Hi

From what I have read, the StartTLS extended operation seems to be preferred over SSL:

http://www.openldap.org/faq/data/cache/605.html

Therefore I have always used -ZZ with an ldap:// URI to bind to my server. E.g.:

ldapsearch -ZZ -b base -H ldap://server -D uid=admin,ou=users,base -W cn=search

I thought this would thus encrypt my password by encapsulating the TCP 389 connection with TLS encryption. However, to my severe dismay, I can see my password in "-d3" debug output, using the above command, as well as when dropping the -ZZ and using ldaps://.

Can you please provide guidance?

ldap_url_parse_ext(ldap://ldap.server.domain)
ldap_create
ldap_url_parse_ext(ldap://ldap.server.domain:389/??base)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldap.server.domain:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying LDAP_SERVER:389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect: 
connect success
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush2: 31 bytes to sd 3
ldap_write: want=31, written=31
  0000:  30 1d 02 01 01 77 18 80  16 31 2e 33 2e 36 2e 31   0....w...1.3.6.1
  0010:  2e 34 2e 31 2e 31 34 36  36 2e 32 30 30 33 37      .4.1.1466.20037
ldap_result ld 0xdea060 msgid 1
wait4msg ld 0xdea060 msgid 1 (infinite timeout)
wait4msg continue ld 0xdea060 msgid 1 all 1
** ld 0xdea060 Connections:
* host: ldap.server.domain  port: 389  (default)
  refcnt: 2  status: Connected
    last used: Fri Sep 22 10:23:35 2017

TLS certificate verification: subject: CN=ldap.server.domain,OU=BLAH,issuer: CN=InCommon RSA Server CA,OU=InCommon,O=Internet2,L=Ann Arbor,ST=MI,C=US, cipher: AES-256, security level: high, secret key bits: 256, total key bits: 256, cache hits: 0, cache misses: 0, cache not reusable: 0

Enter LDAP Password:  <-- I enter the password

The server logs show:

Sep 22 10:27:41 server slapd[21471]: conn=131126 op=1 BIND dn="admin" method=128
Sep 22 10:27:41 server slapd[21471]: conn=131126 op=1 BIND dn="admin" mech=SIMPLE ssf=0

The password then appears in -d3 output after I authenticate.

However, I do not see the password in tcpdump using a full packet capture on both the client and ldap server.

As expected, I do see the password in tcpdump when dropping the -ZZ and using -x for simple bind.

So, in summary, seeing credentials when using -ZZ and -d3 should not be a concern, as they're encrypted over the wire. So I guess my question is: can you explain how "-d3" works?

Thanks,

Douglas Duckworth, MSc, LFCS
HPC System Administrator
Scientific Computing Unit
Physiology and Biophysics
Weill Cornell Medicine
E: doug@med.cornell.edu
O: 212-746-6305
F: 212-746-8690
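As an added example (not part of Douglas's message or of OpenLDAP's own code), this Python decodes the BER bytes from the ber_flush2 dump above back into the StartTLS ExtendedRequest, and builds a simple BindRequest PDU to show why -d3 can print the password while tcpdump cannot: the trace prints LDAP PDUs at the BER layer, before the TLS layer encrypts them on the way to the socket, which is what the observations in the message indicate. The DN and password used to exercise the bind encoder are constructed placeholders.

```python
import re
# Hex dump from the -d3 trace in the message above (ber_flush2 / ldap_write of the
# StartTLS ExtendedRequest): these are the client's BER bytes before TLS is negotiated.
D3_DUMP = """
  0000:  30 1d 02 01 01 77 18 80  16 31 2e 33 2e 36 2e 31   0....w...1.3.6.1
  0010:  2e 34 2e 31 2e 31 34 36  36 2e 32 30 30 33 37      .4.1.1466.20037
"""

def dump_to_bytes(dump: str) -> bytes:
    """Turn 'offset:  xx xx ...   ascii' trace lines back into raw bytes."""
    out = bytearray()
    for line in dump.strip().splitlines():
        hex_field = re.split(r"\s{3,}", line.split(":", 1)[1].strip())[0]
        out += bytes.fromhex(hex_field.replace(" ", ""))
    return bytes(out)

def read_tlv(buf: bytes, pos: int):
    """Read one BER TLV at pos -> (tag, value, next_pos); definite lengths only."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_ldap_message(pdu: bytes):
    """LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp CHOICE { ... } }"""
    tag, body, _ = read_tlv(pdu, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, msgid, pos = read_tlv(body, 0)
    op_tag, op_body, _ = read_tlv(body, pos)
    return int.from_bytes(msgid, "big"), op_tag, op_body

def decode_start_tls(dump: str):
    """Return (messageID, requestName OID) from a dumped ExtendedRequest."""
    msgid, op_tag, op_body = decode_ldap_message(dump_to_bytes(dump))
    if op_tag != 0x77:  # [APPLICATION 23] ExtendedRequest
        raise ValueError("not an ExtendedRequest")
    _, name, _ = read_tlv(op_body, 0)  # requestName [0] LDAPOID (tag 0x80)
    return msgid, name.decode("ascii")

def tlv(tag: int, value: bytes) -> bytes:
    """Short-form BER TLV (value shorter than 128 bytes), enough for a small BindRequest."""
    return bytes([tag, len(value)]) + value

def simple_bind_pdu(msgid: int, dn: str, password: str) -> bytes:
    """BindRequest [APPLICATION 0] { version 3, name, simple [0] password }: the PDU that
    -d3 prints for mech=SIMPLE, password in the clear, before TLS encrypts it on the socket."""
    auth = tlv(0x02, b"\x03") + tlv(0x04, dn.encode()) + tlv(0x80, password.encode())
    return tlv(0x30, tlv(0x02, bytes([msgid])) + tlv(0x60, auth))
```

Running `decode_start_tls(D3_DUMP)` on the dump from the trace yields message ID 1 and the StartTLS OID 1.3.6.1.4.1.1466.20037, which matches the 31 bytes ber_flush2 reported writing to the socket.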