From: Quanah Gibson-Mount Date: Wed, 28 May 2008 19:46:50 +0000 (+0000) Subject: ITS#5524 X-Git-Tag: OPENLDAP_REL_ENG_2_4_10~10 X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=0792d7ba29c4e8147c1af5bb10a4227985229e98;p=openldap ITS#5524 --- diff --git a/CHANGES b/CHANGES index cfbad59360..0914d6e62e 100644 --- a/CHANGES +++ b/CHANGES @@ -24,6 +24,7 @@ OpenLDAP 2.4.10 Engineering Fixed slapo-unique filter terminator (ITS#5511) Documentation Add search privileges documentation (ITS#5512) + admin24 security document updates (ITS#5524) OpenLDAP 2.4.9 Release (2008/05/07) Fixed libldap to use unsigned port (ITS#5436) diff --git a/doc/guide/admin/aspell.en.pws b/doc/guide/admin/aspell.en.pws index b523bfba19..e779d4e8d3 100644 --- a/doc/guide/admin/aspell.en.pws +++ b/doc/guide/admin/aspell.en.pws @@ -1,12 +1,12 @@ -personal_ws-1.1 en 1598 +personal_ws-1.1 en 1634 commonName bla Masarati subjectAltName api BhY -olcSyncrepl olcSyncRepl +olcSyncrepl adamsom adamson CER @@ -38,8 +38,8 @@ DIB dev reqNewSuperior librewrite -memberOf memberof +memberOf BSI updateref buf @@ -64,6 +64,7 @@ CRP postread csn xvfB +checkpass neverDerefaliases dns DN's @@ -87,8 +88,8 @@ dlopen eng AttributeValue attributevalue -EOF DUA +EOF inputfile DSP refreshDone @@ -123,10 +124,10 @@ iff contextCSN auditModify auditSearch -openldap OpenLDAP -resultCode +openldap resultcode +resultCode sysconfig indices blen @@ -137,14 +138,17 @@ directoryString database's iscritical gss +qbuaQ ZKKuqbEKJfKSXhUbHG invalidAttributeSyntax subtree Kartik newparent +DkMTwBl memcalloc ing filtertype +XKqkdPOmY regcomp ldapmodify includedir @@ -159,13 +163,13 @@ argv kdz notAllowedOnRDN hostport -starttls StartTLS +starttls ldb servercredp ldd -ipv IPv +ipv hyc joe bindmethods @@ -189,16 +193,16 @@ attrstyle directoryOperation creatorsName mem -oldpasswdfile oldPasswdFile +oldpasswdfile uniqueMember krb libpath acknowledgements jts createTimestamp -LLL MIB +LLL OpenSSL openssl LOF @@ -217,6 +221,7 @@ LDAPMatchingRule bool LRL CPPFLAGS +yWpR schemadir desc lud @@ -232,14 +237,15 @@ oid msg attr caseExactOrderingMatch +TmkzUAb Subbarao aeeiib oidlen submatches -olc PEM -PDU +olc OLF +PDU LDAPSchemaExtensionItem auth Pierangelo @@ -249,6 +255,7 @@ subdirectories OLP pwdPolicyChecker subst +mux singleLevel cleartext numattrsets @@ -277,9 +284,9 @@ rdn wZFQrDD OTP olcSizeLimit -pos -sbi PRD +sbi +pos pre sudoadm stringal @@ -287,6 +294,7 @@ retoidp sdf efgh accesslog +PSH sed cond qdescrs @@ -296,9 +304,10 @@ ldapmodrdn sel bvec TBC +HtZhZS stringbv -Sep SHA +Sep ptr conn pwd @@ -315,8 +324,8 @@ myOID supportedSASLMechanism supportedSASLmechanism realnamingcontext -SMD UCD +SMD keytab portnumber uncached @@ -329,8 +338,8 @@ sasldb UCS searchDN keytbl -tgz UDP +tgz freemods prepend errText @@ -347,22 +356,22 @@ crit objectClassViolation ssf ldapfilter -rwm -TOC vec +TOC +rwm pwdChangedTime tls peernamestyle xpasswd -tmp SRP +tmp SSL dupbv CPUs SRV entrymods -rwx sss +rwx reqNewRDN nopresent rebindproc @@ -372,11 +381,13 @@ syncIdSet cron accesslevel accessor's +czBJdDqS keyval alloc saslpasswd README maxentries +QWGWZpj ttl undefinedAttributeType peercred @@ -417,10 +428,11 @@ memberURL sudoers pwdMaxFailure pseudorootdn +MezRroT GDBM LIBRELEASE -DSAs DSA's +DSAs realloc booleanMatch compareTrue @@ -432,6 +444,7 @@ rwxrwxrwx al realself cd +aQ ar olcDatabaseConfig de @@ -447,6 +460,7 @@ dn fG DS fi +EO allmail du eq @@ -477,8 +491,8 @@ pwdMinLength iZ ldapdelete xyz -RDBMs rdbms +RDBMs extparam mk ng @@ -533,6 +547,7 @@ cacert notAllowedOnNonLeaf attrname olcTLSCipherSuite +Xr x's xw octetStringMatch @@ -541,8 +556,8 @@ ZZ LDVERSION testAttr backend -backend's backends +backend's BerValues Solaris structs @@ -554,9 +569,9 @@ ostring policyDN testObject pwdMaxAge -bindDn -bindDN binddn +bindDN +bindDn distributedOperation schemachecking strvals @@ -588,6 +603,7 @@ serverctrls recursivegroup integerMatch moduledir +BlpQmtczb dynstyle bindpw AUTHNAME @@ -598,14 +614,14 @@ IEEE regex SIGINT slappasswd -errAbsObject errABsObject +errAbsObject ldapexop -objectidentifier objectIdentifier +objectidentifier deallocators -MirrorMode mirrormode +MirrorMode loopDetect SIGHUP authMethodNotSupported @@ -622,8 +638,8 @@ filtercomp expr syntaxes memrealloc -returnCode returncode +returnCode OpenLDAP's exts bitstringa @@ -638,6 +654,7 @@ ietf olcSchemaConfig bitstrings bvalues +hmev realdnattr attrpair affectsMultipleDSAs @@ -646,8 +663,8 @@ lastName lldap cachesize slapauth -attributetype attributeType +attributetype GSER olcDbNosync typedef @@ -664,14 +681,16 @@ monitoredObject TLSVerifyClient noidlen LDAPNOINIT -pwdGraceAuthNLimit pwdGraceAuthnLimit +pwdGraceAuthNLimit hnPk +userpassword userPassword noanonymous LIBVERSION symas dcedn +glibc sublevel chroot posixGroup @@ -682,12 +701,14 @@ frontend someotherdomain proxying organisations +IMAP rewriteMap monitoredInfo -modrdn -ModRDN modrDN +ModRDN +modrdn HREF +DQTxCYEApdUtNXGgdUac inline multiproxy reqSizeLimit @@ -698,8 +719,8 @@ reqReferral rlookups siiiib LTSTATIC -timeLimitExceeded timelimitExceeded +timeLimitExceeded XKYnrjvGT subtrees unixODBC @@ -711,8 +732,8 @@ reqDN dnstyle inet schemas -pwdPolicySubEntry pwdPolicySubentry +pwdPolicySubEntry reqId scanf olcBackend @@ -721,6 +742,7 @@ Arial init runtime onelevel +YtNFk impl Autoconf stderr @@ -737,6 +759,7 @@ olcModuleList pwdSafeModify html multimaster +GCmfuqEvm testrun rewriteEngine slapdindex @@ -751,8 +774,8 @@ POSIX pathname noSuchObject proxyOld -berelement BerElement +berelement sbiod plugin http @@ -762,8 +785,8 @@ ldbm numericStringSubstringsMatch internet storages -whoami WhoAmI +whoami criticality addBlanks logins @@ -772,6 +795,7 @@ dbnum operationsError homePhone testTwo +BmIwN ldif entryAlreadyExists plaintext @@ -903,6 +927,7 @@ concat realanonymous invalue refreshOnly +pwcheck filesystem Naur unwillingToPerform @@ -924,6 +949,7 @@ negttl logevels AAQSkZJRgABAAAAAQABAAD strcast +aUihad failover constraintViolation cacheable @@ -968,6 +994,7 @@ basename groupOfUniqueNames DHAVE ludp +oPdklp entryUUID ldapapiinfo SampleLDAP @@ -1013,12 +1040,14 @@ typeB nelems subord namingViolation +PCOq inappropriateAuthentication mixin suders syntaxOID olcTLSCACertificateFile IGJlZ +userPrincipalName TLSCipherSuite auditlog runningslapd @@ -1059,6 +1088,7 @@ searchResultEntry PIII olcDbShmKey substr +testsaslauthd reqRespControls XXXXXXXXXX MANSECT @@ -1081,6 +1111,7 @@ dcObject supportedControl addprinc logbase +oMxg filterlist generalizedTimeMatch Google @@ -1204,6 +1235,7 @@ lucyB entryUUIDs reqEntries sockbuf +wrongpassword olcSaslSecprops olcSaslSecProps dnSubtreeMatch @@ -1296,6 +1328,7 @@ SMTP srvtab ldapadd sprintf +spasswd monitorCounterObject Instanstantiation olcDbConfig @@ -1362,6 +1395,7 @@ argsfile attrvalue deallocate msgid +ilOzQ modulepath logfile Supr @@ -1513,6 +1547,7 @@ ABNF dnpattern perror MSSQL +VUld SmVuc ACIs errmsgp @@ -1552,8 +1587,8 @@ wBDARESEhgVG multi aaa ldaprc -updatedn UpdateDN +updatedn LDAPBASE LDAPAPIFeatureInfo authzTo @@ -1593,7 +1628,8 @@ ber slimit ali attributeoptions +BfQ uidNumber -CAs CA's +CAs namingContext diff --git a/doc/guide/admin/security.sdf b/doc/guide/admin/security.sdf index cd2d9b8f6c..10f11d7b45 100644 --- a/doc/guide/admin/security.sdf +++ b/doc/guide/admin/security.sdf @@ -1,5 +1,6 @@ # $OpenLDAP$ # Copyright 1999-2008 The OpenLDAP Foundation, All Rights Reserved. +# Portions Copyright 2008 Andrew Findlay. # COPYING RESTRICTIONS APPLY, see COPYRIGHT. H1: Security Considerations @@ -58,7 +59,8 @@ to the server. For example, the {{host_options}}(5) rule: allows only incoming connections from the private network {{F:10.0.0.0}} and localhost ({{F:127.0.0.1}}) to access the directory service. -Note that IP addresses are used as {{slapd}}(8) is not normally + +Note: IP addresses are used as {{slapd}}(8) is not normally configured to perform reverse lookups. It is noted that TCP wrappers require the connection to be accepted. @@ -127,10 +129,11 @@ requested by providing a valid name and password. An anonymous bind results in an {{anonymous}} authorization association. Anonymous bind mechanism is enabled by default, but can be disabled by specifying "{{EX:disallow bind_anon}}" in -{{slapd.conf}}(5). Note that disabling the anonymous bind mechanism -does not prevent anonymous access to the directory. To require -authentication to access the directory, one should instead -specify "{{EX:require authc}}". +{{slapd.conf}}(5). + +Note: Disabling the anonymous bind mechanism does not prevent +anonymous access to the directory. To require authentication to +access the directory, one should instead specify "{{EX:require authc}}". An unauthenticated bind also results in an {{anonymous}} authorization association. Unauthenticated bind mechanism is disabled by default, @@ -158,12 +161,250 @@ binds to use encryption of DES equivalent or better. The user/password authenticated bind mechanism can be completely disabled by setting "{{EX:disallow bind_simple}}". -Note: An unsuccessful bind always results in the session having +Note: An unsuccessful bind always results in the session having an {{anonymous}} authorization association. H3: SASL method -The LDAP {{TERM:SASL}} method allows use of any SASL authentication -mechanism. The {{SECT:Using SASL}} discusses use of SASL. +The LDAP {{TERM:SASL}} method allows the use of any SASL authentication +mechanism. The {{SECT:Using SASL}} section discusses the use of SASL. + +H2: Password Storage + +LDAP passwords are normally stored in the {{userPassword}} attribute. +{{REF:RFC4519}} specifies that passwords are not stored in encrypted form, +but this can create an unwanted security exposure so {{slapd}} provides +several options for the administrator to choose from. + +The {{userPassword}} attribute is allowed to have more than one value, +and it is possible for each value to be stored in a different form. +During authentication, {{slapd}} will iterate through the values +until it finds one that matches the offered password or until it +runs out of values to inspect. The storage scheme is stored as a prefix +on the value, so a Unix {{crypt}}-style password might look like this: + +> userPassword: {CRYPT}.7D8U/PCF00Hw + +In general, it is safest to store passwords in a salted hashed format +like SSHA. This makes it very hard for an attacker to derive passwords +from stolen backups or by obtaining access to the on-disk {{slapd}} +database. + +The disadvantage of hashed storage is that it prevents the use of some +authentication mechanisms such as {{EX:DIGEST-MD5}}. + +H3: CLEARTEXT password storage scheme + +Cleartext passwords can be stored directly in the {{userPassword}} +attribute, or can have the '{CLEARTEXT}' prefix. These two values are +equivalent: + +> userPassword: secret +> userPassword: {CLEARTEXT}secret + +H3: CRYPT password storage scheme + +This scheme uses the operating system's {{crypt(3)}} hash function. +It normally produces the traditional Unix-style 13 character hash, but +on systems with {{EX:glibc2}} it can also generate the more secure +34-byte MD5 hash. + +> userPassword: {CRYPT}aUihad99hmev6 +> userPassword: {CRYPT}$1$czBJdDqS$TmkzUAb836oMxg/BmIwN.1 + +The advantage of the CRYPT scheme is that passwords can be +transferred to or from an existing Unix password file without having +to know the cleartext form. Both forms of {{crypt}} include salt so +they have some resistance to dictionary attacks. + + +Note: Since this scheme uses the operation system's {{crypt(3)}} hash function, +it is therefore operation system specific. + +H3: MD5 password storage scheme + +This scheme simply takes the MD5 hash of the password and stores it in +base64 encoded form: + +> userPassword: {MD5}Xr4ilOzQ4PCOq3aQ0qbuaQ== + +Although safer than cleartext storage, this is not a very secure +scheme. The MD5 algorithm is fast, and because there is no salt the +scheme is vulnerable to a dictionary attack. + +H3: SMD5 password storage scheme + +This improves on the basic MD5 scheme by adding salt (random data +which means that there are many possible representations of a given +plaintext password). For example, both of these values represent the +same password: + +> userPassword: {SMD5}4QWGWZpj9GCmfuqEvm8HtZhZS6E= +> userPassword: {SMD5}g2/J/7D5EO6+oPdklp5p8YtNFk4= + +H3: SHA password storage scheme + +Like the MD5 scheme, this simply feeds the password through an SHA +hash process. SHA is thought to be more secure than MD5, but the lack +of salt leaves the scheme exposed to dictionary attacks. + +> userPassword: {SHA}5en6G6MezRroT3XKqkdPOmY/BfQ= + +H3: SSHA password storage scheme + +This is the salted version of the SHA scheme. It is believed to be the +most secure password storage scheme supported by {{slapd}}. + +These values represent the same password: + +> userPassword: {SSHA}DkMTwBl+a/3DQTxCYEApdUtNXGgdUac3 +> userPassword: {SSHA}d0Q0626PSH9VUld7yWpR0k6BlpQmtczb + +H3: SASL password storage scheme + +This is not really a password storage scheme at all. It uses the +value of the {{userPassword}} attribute to delegate password +verification to another process. See below for more information. + +Note: This is not the same as using SASL to authenticate the LDAP +session. + +H3: KERBEROS password storage scheme + +This is not really a password storage scheme at all. It uses the +value of the {{userPassword}} attribute to delegate password +verification to Kerberos. + +Note: This is not the same as using Kerberos authentication of +the LDAP session. + +This scheme could be said to defeat the advantages of Kerberos by +causing the Kerberos password to be exposed to the {{slapd}} server +(and possibly on the network as well). + +H2: Pass-Through authentication + +Since OpenLDAP 2.0 {{slapd}} has had the ability to delegate password +verification to a separate process. This uses the {{sasl_checkpass(3)}} +function so it can use any back-end server that Cyrus SASL supports for +checking passwords. The choice is very wide, as one option is to use +{{saslauthd(8)}} which in turn can use local files, Kerberos, an IMAP +server, another LDAP server, or anything supported by the PAM mechanism. + +The server must be built with the {{EX:--enable-spasswd}} +configuration option to enable pass-through authentication. + +Note: This is not the same as using a SASL mechanism to +authenticate the LDAP session. + +Pass-Through authentication works only with plaintext passwords, as +used in the "simple bind" and "SASL PLAIN" authentication mechanisms.}} + +Pass-Through authentication is selective: it only affects users whose +{{userPassword}} attribute has a value marked with the "{SASL}" +scheme. The format of the attribute is: + +> userPassword: {SASL}username@realm + +The {{username}} and {{realm}} are passed to the SASL authentication +mechanism and are used to identify the account whose password is to be +verified. This allows arbitrary mapping between entries in OpenLDAP +and accounts known to the backend authentication service. + +Note: There is no support for changing passwords in the backend +via {{slapd}}. + +It would be wise to use access control to prevent users from changing +their passwords through LDAP where they have pass-through authentication +enabled. + + +H3: Configuring slapd to use an authentication provider + +Where an entry has a "{SASL}" password value, OpenLDAP delegates the +whole process of validating that entry's password to Cyrus SASL. All +the configuration is therefore done in SASL config files. + +The first +file to be considered is confusingly named {{slapd.conf}} and is +typically found in the SASL library directory, often +{{EX:/usr/lib/sasl2/slapd.conf}} This file governs the use of SASL +when talking LDAP to {{slapd}} as well as the use of SASL backends for +pass-through authentication. See {{EX:options.html}} in the {{PRD:Cyrus SASL}} +docs for full details. Here is a simple example for a server that will +use {{saslauthd}} to verify passwords: + +> mech_list: plain +> pwcheck_method: saslauthd +> saslauthd_path: /var/run/sasl2/mux + +H3: Configuring saslauthd + +{{saslauthd}} is capable of using many different authentication +services: see {{saslauthd(8)}} for details. A common requirement is to +delegate some or all authentication to another LDAP server. Here is a +sample {{EX:saslauthd.conf}} that uses Microsoft Active Directory (AD): + +> ldap_servers: ldap://dc1.example.com/ ldap://dc2.example.com/ +> +> ldap_search_base: cn=Users,DC=ad,DC=example,DC=com +> ldap_filter: (userPrincipalName=%u) +> +> ldap_bind_dn: cn=saslauthd,cn=Users,DC=ad,DC=example,DC=com +> ldap_password: secret + +In this case, {{saslauthd}} is run with the {{EX:ldap}} authentication +mechanism and is set to combine the SASL realm with the login name: + +> saslauthd -a ldap -r + +This means that the "username@realm" string from the {{userPassword}} +attribute ends up being used to search AD for +"userPrincipalName=username@realm" - the password is then verified by +attempting to bind to AD using the entry found by the search and the +password supplied by the LDAP client. + +H3: Testing pass-through authentication + +It is usually best to start with the back-end authentication provider +and work through {{saslauthd}} and {{slapd}} towards the LDAP client. + +In the AD example above, first check that the DN and password that +{{saslauthd}} will use when it connects to AD are valid: + +> ldapsearch -x -H ldap://dc1.example.com/ \ +> -D cn=saslauthd,cn=Users,DC=ad,DC=example,DC=com \ +> -w secret \ +> -b '' \ +> -s base + +Next check that a sample AD user can be found: + +> ldapsearch -x -H ldap://dc1.example.com/ \ +> -D cn=saslauthd,cn=Users,DC=ad,DC=example,DC=com \ +> -w secret \ +> -b cn=Users,DC=ad,DC=example,DC=com \ +> "(userPrincipalName=user@ad.example.com)" + +Check that the user can bind to AD: + +> ldapsearch -x -H ldap://dc1.example.com/ \ +> -D cn=user,cn=Users,DC=ad,DC=example,DC=com \ +> -w userpassword \ +> -b cn=user,cn=Users,DC=ad,DC=example,DC=com \ +> -s base \ +> "(objectclass=*)" + +If all that works then {{saslauthd}} should be able to do the same: + +> testsaslauthd -u user@ad.example.com -p userpassword +> testsaslauthd -u user@ad.example.com -p wrongpassword + +Now put the magic token into an entry in OpenLDAP: + +> userPassword: {SASL}user@ad.example.com + +It should now be possible to bind to OpenLDAP using the DN of that +entry and the password of the AD user.