Bugtraq mailing list archives

login_ldap security announcement


From: Peter Werner <peterw () ifost org au>
Date: Fri, 21 Feb 2003 09:09:36 +1100

Sebastian Stark from Directory Applications for Advanced Security and 
Information Management (http://www.daasi.de) has found a serious issue 
with login_ldap, affecting all versions. login_ldap is a BSD 
Authentication module for authenticating users off an LDAP server, and 
runs on OpenBSD and BSD/OS. It is third party software, and is not 
part of OpenBSD or BSD/OS.

From http://www.openldap.org/doc/admin/security.html

"An unauthenticated bind results in an anonymous authorization. 
Unauthenticated bind mechanism is disabled by default, but can 
be enabled by specifying "allow bind_anon_cred" in slapd.conf(5). 
As a number of LDAP applications mistakenly generate 
unauthenticated bind request when authenticated access was 
intended (that is, they do not ensure a password was provided), 
this mechanism should generally not be enabled."

In OpenLDAP 2.0.x, the following operations lead to an anonymous bind
by default:

 - BIND with DN set but no password provided (bind_anon_dn)
 - BIND with no DN but a password was provided (bind_anon_cred)
 - BIND with no DN and no password (bind_anon)

You can disable any of those BIND methods by putting 'disallow
<feature>' into your slapd.conf where <feature> stands for the
corresponding keyword given in parentheses above.

In OpenLDAP 2.1.x all but bind_anon are disabled by default. For an
authentication service this is probably what most people want.

login_ldap has been updated to check that a password has been provided.
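To make the three bind forms and the client-side fix concrete, here is an added example (not code from login_ldap or OpenLDAP): a small simulation of the slapd bind policy described above, with the unchecked and checked login routines side by side. The policy class, the in-memory directory and the DN are constructed for the example.

```python
# Added example, not the login_ldap or OpenLDAP source. Simulates the OpenLDAP
# 2.0.x bind policy from the advisory and the client-side password check that
# login_ldap 3.3 adds. Names and the directory contents are constructed.
from dataclasses import dataclass


@dataclass
class SlapdPolicy:
    """Which anonymous-bind forms slapd accepts (True = allowed).
    2.0.x defaults: all three allowed; 2.1.x: only bind_anon allowed."""
    bind_anon_dn: bool = True     # DN given, no password
    bind_anon_cred: bool = True   # password given, no DN
    bind_anon: bool = True        # neither DN nor password


# Constructed directory: DN -> password (plaintext only for the simulation).
DIRECTORY = {"uid=alice,ou=people,dc=example,dc=org": "s3cret"}


def slapd_bind(policy: SlapdPolicy, dn: str, password: str) -> str:
    """Return 'authenticated', 'anonymous' or 'invalid credentials'."""
    if not dn and not password:
        return "anonymous" if policy.bind_anon else "invalid credentials"
    if dn and not password:
        return "anonymous" if policy.bind_anon_dn else "invalid credentials"
    if password and not dn:
        return "anonymous" if policy.bind_anon_cred else "invalid credentials"
    ok = DIRECTORY.get(dn) == password
    return "authenticated" if ok else "invalid credentials"


def login_unchecked(policy: SlapdPolicy, dn: str, password: str) -> bool:
    """The mistake the advisory describes: any bind that does not fail is
    treated as a successful login, so an empty password logs the user in
    whenever slapd allows bind_anon_dn."""
    return slapd_bind(policy, dn, password) != "invalid credentials"


def login_checked(policy: SlapdPolicy, dn: str, password: str) -> bool:
    """The fix: refuse empty credentials before binding at all, and accept
    only a genuinely authenticated bind (an anonymous result is never a login)."""
    if not dn or not password:
        return False
    return slapd_bind(policy, dn, password) == "authenticated"
```

The second defence shown, `disallow bind_anon_dn` on the server, stops the unchecked client too, but the client-side check is the one an application can rely on regardless of how the server is configured.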

It is available here: http://www.ifost.org.au/~peterw/login_ldap-3.3.tar.gz
MD5 (login_ldap-3.3.tar.gz) = 52e905d54a136c3d850158f4f7548a3f

The other main change is that it is no longer installed setuid root; please see the
README included for more information.

I would encourage other people writing LDAP applications to check their 
software for this issue. Many thanks to Sebastian for his help with this
issue, work on a suitable fix and this advisory.

Peter Werner
Feb 21, 2003
--
IFOST: http://www.ifost.org.au
