs and keys, and for MozNSS using cert/key databases. The >>> new unit >>> test (test065-tls) has been written to detect when using NSS, and use the >>> cert/key databases in this case. I have been unable to get a working >>> version of >>> libnsspem, so I cannot test MozNSS with (or without) encrypted keyfiles - >>> testing for this case would be welcome! >>> >>> Notice of origin: The attached patch file is derived from OpenLDAP >>> Software. All >>> of the modifications to OpenLDAP Software represented in the following >>> patch >>> were developed by Alec Cooper ahnolds(a)gmail.com. I have not assigned >>> rights >>> and/or interest in this work to any party. >>> Rights statement: I, Alec Cooper, hereby place the following >>> modifications to >>> OpenLDAP Software (and only these modifications) into the public domain. >>> Hence, >>> these modifications may be freely used and/or redistributed for any >>> purpose with >>> or without attribution and/or other notice. >>> >>> The patch has been uploaded to the OpenLDAP FTP server and can be found >>> at >>> ftp://ftp.openldap.org/incoming/Alec-Cooper-160827.patch >>> >>> >>> >> >> -- >> -- Howard Chu >> CTO, Symas Corp. http://www.symas.com >> Director, Highland Sun http://highlandsun.com/hyc/ >> Chief Architect, OpenLDAP http://www.openldap.org/project/ >> > > --94eb2c0477b011a5720557daad8c Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable <div dir=3D"ltr">I take it that this enhancement on the client side API isn= 't something you think would be useful. If that's the case, feel fr= ee to close this ticket, and best of luck with your ongoing development!</d= iv><div class=3D"gmail_extra"><br><div class=3D"gmail_quote">On Wed, Feb 22= , 2017 at 8:49 PM, Alec C <span dir=3D"ltr"><<a href=3D"mailto:ahnolds@g= mail.com" target=3D"_blank">ahnolds(a)gmail.com</a>></span> wrote:<br><blo= ckquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1px #c= cc solid;padding-left:1ex"><div dir=3D"ltr">I completely agree that this do= esn't add any security when running slapd. However, when I originally w= rote this patch, I was more targeting API usage, and in particular, client-= side API usage. My goal was to allow a user to present an encrypted key (st= ored on disk) and a password (only held in memory), and use these to query = a secure LDAP server. The issue of how the password got into memory is cert= ainly beyond the scope of OpenLDAP in this case, but it certainly could be = done securely in a way that wouldn't leave it exposed to a third-party = with file-system access.<div><br></div><div>For example (in the use case th= at motivated me originally), an sysadmin could input the password through a= n online form, submit said form to a Python webserver over HTTPS, the Pytho= n code could pass the password to OpenLDAP through a Python interface like = python-ldap (<a href=3D"https://www.python-ldap.org/" target=3D"_blank">htt= ps://www.python-ldap.org/</a>)<wbr>, and then use the LDAPS or STARTTLS con= nection to talk securely to some LDAP server elsewhere. All without an unen= crypted keyfile or a password ever existing on disk, hence the added securi= ty.<div><br></div><div>If you feel that supporting encrypted keyfiles in sl= apd is a bad design choice, I'm willing to rework the patch to drop tha= t part and only keep the API-level support. Personally, I would argue that = it doesn't hurt to support the feature, although perhaps my documentati= on changes could do a better job emphasizing the inherent security limitati= ons. Let me know what you think (or if this discussion should take place on= a list, let me know which/where).=C2=A0</div></div><div><br></div></div><d= iv class=3D"HOEnZb"><div class=3D"h5"><div class=3D"gmail_extra"><br><div c= lass=3D"gmail_quote">On Wed, Feb 22, 2017 at 1:11 PM, Howard Chu <span dir= =3D"ltr"><<a href=3D"mailto:hyc@symas.com" target=3D"_blank">hyc(a)symas.c= om</a>></span> wrote:<br><blockquote class=3D"gmail_quote" style=3D"marg= in:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><a href=3D"mailt= o:ahnolds@gmail.com" target=3D"_blank">ahnolds(a)gmail.com</a> wrote:<br> <blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1p= x #ccc solid;padding-left:1ex"> Full_Name: Alec Cooper<br> Version: HEAD of master branch<br> OS: Ubuntu Linux 16.04<br> URL: <a href=3D"ftp://ftp.openldap.org/incoming/Alec-Cooper-160827.patch" r= el=3D"noreferrer" target=3D"_blank">ftp://ftp.openldap.org/incomin<wbr>g/Al= ec-Cooper-160827.patch</a><br> Submission from: (NULL) (73.134.243.211)<br> <br> <br> Adding support for encrypted server private keys.<br> </blockquote> <br> Thank you for your submission. I must compliment you on providing such a co= mprehensive and well-written contribution. Unfortunately the feature itself= is clearly not useful. Perhaps you should have raised this topic on the op= enldap-devel list for discussion before spending your time writing it.<br> <br> All your feature does is embed the encryption key in the filesystem, so an = encrypted private key is still no more secure than an unencrypted one. It s= till just depends on setting proper file access permissions, and the curren= t documentation already makes that point.<br> <br> Indeed, all it does is give the false illusion of enhancing security, and f= ollowups like <a href=3D"mailto:balmerpeak92@gmail.com" target=3D"_blank">b= almerpeak92(a)gmail.com</a>'s shows that people will easily fall for such= illusions.<br> <br> I regret having to reject such a well written contribution, but we cannot i= n good conscience accept a security feature that doesn't actually impro= ve security.<br> <blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1p= x #ccc solid;padding-left:1ex"> <br> The meat of this patch is changes to tls2.c, tls_g.c, tls_m.c, and tls_o.c = to<br> send a password to the underlying TLS library.<br> <br> Changes to ldap.h, init.c and ldap-int.h expose the new<br> LDAP_OPT_X_TLS_KEYPASSWORD in the main API.<br> <br> Changes in the contrib/ldapc++ directory expose the corresponding<br> TlsOptions::KEYPASSWORD option in the C++ API.<br> <br> Changes in the servers directory expose equivalent options for servers as<b= r> configuration file entries or environment variables.<br> <br> Changes in the doc directory add documentation about the new options and re= move<br> statements that indicated that encrypted keyfiles are not supported.<br> <br> New files in the test directory are for testing TLS connections, both in ge= neral<br> and with encrypted keyfiles. Tests pass for OpenSSL and GnuTLS using PEM<br= > formatted certs and keys, and for MozNSS using cert/key databases. The new = unit<br> test (test065-tls) has been written to detect when using NSS, and use the<b= r> cert/key databases in this case. I have been unable to get a working versio= n of<br> libnsspem, so I cannot test MozNSS with (or without) encrypted keyfiles -<b= r> testing for this case would be welcome!<br> <br> Notice of origin: The attached patch file is derived from OpenLDAP Software= . All<br> of the modifications to OpenLDAP Software represented in the following patc= h<br> were developed by Alec Cooper <a href=3D"mailto:ahnolds@gmail.com" target= =3D"_blank">ahnolds(a)gmail.com</a>. I have not assigned rights<br> and/or interest in this work to any party.<br> Rights statement: I, Alec Cooper, hereby place the following modifications = to<br> OpenLDAP Software (and only these modifications) into the public domain. He= nce,<br> these modifications may be freely used and/or redistributed for any purpose= with<br> or without attribution and/or other notice.<br> <br> The patch has been uploaded to the OpenLDAP FTP server and can be found at<= br> <a href=3D"ftp://ftp.openldap.org/incoming/Alec-Cooper-160827.patch" rel=3D= "noreferrer" target=3D"_blank">ftp://ftp.openldap.org/incomin<wbr>g/Alec-Co= oper-160827.patch</a><br> <br> <br><span class=3D"m_-1938021547848690298HOEnZb"><font color=3D"#888888"> </font></span></blockquote><span class=3D"m_-1938021547848690298HOEnZb"><fo= nt color=3D"#888888"> <br> <br> -- <br> =C2=A0 -- Howard Chu<br> =C2=A0 CTO, Symas Corp.=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0<a href=3D"= http://www.symas.com" rel=3D"noreferrer" target=3D"_blank">http://www.symas= .com</a><br> =C2=A0 Director, Highland Sun=C2=A0 =C2=A0 =C2=A0<a href=3D"http://highland= sun.com/hyc/" rel=3D"noreferrer" target=3D"_blank">http://highlandsun.com/h= yc/</a><br> =C2=A0 Chief Architect, OpenLDAP=C2=A0 <a href=3D"http://www.openldap.org/p= roject/" rel=3D"noreferrer" target=3D"_blank">http://www.openldap.org/proje= c<wbr>t/</a><br> </font></span></blockquote></div><br></div> </div></div></blockquote></div><br></div> --94eb2c0477b011a5720557daad8c--

1 0

Re: (ITS#8701) account usability control for password less logins
by benjamin.chang＠oracle.com 28 Aug '17

28 Aug '17

This is a multi-part message in MIME format. --------------6CCE37E19DCAC5B8EF15AF2F Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 7bit Please disregard the previous workaround proposal, it was incorrect. The corrected workaround proposal: The idea is to determine the account/password state on the client side (since there's no easy way to get the server to provide the state without using the user's password). This was accomplished in a prototype by retrieving the /pwdPolicySubentry/, the policy setting, other operational attributes such as /pwdChangedTime/, /pwdAccountLockedTime/, /pwdFailureTime/, and /pwdGraceUseTime/. These were used to determine the account/password state. Is this reasonable and safe to do? On 08/02/2017 07:31 AM, Ben Chang wrote: > Question about a proposed workaround: > > Would it be possible to use slapo-ppolicy to set the pwdPolicySubentry > attribute for each user to provide the desired > 1.3.6.1.4.1.42.2.27.9.5.8 control response (see > http://ldapwiki.com/wiki/Account%20Usability%20Request%20Control), > i.e., can pwdPolicySubentry be used supply the sub-entry and related > operational attributes needed to validate users for password-less logins? > --------------6CCE37E19DCAC5B8EF15AF2F Content-Type: text/html; charset=utf-8 Content-Transfer-Encoding: 7bit <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> </head> <body text="#000000" bgcolor="#FFFFFF"> <p>Please disregard the previous workaround proposal, it was incorrect. The corrected workaround proposal:</p> <p> The idea is to determine the account/password state on the client side (since there's no easy way to get the server to provide the state without using the user's password). This was accomplished in a prototype by retrieving the <i>pwdPolicySubentry</i>, the policy setting, other operational attributes such as <i>pwdChangedTime</i>, <i>pwdAccountLockedTime</i>, <i>pwdFailureTime</i>, and <i>pwdGraceUseTime</i>. These were used to determine the account/password state.</p> <p>Is this reasonable and safe to do? </p> <br> <div class="moz-cite-prefix">On 08/02/2017 07:31 AM, Ben Chang wrote:<br> </div> <blockquote type="cite" cite="mid:52bb394d-41f9-746e-28d9-200370b94fbe@oracle.com">Question about a proposed workaround: <br> <br> Would it be possible to use slapo-ppolicy to set the pwdPolicySubentry attribute for each user to provide the desired 1.3.6.1.4.1.42.2.27.9.5.8 control response (see <a class="moz-txt-link-freetext" href="http://ldapwiki.com/wiki/Account%20Usability%20Request%20Control">http://ldapwiki.com/wiki/Account%20Usability%20Request%20Control</a>), i.e., can pwdPolicySubentry be used supply the sub-entry and related operational attributes needed to validate users for password-less logins? <br> <br> </blockquote> <br> </body> </html> --------------6CCE37E19DCAC5B8EF15AF2F--

1 0

Re: (ITS#8714) RFE: Sendout EXTENDED operation message in back-sock
by hyc＠symas.com 27 Aug '17

27 Aug '17

Michael Str=C3=B6der wrote: > Howard Chu wrote: >> michael(a)stroeder.com wrote: >>> + /* write out the request to the extended process */ >>> + fprintf( fp, "EXTENDED\n" ); >>> + fprintf( fp, "msgid: %ld\n", (long) op->o_msgid ); >>> + sock_print_conn( fp, op->o_conn, si ); >>> + sock_print_suffixes( fp, op->o_bd ); >>> + fprintf( fp, "oid: %s\n", op->ore_reqoid.bv_val ); >>> + if (op->ore_reqdata) { >>> + fprintf( fp, "valuelen: %lu\n", op->ore_reqdata->bv_len ); >>> + fprintf( fp, "value: %s\n", op->ore_reqdata->bv_val ); >>> + } >>> + fprintf( fp, "\n" ); >> >> This isn't safe. The reqdata is binary, not a nul-terminated C string.= I suppose you >> could hex or base64-encode it instead. >=20 > Frankly I don't understand. >=20 > I considered using base64 but I wanted to stick to what's already done = in back-sock. >=20 > See openldap/servers/slapd/back-sock/bind.c for the password value whic= h is also an > arbitrary OctetString: >=20 > /* write out the request to the bind process */ > [..] > fprintf( fp, "credlen: %lu\n", op->oq_bind.rb_cred.bv_len ); > fprintf( fp, "cred: %s\n", op->oq_bind.rb_cred.bv_val ); /* XXX */ > fprintf( fp, "\n" ); >=20 > The above should also work with null-bytes, shoudn't it? No, it's a bug. Probably a benign bug because it's difficult for users to= =20 create passwords with embedded NULs. --=20 -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Re: (ITS#8714) RFE: Sendout EXTENDED operation message in back-sock
by michael＠stroeder.com 27 Aug '17

27 Aug '17

Howard Chu wrote: > michael(a)stroeder.com wrote: >> + /* write out the request to the extended process */ >> + fprintf( fp, "EXTENDED\n" ); >> + fprintf( fp, "msgid: %ld\n", (long) op->o_msgid ); >> + sock_print_conn( fp, op->o_conn, si ); >> + sock_print_suffixes( fp, op->o_bd ); >> + fprintf( fp, "oid: %s\n", op->ore_reqoid.bv_val ); >> + if (op->ore_reqdata) { >> + fprintf( fp, "valuelen: %lu\n", op->ore_reqdata->bv_len ); >> + fprintf( fp, "value: %s\n", op->ore_reqdata->bv_val ); >> + } >> + fprintf( fp, "\n" ); > > This isn't safe. The reqdata is binary, not a nul-terminated C string. I suppose you > could hex or base64-encode it instead. Frankly I don't understand. I considered using base64 but I wanted to stick to what's already done in back-sock. See openldap/servers/slapd/back-sock/bind.c for the password value which is also an arbitrary OctetString: /* write out the request to the bind process */ [..] fprintf( fp, "credlen: %lu\n", op->oq_bind.rb_cred.bv_len ); fprintf( fp, "cred: %s\n", op->oq_bind.rb_cred.bv_val ); /* XXX */ fprintf( fp, "\n" ); The above should also work with null-bytes, shoudn't it? Ciao, Michael.

1 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-bugs August 2017