Old 06-15-2008, 10:23 AM
Dael Maselli
 
Simple Bind only in secured channel

Hi all,

is there any method to deny simple bind operation unless in a secure
channel (SSL or STARTTLS)? Do I have to write a plug-in? Hints?

Thank you.

Dael Maselli.


--
___________________________________________________________________

Dael Maselli --- INFN-LNF Computing Service -- +39.06.9403.2214
___________________________________________________________________

Democracy is two wolves and a lamb voting on what to have for lunch
___________________________________________________________________
--
Fedora-directory-users mailing list
Fedora-directory-users@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
 
Old 06-15-2008, 10:38 AM
"Diaa Radwan"
 
Simple Bind only in secured channel

You can write an ACI to restrict the authentication method (SSL).

Hope this document helps:
https://www.redhat.com/docs/manuals/dir-server/ag/8.0/Managing_Access_Control-Bind_Rules.html

On Sun, Jun 15, 2008 at 1:23 PM, Dael Maselli <Dael.Maselli@lnf.infn.it> wrote:
> Hi all,
>
> is there any method to deny simple bind operation unless in a secure
> channel (SSL or STARTTLS)? Do I have to write a plug-in? Hints?

--
Diaa Radwan
http://www.fossology.net

 
Old 06-15-2008, 10:50 AM
Dael Maselli
 
Simple Bind only in secured channel

I'm going to explain it better.

I don't want a user to enter his credentials in an unsecured channel.
First I thought to close 389 and allow only 636, but ldaps is now
deprecated and so I need to allow 389 too, but if the user does a simple
bind before STARTTLS then the credentials will be exposed.

I want something like Sendmail does: no clear-text auth is allowed
unless the connection is SSL or STARTTLS based.

I hope it is clear now.

Thank you so much.

Dael.


 
Old 06-15-2008, 11:03 AM
Michael Ströder
 
Simple Bind only in secured channel

Dael Maselli wrote:

> I'm going to explain it better.
>
> I don't want a user to enter his credentials in an unsecured channel.
> First I thought to close 389 and allow only 636, but ldaps is now
> deprecated

Well, most LDAP client software I know of supports LDAP over a
pre-established SSL/TLS tunnel (often called LDAPS). StartTLS is often
not supported by client software.

> and so I need to allow 389 too, but if the user does a simple
> bind before STARTTLS then the credentials will be exposed.

That's the serious drawback of the StartTLS ext. op.

> I want something like Sendmail does: no clear-text auth is allowed
> unless the connection is SSL or STARTTLS based.

Not possible. Even if your server rejects the bind request the
clear-text password has already been sent over the wire.

Simply keep using LDAPS.

Ciao, Michael.

 
Old 06-15-2008, 11:20 AM
Dael Maselli
 
Simple Bind only in secured channel

Well... this is terrible!!!

I _need_ to support GSSAPI auth too, and it doesn't work with SSL!

I don't know the LDAP protocol that well; I thought the client asks the
server for its capabilities when it connects, so if it is possible to hide the
simple bind capability on a clear channel the clients won't try a simple
bind. No?

Please, give me a hint, my institution is going to migrate all Authentication
and Authorization to a system based on FDS and MIT Kerberos. This would be
a very blocking issue.

Dael.


 
Old 06-15-2008, 11:30 AM
Michael Ströder
 
Simple Bind only in secured channel

Dael Maselli wrote:

> I _need_ to support GSSAPI auth too, and it doesn't work with SSL!

Do you mean you require SASL bind with GSSAPI within the LDAP connection?

The Kerberos authentication itself is not affected by SSL anyway since
the traffic between clients, KDC and servers is protected by shared secrets.

> I don't know the LDAP protocol that well; I thought the client asks the
> server for its capabilities when it connects, so if it is possible to hide the
> simple bind capability on a clear channel the clients won't try a simple
> bind. No?

A well-implemented LDAP client does not send a bind request before
trying the StartTLS ext. op. It simply tries StartTLS if configured to do so
(and without looking at the server's capabilities, which could have been
spoofed by an attacker).

But frankly, sometimes when examining what LDAP client applications
(even the ones shipped by expensive big vendors) send on the wire I'm
asking myself what the client developers have smoked before implementing
their application.

So, no, you can't prevent a client application from misbehaving when
allowing port 389 and requiring StartTLS.

Ciao, Michael.

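Since the server cannot stop a misbehaving client from sending its password before StartTLS, the practical server-side control is to detect such binds after the fact and chase down the offending clients. This is an added example, not code from the thread or from Fedora DS: a small Python audit over Fedora DS / 389 DS access-log lines (the log format is assumed from how I understand those logs, and the sample lines are constructed) that flags non-anonymous simple binds sent on connections that had not negotiated TLS.

```python
import re

# Constructed sample access-log lines in the Fedora DS / 389 DS format as I
# understand it (assumed, not taken from the thread): conn 12 binds in clear,
# conn 13 does startTLS first, conn 14 is LDAPS, conn 15 uses SASL/GSSAPI.
SAMPLE_LOG = """\
[15/Jun/2008:12:23:01 +0200] conn=12 fd=64 slot=64 connection from 10.0.0.5 to 10.0.0.1
[15/Jun/2008:12:23:01 +0200] conn=12 op=0 BIND dn="uid=dael,ou=People,dc=example,dc=org" method=128 version=3
[15/Jun/2008:12:23:01 +0200] conn=12 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[15/Jun/2008:12:23:05 +0200] conn=13 fd=65 slot=65 connection from 10.0.0.6 to 10.0.0.1
[15/Jun/2008:12:23:05 +0200] conn=13 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[15/Jun/2008:12:23:05 +0200] conn=13 SSL 128-bit AES
[15/Jun/2008:12:23:05 +0200] conn=13 op=1 BIND dn="uid=alice,ou=People,dc=example,dc=org" method=128 version=3
[15/Jun/2008:12:23:09 +0200] conn=14 fd=66 slot=66 SSL connection from 10.0.0.7 to 10.0.0.1
[15/Jun/2008:12:23:09 +0200] conn=14 op=0 BIND dn="uid=bob,ou=People,dc=example,dc=org" method=128 version=3
[15/Jun/2008:12:23:12 +0200] conn=15 fd=67 slot=67 connection from 10.0.0.8 to 10.0.0.1
[15/Jun/2008:12:23:12 +0200] conn=15 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
"""

CONN_RE = re.compile(r'\] conn=(\d+) fd=\d+ slot=\d+ (SSL )?connection from (\S+) to ')
TLS_RE = re.compile(r'\] conn=(\d+) SSL \d+-bit')
BIND_RE = re.compile(r'\] conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=(\S+)')

def find_cleartext_simple_binds(lines):
    """Return (conn, op, dn, client_ip) for each simple bind (method=128)
    sent on a connection that had not negotiated SSL/TLS at that point.
    Anonymous simple binds (empty dn) carry no password and are skipped."""
    client, secured, findings = {}, set(), []
    for line in lines:
        m = CONN_RE.search(line)
        if m:
            conn, ssl, ip = m.groups()
            client[conn] = ip
            if ssl:                      # accepted on the LDAPS listener (636)
                secured.add(conn)
            continue
        m = TLS_RE.search(line)
        if m:                            # TLS is up, either LDAPS or after startTLS
            secured.add(m.group(1))
            continue
        m = BIND_RE.search(line)
        if m:
            conn, op, dn, method = m.groups()
            if method == "128" and dn and conn not in secured:
                findings.append((conn, int(op), dn, client.get(conn, "?")))
    return findings

if __name__ == "__main__":
    for conn, op, dn, ip in find_cleartext_simple_binds(SAMPLE_LOG.splitlines()):
        print(f"cleartext simple bind: conn={conn} op={op} dn={dn} from {ip}")
```

Only conn 12 is reported: conn 13 bound after startTLS, conn 14 came in on the LDAPS listener, and conn 15 used SASL/GSSAPI, which carries no clear-text password.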
 
Old 06-15-2008, 11:51 AM
Dael Maselli
 
Simple Bind only in secured channel

Michael Ströder, on 15/06/2008 13.30, wrote:

> Dael Maselli wrote:
>
>> I _need_ to support GSSAPI auth too, and it doesn't work with SSL!
>
> Do you mean you require SASL bind with GSSAPI within the LDAP connection?

Yes.

> The Kerberos authentication itself is not affected by SSL anyway since
> the traffic between clients, KDC and servers is protected by shared
> secrets.

Yes, but I remember that if I do something like `ldapsearch -Y GSSAPI -h ldaps://server:636`
it says that GSSAPI is not supported over SSL. Am I wrong?




 
Old 06-16-2008, 03:49 PM
Rich Megginson
 
Simple Bind only in secured channel

Dael Maselli wrote:

> Hi all,
>
> is there any method to deny simple bind operation unless in a secure
> channel (SSL or STARTTLS)?

No. This relates to another requested feature, which is the ability to
deny anonymous bind or other anonymous operations. I would like to get
some requirements for such a feature.

* allow simple bind/anonymous operations only over a secure channel?
* allow simple bind/anonymous operations for certain hosts/IP addresses?
* allow only certain anonymous operations, like startTLS and the
password change extop? others?
* other access control features related to the above?

> Do I have to write a plug-in? Hints?

Yes, at this point it would have to be a plug-in, most likely a bind
pre-op plug-in.


 
Old 06-16-2008, 03:50 PM
Rich Megginson
 
Simple Bind only in secured channel

Dael Maselli wrote:

> Michael Ströder, on 15/06/2008 13.30, wrote:
>
>> Dael Maselli wrote:
>>
>>> I _need_ to support GSSAPI auth too, and it doesn't work with SSL!
>>
>> Do you mean you require SASL bind with GSSAPI within the LDAP
>> connection?
>
> Yes.
>
>> The Kerberos authentication itself is not affected by SSL anyway
>> since the traffic between clients, KDC and servers is protected by
>> shared secrets.
>
> Yes, but I remember that if I do something like `ldapsearch -Y GSSAPI
> -h ldaps://server:636`
> it says that GSSAPI is not supported over SSL. Am I wrong?

Fedora DS does not support this. Please file a bug for this. There may
already be a bug about this too.





 
Old 06-16-2008, 05:00 PM
Gary Windham
 
Simple Bind only in secured channel

On Jun 16, 2008, at 8:49 AM, Rich Megginson wrote:

> Dael Maselli wrote:
>
>> Hi all,
>>
>> is there any method to deny simple bind operation unless in a secure
>> channel (SSL or STARTTLS)?
>
> No. This relates to another requested feature, which is the ability
> to deny anonymous bind or other anonymous operations. I would like
> to get some requirements for such a feature.
>
> * allow simple bind/anonymous operations only over a secure channel?
> * allow simple bind/anonymous operations for certain hosts/IP
> addresses?
> * allow only certain anonymous operations, like startTLS and the
> password change extop? others?
> * other access control features related to the above?
>
>> Do I have to write a plug-in? Hints?
>
> Yes, at this point it would have to be a plug-in, most likely a bind
> pre-op plug-in.

I have a bind pre-op plugin that meets the first two requirements; I
would be happy to share it with anyone interested.


Thanks,
--Gary

--
Gary Windham
Senior Enterprise Systems Architect
The University of Arizona, UITS
+1 520 626 5981

 
