Hello,
What is the proper way to make sure only non-anonymous binds are allowed to utilize idassert-bind credentials?
Reading http://www.openldap.org/faq/data/cache/532.html the following is stated: === Authorize only non-anonymous: idassert-authzFrom "dn:*" ===
It also states: === The idassert-authzFrom mechanism controls whether a client's identity can be asserted or not. The idassert-authzFrom mechanism basically selects what identities can access the identity assertion feature, and indeed should be considered as the set of values of the authzFrom attribute associated to the administrative identity, with the essential difference that, if not present, by default every identity is authorized, including anonymous. ===
These excerpts make me believe that the expected default behaviour is that a missing idassert-authzFrom will allow anyone, even anonymous binds. That a pattern of "*" is supposed to match non-anon binds is also stated in the slapd.conf man page (https://linux.die.net/man/5/slapd.conf): === A pattern of * means any non-anonymous DN. ===
Then there is this contradictory message I found while looking through the lists: https://www.openldap.org/lists/openldap-technical/200809/msg00096.html
It states: === If you want idassert to work also for anonymous operations (not recommended, as this defeats the security model of the remote server, by letting it believe that the proxy authenticated users while it didn't), you need to explicitly enable it using an idassert-authzFrom rule that includes anonymous, like
idassert-authzFrom "dn.regex:.*" ===
This is more in line with my tests, where removing the "idassert-authzFrom" all together stops an anonymous ldapsearch from returning a result, while adding 'idassert-authzFrom "dn:*"' makes it return results for the anon bind.
I realize there is a difference between the line from the FAQ ("dn:*") and the line from the mailing list ("dn.regex:.*") but looking at slap_idassert_authzfrom_parse(): https://github.com/openldap/openldap/blob/b06f5b0493937fc28f2cc86df1d7f464aa...
... it appears to me that "*", "dn:*" and "dn.regex:.*" are supposed to be equivalent. I am using the meta backend, but I'm guessing they are sharing code in this case.
The man page for slapd-meta does not state what the result of not configuring an "idassert-authzFrom" is, though it seems to yield the results I want (that only properly authenticated connections can make use of the idassert-bind credentials).
I'm guessing one way to make sure only authenticated clients can do anything is to add "require authc" to the config, but it is hard to tell how these things interact, and it would be nice to know what the expected way to configure idassert-authzFrom is (even if it means leaving it unset).
Regards, Patrik Lundin
--On Tuesday, April 02, 2019 12:39 AM +0200 Patrik Lundin patrik@sigterm.se wrote:
> Hello,
> What is the proper way to make sure only non-anonymous binds are allowed to utilize idassert-bind credentials?
Hi Patrik,
I had an extensive discussion with Howard about this today. Here's the summary:
a) The FAQ is incorrect (I will fix this).
b) Pierangelo's email is correct
c) "dn:*" and "dn.regex=.*" are equivalent
d) The slapd-ldap man page needs to be fixed. I will file an ITS on this. The idassert-authzFrom directive follows the same rules as described in the slapd.conf(5) man page for authz-policy EXCEPT for it special casing "*" to allow anonymous to work.
Hope that helps!
Regards, Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com
On Thu, Apr 04, 2019 at 09:01:23AM -0700, Quanah Gibson-Mount wrote:
> I had an extensive discussion with Howard about this today. Here's the summary:
> a) The FAQ is incorrect (I will fix this).
> b) Pierangelo's email is correct
> c) "dn:*" and "dn.regex=.*" are equivalent
> d) The slapd-ldap man page needs to be fixed. I will file an ITS on this. The idassert-authzFrom directive follows the same rules as described in the slapd.conf(5) man page for authz-policy EXCEPT for it special casing "*" to allow anonymous to work.
Thanks a lot for the clarifications! Here is the link to the ITS ticket which was communicated via IRC if anyone else is interested: https://www.openldap.org/its/index.cgi/?findid=9003
It would be nice if the man page update included mention of the default behavior when idassert-authzFrom is not set at all. Since the text currently reads "if defined, selects what local identities are authorized to exploit the identity assertion feature" it is hard to tell what happens if it is not defined. Is any identity allowed since there is no filter? Is no identity allowed since there is no filter?
I believe the correct answer is "any identity except anonymous is allowed", and it would be great if this was explicit.
Going back to my original question:
What is the proper way to make sure only non-anonymous binds are allowed to utilize idassert-bind credentials?
Given the above information the proper way would be to not set idassert-authzFrom at all.
Thanks again for taking the time to sort this out!
Regards, Patrik Lundin
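A small configuration lint for the point settled in this thread, added here as an illustration and not part of the thread or of the OpenLDAP project. It walks a slapd.conf, finds back-ldap and back-meta targets that carry an idassert-bind, and reports whether idassert-authzFrom is unset (the thread's conclusion: only authenticated identities get the proxy identity), is one of the three spellings the thread says slapd special-cases to include anonymous ("*", "dn:*", "dn.regex:.*"), or is some other explicit rule left for review. The two slapd.conf fragments, the "cn=proxy" identity, the hostnames and the password placeholder are all constructed for the example; the remark about "require authc" reflects the slapd.conf(5) description of that directive (anonymous operations are rejected), not anything the thread establishes.

```python
"""Lint a slapd.conf for idassert-authzFrom values that let anonymous binds
use the idassert-bind identity (back-ldap and back-meta)."""
import shlex
from dataclasses import dataclass, field
from typing import List, Optional

# Per the thread: these three spellings are equivalent, and slapd special-cases
# them so that they match anonymous as well as authenticated identities.
ANON_INCLUSIVE = {"*", "dn:*", "dn.regex:.*"}


@dataclass
class Target:
    uri: Optional[str]
    idassert_bind: Optional[str] = None
    authz_from: List[str] = field(default_factory=list)


@dataclass
class ProxyDb:
    kind: str                          # "ldap" or "meta"
    require_authc: bool = False        # 'require authc' at global or database level
    targets: List[Target] = field(default_factory=list)


@dataclass
class Finding:
    db: str        # "<kind>:<uri>"
    level: str     # "ok" | "warn" | "info"
    message: str


def _directives(text: str):
    """Yield logical slapd.conf lines: comments dropped, continuation lines joined."""
    buf = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and buf is not None:   # leading whitespace = continuation
            buf += " " + raw.strip()
            continue
        if buf is not None:
            yield buf
        buf = raw.strip()
    if buf is not None:
        yield buf


def parse_proxy_dbs(text: str) -> List[ProxyDb]:
    """Collect ldap/meta databases with their targets and idassert settings."""
    dbs: List[ProxyDb] = []
    cur: Optional[ProxyDb] = None
    in_global, global_authc = True, False
    for line in _directives(text):
        parts = shlex.split(line)
        name, args = parts[0].lower(), parts[1:]
        if name == "database":
            in_global = False
            kind = args[0].lower() if args else ""
            cur = ProxyDb(kind, global_authc) if kind in ("ldap", "meta") else None
            if cur:
                dbs.append(cur)
        elif name == "require":
            authc = any(a.lower() == "authc" for a in args)
            if in_global:
                global_authc = authc
            elif cur:
                cur.require_authc = authc      # database-level value overrides global
        elif cur is None:
            continue
        elif name == "uri":                    # each uri opens a new target
            cur.targets.append(Target(uri=args[0] if args else None))
        elif name in ("idassert-bind", "idassert-authzfrom"):
            if not cur.targets:                # idassert directive before any uri
                cur.targets.append(Target(uri=None))
            tgt = cur.targets[-1]
            if name == "idassert-bind":
                tgt.idassert_bind = " ".join(args)
            else:
                tgt.authz_from.extend(args)
    return dbs


def lint_slapd_conf(text: str) -> List[Finding]:
    """One finding per target that has an idassert-bind configured."""
    findings: List[Finding] = []
    for db in parse_proxy_dbs(text):
        for t in db.targets:
            if t.idassert_bind is None:
                continue                       # no identity assertion on this target
            label = f"{db.kind}:{t.uri or '?'}"
            anon = [v for v in t.authz_from if v in ANON_INCLUSIVE]
            if anon:
                msg = (f"idassert-authzFrom {anon[0]!r} also matches anonymous; anonymous "
                       "clients would be proxied with the idassert-bind identity")
                if db.require_authc:
                    msg += " (note: 'require authc' is set, which rejects anonymous operations)"
                findings.append(Finding(label, "warn", msg))
            elif not t.authz_from:
                findings.append(Finding(label, "ok",
                    "idassert-authzFrom unset: default admits only authenticated identities"))
            else:
                findings.append(Finding(label, "info",
                    "explicit idassert-authzFrom rule(s): " + ", ".join(t.authz_from)))
    return findings


# Constructed fragment following the FAQ's (incorrect) advice.
WEAK_CONF = """\
database        ldap
suffix          "dc=example,dc=com"
uri             "ldap://backend.example.com/"
idassert-bind   bindmethod=simple
                binddn="cn=proxy,dc=example,dc=com"
                credentials="PLACEHOLDER-password"
                mode=none
idassert-authzFrom "dn:*"
"""

# Constructed fragment: authzFrom left unset on the first target (the thread's
# recommendation) and an explicit subtree rule on the second.
SAFE_CONF = """\
require         authc
database        meta
suffix          "dc=example,dc=com"
uri             "ldap://a.example.com/ou=people,dc=example,dc=com"
idassert-bind   bindmethod=simple
                binddn="cn=proxy,dc=example,dc=com"
                credentials="PLACEHOLDER-password"
uri             "ldap://b.example.com/ou=groups,dc=example,dc=com"
idassert-bind   bindmethod=simple
                binddn="cn=proxy,dc=example,dc=com"
                credentials="PLACEHOLDER-password"
idassert-authzFrom "dn.subtree:ou=people,dc=example,dc=com"
"""

if __name__ == "__main__":
    for conf in (WEAK_CONF, SAFE_CONF):
        for f in lint_slapd_conf(conf):
            print(f"[{f.level}] {f.db}: {f.message}")
```

The lint deliberately does not try to decide whether an arbitrary regex or subtree rule matches the empty (anonymous) DN; anything other than the three special-cased spellings is reported as "info" so a reviewer can read it against the authz-policy rules in slapd.conf(5).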
openldap-technical@openldap.org