[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: pam_ldap doesn't bind SIMPLE for anonymous auth?

To: Jo Rhett <jrhett@netconsonance.com>
Subject: Re: pam_ldap doesn't bind SIMPLE for anonymous auth?
From: Howard Chu <hyc@symas.com>
Date: Wed, 09 Jun 2010 17:50:09 -0700
Cc: Russ Allbery <rra@stanford.edu>, openldap-technical@openldap.org
In-reply-to: <DFE2372E-A371-43B8-935B-CC4E311B1682@netconsonance.com>
References: <FD13C45B-653C-4E64-B363-3D8B983A258D@netconsonance.com> <201006071150.56950.bgmilne@staff.telkomsa.net> <B1AFB4EE-1B9E-4D7F-9520-7DD344D065A5@netconsonance.com> <87zkz4yp3h.fsf@windlord.stanford.edu> <DFE2372E-A371-43B8-935B-CC4E311B1682@netconsonance.com>
User-agent: Mozilla/5.0 (X11; U; Linux x86_64; rv:1.9.3a5pre) Gecko/20100607 Firefox 3.6

Jo Rhett wrote:

On Jun 9, 2010, at 12:37 PM, Russ Allbery wrote:

I can tell you in general why a PAM module would do that.  One of the
....
much faster than the first.  This information disclosure vulnerability
could then be used to further target brute-force password attacks and



I understand that. I believe that my complaint about the logging problem
is

valid. If you look at the log excepts below, it appears that in one scenario
no BIND attempt occurred. Logging it for success but not for failure in the
logs (see where it skips right to send-ldap_result without logging the BIND
attempt) tends to lead someone down the wrong road when debugging the problem.

You're overlooking the obvious fact, which we repeat on these lists far toomany times, that syslog is lossy and cannot be relied on as a debugging aid.There's a reason slapd has an explicit -d debug flag, distinct from the syslogflags.

Your log excerpt here clearly shows that it's sending a reply to an operationwith id op=2, so obviously some other operations have already occurred on thisconnection. (Since operation counters always start from 0.) Either they'remissing from your log or you just didn't snip the right portion of the log.Either way, the fact that there's no Bind request in this snippet doesn't meanthat the Bind request didn't occur, or that slapd didn't attempt to send it tosyslog.

Jun  4 14:58:52 ldap-server slapd[5158]: =>  dn: [1]
Jun  4 14:58:52 ldap-server slapd[5158]: =>  acl_get: [2] attr userPassword
Jun  4 14:58:52 ldap-server slapd[5158]: access_allowed: no res from state (userPassword)
Jun  4 14:58:52 ldap-server slapd[5158]: =>  acl_mask: access to entry "uid=jrhett,ou=Users,dc=equinix,dc=com", attr "userPassword" requested
Jun  4 14:58:52 ldap-server slapd[5158]: =>  acl_mask: to value by "", (=0)
Jun  4 14:58:52 ldap-server slapd[5158]:<= check a_dn_pat: anonymous
Jun  4 14:58:52 ldap-server slapd[5158]:<= acl_mask: [1] applying auth(=xd) (stop)
Jun  4 14:58:52 ldap-server slapd[5158]:<= acl_mask: [1] mask: auth(=xd)
Jun  4 14:58:52 ldap-server slapd[5158]: =>  access_allowed: auth access granted by auth(=xd)
Jun  4 14:58:52 ldap-server slapd[5158]: send_ldap_result: conn=75 op=2 p=3
Jun  4 14:58:52 ldap-server slapd[5158]: send_ldap_result: err=49 matched="" text=""
Jun  4 14:58:52 ldap-server slapd[5158]: send_ldap_response: msgid=3 tag=97 err=49
Jun  4 14:58:52 ldap-server slapd[5158]: conn=75 op=2 RESULT tag=97 err=49 text=


Jun  4 15:02:54 ldap-server slapd[5158]: =>  acl_get: [2] attr userPassword
Jun  4 15:02:54 ldap-server slapd[5158]: access_allowed: no res from state (userPassword)
Jun  4 15:02:54 ldap-server slapd[5158]: =>  acl_mask: access to entry "uid=jrhett,ou=Users,dc=equinix,dc=com", attr "userPassword" requested
Jun  4 15:02:54 ldap-server slapd[5158]: =>  acl_mask: to value by "", (=0)
Jun  4 15:02:54 ldap-server slapd[5158]:<= check a_dn_pat: anonymous
Jun  4 15:02:54 ldap-server slapd[5158]:<= acl_mask: [1] applying auth(=xd) (stop)
Jun  4 15:02:54 ldap-server slapd[5158]:<= acl_mask: [1] mask: auth(=xd)
Jun  4 15:02:54 ldap-server slapd[5158]: =>  access_allowed: auth access granted by auth(=xd)
Jun  4 15:02:54 ldap-server slapd[5158]: conn=83 op=0 BIND dn="uid=jrhett,ou=Users,dc=equinix,dc=com" mech=SIMPLE ssf=0
Jun  4 15:02:54 ldap-server slapd[5158]: do_bind: v3 bind: "uid=jrhett,ou=Users,dc=equinix,dc=com" to "uid=jrhett,ou=Users,dc=equinix,dc=com"
Jun  4 15:02:54 ldap-server slapd[5158]: send_ldap_result: conn=83 op=0 p=3
Jun  4 15:02:54 ldap-server slapd[5158]: send_ldap_result: err=0 matched="" text=""
Jun  4 15:02:54 ldap-server slapd[5158]: send_ldap_response: msgid=1 tag=97 err=0
Jun  4 15:02:54 ldap-server slapd[5158]: conn=83 op=0 RESULT tag=97 err=0 text=
Jun  4 15:02:54 ldap-server slapd[5158]: daemon: activity on 1 descriptor
Jun  4 15:02:54 ldap-server slapd[5158]: daemon: activity on:



--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/

References:
- pam_ldap doesn't bind SIMPLE for anonymous auth?
  - From: Jo Rhett <jrhett@netconsonance.com>
- Re: pam_ldap doesn't bind SIMPLE for anonymous auth?
  - From: Buchan Milne <bgmilne@staff.telkomsa.net>
- Re: pam_ldap doesn't bind SIMPLE for anonymous auth?
  - From: Jo Rhett <jrhett@netconsonance.com>
- Re: pam_ldap doesn't bind SIMPLE for anonymous auth?
  - From: Russ Allbery <rra@stanford.edu>
- Re: pam_ldap doesn't bind SIMPLE for anonymous auth?
  - From: Jo Rhett <jrhett@netconsonance.com>

Prev by Date: Re: help SSL on Openldap and java
Next by Date: Best practices LDAP root domain name
Index(es):
- Chronological
- Thread