Hi
As I have read, the StartTLS extended operation seems to be preferred over SSL.
Therefore I have always used -ZZ with an ldap:// URI to bind to my server. E.g.:
ldapsearch -ZZ -b base -H ldap://server -D uid=admin,ou=users,base -W cn=search
I thought this would thus encrypt my password by encapsulating the TCP 389 connection with TLS encryption. However, to my severe dismay, I can see my password in "-d3" debug output, using the above command, as well as when dropping the -ZZ and using ldaps://
Can you please provide guidance?
ldap_url_parse_ext(ldap://ldap.server.domain)
ldap_create
ldap_url_parse_ext(ldap://ldap.server.domain:389/??base)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldap.server.domain:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying LDAP_SERVER:389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush2: 31 bytes to sd 3
ldap_write: want=31, written=31
0000: 30 1d 02 01 01 77 18 80 16 31 2e 33 2e 36 2e 31 0....w...1.3.6.1
0010: 2e 34 2e 31 2e 31 34 36 36 2e 32 30 30 33 37 .4.1.1466.20037
ldap_result ld 0xdea060 msgid 1
wait4msg ld 0xdea060 msgid 1 (infinite timeout)
wait4msg continue ld 0xdea060 msgid 1 all 1
** ld 0xdea060 Connections:
* host: ldap.server.domain port: 389 (default)
refcnt: 2 status: Connected
last used: Fri Sep 22 10:23:35 2017
TLS certificate verification: subject: CN=ldap.server.domain,OU=BLAH,issuer: CN=InCommon RSA Server CA,OU=InCommon,O=Internet2,L=Ann Arbor,ST=MI,C=US, cipher: AES-256, security level: high, secret key bits: 256, total key bits: 256, cache hits: 0, cache misses: 0, cache not reusable: 0
Enter LDAP Password: <-- I Enter Password
The server logs show:
Sep 22 10:27:41 server slapd[21471]: conn=131126 op=1 BIND dn="admin" method=128
Sep 22 10:27:41 server slapd[21471]: conn=131126 op=1 BIND dn="admin" mech=SIMPLE ssf=0
The password then appears in -d3 output after I authenticate.
However, I do not see the password in tcpdump using a full packet capture on both the client and ldap server.
As expected I do see the password in tcpdump when dropping the -ZZ and using -x for simple bind.
So in summary, seeing credentials when using -ZZ and -d3 should not be a concern, as they're encrypted over the wire. So I guess my question is: can you explain how "-d3" works?
Thanks,
Douglas Duckworth, MSc, LFCS
HPC System Administrator
Scientific Computing Unit
Physiology and Biophysics
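Editorial note, not part of the post above: -d 3 is the OpenLDAP debug mask trace (1) plus packets (2), and the ber_flush2 hex dump it prints is libldap's own BER encoding of the outgoing LDAPMessage, written before the socket's TLS layer encrypts it. Decoding those bytes shows exactly what the dump contains. The added example below (my code, not the poster's or OpenLDAP's) parses the two dump lines quoted in the message, decodes the 31-byte StartTLS ExtendedRequest, and applies the same decoder to a constructed simple BindRequest with a made-up DN and password, which is why a -d3 trace of a bind shows the credentials while a packet capture of a -ZZ session does not. It handles only the single-byte BER tags LDAP uses.

```python
"""Decode the plaintext LDAPMessage that 'ldapsearch -d3' dumps in its ber_flush2 trace.

Added example, not code from the original post. Handles the single-byte BER
tags LDAP uses; long-form lengths are supported, multi-byte tags are not.
"""
import re

# Hex-dump lines copied from the ber_flush2 trace in the post (the 31-byte StartTLS request).
STARTTLS_DUMP_LINES = [
    "0000: 30 1d 02 01 01 77 18 80 16 31 2e 33 2e 36 2e 31 0....w...1.3.6.1",
    "0010: 2e 34 2e 31 2e 31 34 36 36 2e 32 30 30 33 37 .4.1.1466.20037",
]

# StartTLS extended operation OID (RFC 4511).
OID_NAMES = {"1.3.6.1.4.1.1466.20037": "StartTLS"}

# offset, colon, then up to 16 hex byte columns; the trailing ASCII column is ignored.
_DUMP_RE = re.compile(r"^\s*[0-9a-fA-F]+:\s+((?:[0-9a-fA-F]{2}(?:\s|$)){1,16})")


def bytes_from_d3_dump(lines):
    """Extract the hex byte columns from libldap-style dump lines."""
    out = bytearray()
    for line in lines:
        m = _DUMP_RE.match(line)
        if m:
            out.extend(bytes.fromhex(re.sub(r"\s", "", m.group(1))))
    return bytes(out)


def read_tlv(buf, pos=0):
    """Read one BER TLV (single-byte tag). Returns (tag, value, position after the TLV)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets that follow
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def iter_tlvs(buf):
    """Yield (tag, value) for each TLV packed back to back in buf."""
    pos = 0
    while pos < len(buf):
        tag, value, pos = read_tlv(buf, pos)
        yield tag, value


def decode_ldap_message(buf):
    """Decode LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp CHOICE {...} }."""
    tag, body, _ = read_tlv(buf)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    (msgid_tag, msgid_val), (op_tag, op_val) = list(iter_tlvs(body))[:2]
    if msgid_tag != 0x02:
        raise ValueError("messageID is not an INTEGER")
    msg = {"message_id": int.from_bytes(msgid_val, "big")}
    if op_tag == 0x77:  # [APPLICATION 23] ExtendedRequest
        msg["op"] = "extendedReq"
        for t, v in iter_tlvs(op_val):
            if t == 0x80:  # [0] requestName: LDAPOID as dotted-decimal text
                msg["request_name"] = v.decode("ascii")
                msg["op_name"] = OID_NAMES.get(msg["request_name"], "unknown")
            elif t == 0x81:  # [1] requestValue (absent for StartTLS)
                msg["request_value"] = v
    elif op_tag == 0x60:  # [APPLICATION 0] BindRequest
        msg["op"] = "bindRequest"
        version, name, auth = list(iter_tlvs(op_val))[:3]
        msg["version"] = int.from_bytes(version[1], "big")
        msg["name"] = name[1].decode("utf-8")
        if auth[0] == 0x80:  # [0] simple: the password is a plain OCTET STRING in the message
            msg["simple_password"] = auth[1].decode("utf-8")
        else:
            msg["auth"] = "sasl"
    else:
        msg["op"] = f"unhandled tag 0x{op_tag:02x}"
    return msg


def _tlv(tag, content):
    """BER-encode one TLV with a short- or long-form length."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def encode_simple_bind(message_id, dn, password):
    """Build the BindRequest 'ldapsearch -x -D dn -W' sends (message_id must be < 128 here)."""
    bind = _tlv(0x02, bytes([3])) + _tlv(0x04, dn.encode()) + _tlv(0x80, password.encode())
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + _tlv(0x60, bind))


if __name__ == "__main__":
    print(decode_ldap_message(bytes_from_d3_dump(STARTTLS_DUMP_LINES)))
    # Constructed sample: the DN and password below are made up for this example.
    print(decode_ldap_message(encode_simple_bind(2, "uid=admin,ou=users,dc=example,dc=org", "s3cret")))
```

The first decode yields messageID 1 and an ExtendedRequest naming 1.3.6.1.4.1.1466.20037 (StartTLS), matching the 31 bytes in the trace. The second decode returns the DN and password straight out of the constructed BindRequest, which is the same view -d3 gives of the bind op=1 in the server log: the mitigation is that with -ZZ those bytes are encrypted by the TLS layer before they leave the host, so only the local debug stream, never the wire, carries them in the clear.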