Hi, when using proxy authentication with strong bind, the attribute userPassword has to have read access, that is, auth access is not sufficient. Is there any particular reason for this potential security hole?
slapd[7028]: => acl_mask: access to entry "cn=Dieter Kluenter,ou=Partner,o=avci,c=de", attr "userPassword" requested
slapd[7028]: => acl_mask: to value by "cn=admanager,o=avci,c=de", (=0)
slapd[7028]: <= check a_dn_pat: self
slapd[7028]: <= check a_dn_pat: *
slapd[7028]: <= acl_mask: [2] applying auth(=xd) (stop)
slapd[7028]: <= acl_mask: [2] mask: auth(=xd)
slapd[7028]: => slap_access_allowed: read access denied by auth(=xd)
slapd[7028]: => access_allowed: no more rules
slapd[7028]: send_search_entry: conn 3 access to attribute userPassword, value #0 not allowed
-Dieter
Dieter Kluenter wrote:
when using proxy authentication with strong bind, the attribute userPassword has to have read access, that is, auth access is not sufficient. Is there any particular reason for this potential security hole?
Well, if you want to use strong auth at the proxy side, the proxy needs to be able to check the password itself, and this requires the password.
OpenLDAP's proxy is not a SASL proxy, nor does my (partial) knowledge of SASL allow me to state that a SASL proxy is at all possible for all mechs. If it is, adding SASL proxying capabilities to OpenLDAP proxy backends would be an interesting extension.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office:   +39 02 23998309
Mobile:   +39 333 4963172
Email:    pierangelo.masarati@sys-net.it
---------------------------------------
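An added slapd.conf ACL example (not from this thread) showing the least-privilege way to grant the read access the reply above describes: only the identity the proxy binds with gets read on userPassword, everyone else keeps auth-only. The entry and identity DNs are taken from the log in the original question; that cn=admanager,o=avci,c=de is the DN the proxy binds with is an assumption drawn from that log.

```conf
# Added example, not from the thread. Assumes the proxy backend binds to
# this server as cn=admanager,o=avci,c=de (the identity shown in the log).

# The shape that produces "read access denied by auth(=xd)": the proxy
# identity matches neither "self" nor any explicit clause, so it falls
# through to "by * auth", which allows bind/compare against the hash but
# not retrieval of it.
#access to attrs=userPassword
#    by self write
#    by * auth

# Least-privilege form. Clauses are evaluated in order and stop at the
# first match, so the proxy's DN must appear before the catch-all. No
# other bound user, and no anonymous search, can read the hash.
access to attrs=userPassword
    by dn.exact="cn=admanager,o=avci,c=de" read
    by self write
    by * auth
```

On releases that ship slapacl, running slapacl -D "cn=admanager,o=avci,c=de" -b "cn=Dieter Kluenter,ou=Partner,o=avci,c=de" userPassword/read against the config confirms read is granted to that one identity; repeating it with any other -D should report auth only.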
Pierangelo Masarati wrote:
Dieter Kluenter wrote:
when using proxy authentication with strong bind, the attribute userPassword has to have read access, that is, auth access is not sufficient. Is there any particular reason for this potential security hole?
Well, if you want to use strong auth at the proxy side, the proxy needs to be able to check the password itself, and this requires the password.
OpenLDAP's proxy is not a SASL proxy, nor does my (partial) knowledge of SASL allow me to state that a SASL proxy is at all possible for all mechs. If it is, adding SASL proxying capabilities to OpenLDAP proxy backends would be an interesting extension.
Given that the worthwhile SASL mechanisms are designed to resist man-in-the-middle (MITM) attacks and a proxy is essentially a MITM, I'd say it's not going to happen. The proxy needs to have as much knowledge as the main server.
openldap-software@openldap.org