Possible Kolab LDAP configuration information disclosure
Luca Villani
luca.villani at wseurope.com
Wed Apr 21 10:33:00 CEST 2004
At 09:19, Wednesday 21 April 2004, Thomas Lotterer wrote:
> > What is the gain? (It can be abused also in the encoded form)
>
> Nothing. I agree with Martin.
If you and Martin say this, you never tested it:
From slapd.conf:
rootdn "cn=Admin,o=Some Company,c=IT"
rootpw {SSHA}Lh+KeWTSRMvSX03JUMbkQ01fwA+Uq9Il
A simple test:
[root at soma root]# ldapsearch -x -h localhost -b "o=Some Company,c=IT" \
> -s sub -D "CN=Admin,o=Some Company,c=IT" -W
Enter LDAP Password: {SSHA}Lh+KeWTSRMvSX03JUMbkQ01fwA+Uq9Il
ldap_bind: Inappropriate authentication
[root at soma root]#
Another test, done via Apache LDAP authentication, says "Authentication failed.
Do you want to retry?".
As far as there are no other requirements in Kolab packages, your approach is
broken by design.
And is discouraged by OpenLDAP guys.
I'm not a coder, I'm a sysadm.
And a BOFH too.
I cannot help anyone in developing an application, but I can help in testing
software and securing applications: IMNSHO this is a security bug.
If all you guys want some help like this, I'm here.
> It is an unresolved problem in computer science that any application
> doing automated authentication using a secret must have the secret
> available. The simplest way is to store it for reading which is what
> Kolab does.
*Where* does Kolab require "automated authentication"?
> Using encryption does not help anything. If the password can be used in the
> encrypted form it is as valuable as the unencrypted form.
AFAIK you can't use encrypted form in automated authentication against
OpenLDAP. Here we are talking about OpenLDAP and Kolab: does Kolab require
automated authentication against LDAP?
> A simple and still close to solution approach is to protect the storage
> from being read by unauthorized persons. Which should be done.
No: the standard QIM installation creates a 644 slapd.conf.
Now, just some explanations.
I'm not interested in polemics, I like Kolab and I'm planning to use it in
our production environment. I'm taking a look at all security aspects, and
IMNSHO this *is* a security problem.
If you don't consider it a problem, I simply manually put an encrypted form
password in my slapd.conf.
--
Luca Villani Wireless Solutions spa - DADA group
NOC manager Europe HQ, via Castiglione 25 Bologna
http://www.wseurope.com Tel: +39 051 2966826 Fax: +39 051 2966800
GPG public key available Mobile: +39 348 5298542 UIN: 76272621
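The ldapsearch test above hinges on how slapd checks a {SSHA} rootpw: it re-hashes whatever the client sends with the stored salt and compares digests, so the hash string itself never matches. The Python below is an added illustration of that check, not code from the thread or from Kolab/OpenLDAP; the format it assumes is the one slappasswd produces ("{SSHA}" + base64(sha1(password + salt) + salt)), and the password and salt it uses are constructed.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

PREFIX = "{SSHA}"
SHA1_LEN = 20  # a SHA-1 digest is 20 bytes; whatever follows it is the salt


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Build a {SSHA} value in the form slappasswd emits for slapd.conf rootpw."""
    if salt is None:
        salt = os.urandom(4)  # short random salt, as slappasswd uses
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return PREFIX + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(candidate: str, stored: str) -> bool:
    """Check a bind password the way slapd does: re-hash with the stored salt, compare digests."""
    if not stored.startswith(PREFIX):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len(PREFIX):])
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    recomputed = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(recomputed, digest)


def hash_reusable_as_password(stored: str) -> bool:
    """True only if sending the stored hash string as the password would bind (it does not)."""
    return ssha_verify(stored, stored)


if __name__ == "__main__":
    stored = ssha_hash("correct horse")  # constructed secret, not the value from the post
    print("rootpw", stored)
    print("real password binds:", ssha_verify("correct horse", stored))  # True
    print("hash string binds:  ", hash_reusable_as_password(stored))     # False
```

The reverse point of the thread still stands: a 644 slapd.conf exposes the salted hash to offline guessing, so the file mode matters even though the hash is not a usable credential.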