OpenLDAP
Viewing Contrib/8267
From: ingo.voss@gmail.com
Subject: contributing a new overlay unicodepw
Date: Sat, 10 Oct 2015 19:32:21 +0000
From: ingo.voss@gmail.com
To: openldap-its@OpenLDAP.org
Subject: contributing a new overlay unicodepw
Full_Name: Ingo Voss
Version: 
OS: 
URL: ftp://ftp.openldap.org/incoming/contrib-slapd-modules-unicodepw.tar
Submission from: (NULL) (78.53.86.212)


Hello,

I wrote a small overlay that restricts all LDAP modification requests so that
only password changes for MS unicodePwd are possible.
All other LDAP requests will not be observed.
If someone needs a read-only proxy (e.g. in a DMZ) for an MS Active Directory,
but password changes must be possible, then unicodepw is the right overlay.
For more information, a manual page is included.

Kind regards

Ingo Voss

Followup 1

Date: Sun, 11 Oct 2015 20:33:54 +0200
Subject: ITS#8267
From: Ingo Voss <ingo.voss@gmail.com>
To: openldap-its@openldap.org
Hello,

after rereading, I've made a few changes to the manual page, so that
the old tar package can be discarded.
Please use instead the old package now:
ftp://ftp.openldap.org/incoming/contrib-slapd-modules-unicodepw-151011.tar

Thanks,
kind regards

Ingo Voss



Followup 2

Subject: Re: (ITS#8267) contributing a new overlay unicodepw
To: ingo.voss@gmail.com, openldap-its@OpenLDAP.org
From: Howard Chu <hyc@symas.com>
Date: Sat, 17 Oct 2015 19:58:13 +0100
ingo.voss@gmail.com wrote:
> Full_Name: Ingo Voss
> Version:
> OS:
> URL: ftp://ftp.openldap.org/incoming/contrib-slapd-modules-unicodepw.tar
> Submission from: (NULL) (78.53.86.212)
>
>
> Hello,
>
> I wrote a small overlay, that restricts all LDAP modification requests, so
> that only password changes for MS unicodePwd are possible.
> All  other  LDAP requests will not be observed.
> If someone needs a read-only proxy (in a e.g. dmz) for an MS Active
> Directory, but password changes must be possible, then unicodepw is the
> right overlay.
> For more informations, a manual page is included.

If you want a read-only proxy, shouldn't this overlay also intercept and deny 
all Add/Delete/ModDN requests?

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/



Followup 3

Subject: Re: (ITS#8267) contributing a new overlay unicodepw
To: Howard Chu <hyc@symas.com>, ingo.voss@gmail.com, openldap-its@OpenLDAP.org
From: Ingo Voss <ingo.voss@freenet.de>
Date: Sun, 18 Oct 2015 17:23:47 +0200

Am 17.10.2015 um 20:58 schrieb Howard Chu:
> ingo.voss@gmail.com wrote:
>> Full_Name: Ingo Voss
>> Version:
>> OS:
>> URL: ftp://ftp.openldap.org/incoming/contrib-slapd-modules-unicodepw.tar
>> Submission from: (NULL) (78.53.86.212)
>>
>>
>> Hello,
>>
>> I wrote a small overlay, that restricts all LDAP modification 
>> requests, so that
>> only password changes for MS unicodePwd are possible.
>> All  other  LDAP requests will not be observed.
>> If someone needs a read-only proxy (in a e.g. dmz) for an MS Active 
>> Directory,
>> but password changes must be possible, then unicodepw is the right 
>> overlay.
>> For more informations, a manual page is included.
>
> If you want a read-only proxy, shouldn't this overlay also intercept 
> and deny all Add/Delete/ModDN requests?
>

Yes, you are right! But such an overlay (denyop) exists already and it is 
working well.
The manual page for unicodepw refers to denyop and describes the 
complete configuration in detail.

Kind regards
Ingo
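The division of labour agreed above (denyop refuses Add/Delete/ModDN outright; unicodepw lets a Modify through only when it is a unicodePwd password change) can be expressed as a small policy. The following is an added illustration written for this page, not code from the unicodepw or denyop overlays; the ModifyRequest and Mod structures are hypothetical simplifications of what slapd hands an overlay in its modify hook, and the extra well-formedness check on the value (AD expects the new password wrapped in double quotes and encoded UTF-16LE) is an assumption of this example, not something the thread says the overlay does. It goes slightly beyond the thread by also covering the delete-old/add-new form of an AD user-initiated password change.

```python
"""Policy for a read-only AD proxy that still permits password changes.

Added illustration, not the unicodepw or denyop overlay code: it models the
per-request decision those overlays make. ModifyRequest/Mod are hypothetical
simplifications of the structures slapd passes to an overlay's modify hook.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

MOD_ADD, MOD_DELETE, MOD_REPLACE = 0, 1, 2   # Modify operation codes, RFC 4511
UNICODE_PWD = "unicodePwd"


@dataclass
class Mod:
    op: int
    attr: str
    values: List[bytes] = field(default_factory=list)


@dataclass
class ModifyRequest:
    dn: str
    mods: List[Mod]


def encode_unicode_pwd(password: str) -> bytes:
    """AD takes the new password wrapped in double quotes, encoded UTF-16LE."""
    return f'"{password}"'.encode("utf-16-le")


def decode_unicode_pwd(value: bytes) -> Optional[str]:
    """Return the plaintext if value is a well-formed unicodePwd value, else None."""
    if len(value) % 2:
        return None
    try:
        text = value.decode("utf-16-le")
    except UnicodeDecodeError:
        return None
    if len(text) < 2 or text[0] != '"' or text[-1] != '"':
        return None
    return text[1:-1]


def allow_modify(req: ModifyRequest) -> Tuple[bool, str]:
    """Allow a Modify only if every mod touches unicodePwd and the shape is one
    AD accepts: a single replace (administrative reset) or delete-old/add-new
    (user-initiated change). A request that smuggles another attribute in
    alongside the password change is rejected as a whole."""
    if not req.mods:
        return False, "empty modify"
    for m in req.mods:
        if m.attr.lower() != UNICODE_PWD.lower():
            return False, f"attribute {m.attr} may not be modified here"
    ops = [m.op for m in req.mods]
    if ops not in ([MOD_REPLACE], [MOD_DELETE, MOD_ADD]):
        return False, "unsupported sequence of unicodePwd operations"
    for m in req.mods:
        if len(m.values) != 1 or decode_unicode_pwd(m.values[0]) is None:
            return False, "unicodePwd value must be a single quoted UTF-16LE string"
    return True, "unicodePwd change"


def allow_operation(op: str, req: Optional[ModifyRequest] = None) -> Tuple[bool, str]:
    """Per-operation gate for the proxy: add/delete/modrdn are denied outright
    (denyop's role), modify goes through the unicodePwd filter, and read-only
    operations pass through untouched."""
    op = op.lower()
    if op in ("add", "delete", "modrdn"):
        return False, f"{op} denied on read-only proxy"
    if op == "modify":
        return allow_modify(req) if req is not None else (False, "no request")
    return True, f"{op} passed through"


if __name__ == "__main__":
    # Constructed sample requests (not captured traffic).
    dn = "CN=alice,OU=Users,DC=example,DC=com"
    reset = ModifyRequest(dn, [Mod(MOD_REPLACE, "unicodePwd", [encode_unicode_pwd("N3w-Passw0rd!")])])
    change = ModifyRequest(dn, [Mod(MOD_DELETE, "unicodePwd", [encode_unicode_pwd("Old-Passw0rd!")]),
                                Mod(MOD_ADD, "unicodePwd", [encode_unicode_pwd("N3w-Passw0rd!")])])
    smuggle = ModifyRequest(dn, [Mod(MOD_REPLACE, "unicodePwd", [encode_unicode_pwd("x")]),
                                 Mod(MOD_REPLACE, "userAccountControl", [b"512"])])
    for name, op, r in [("reset", "modify", reset), ("change", "modify", change),
                        ("smuggle", "modify", smuggle), ("add", "add", None),
                        ("search", "search", None)]:
        print(name, allow_operation(op, r))
```

The attribute comparison is case-insensitive because LDAP attribute descriptions are; an overlay that matched "unicodePwd" byte-for-byte would let "UNICODEPWD" through to whichever backend sits behind it.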



Followup 4

Subject: Re: (ITS#8267) contributing a new overlay unicodepw
To: Ingo Voss <ingo.voss@freenet.de>, ingo.voss@gmail.com,
 openldap-its@OpenLDAP.org
From: Howard Chu <hyc@symas.com>
Date: Sun, 25 Oct 2015 08:28:20 +0000
Ingo Voss wrote:
>
>
> Am 17.10.2015 um 20:58 schrieb Howard Chu:
>> ingo.voss@gmail.com wrote:
>>> Full_Name: Ingo Voss
>>> Version:
>>> OS:
>>> URL: ftp://ftp.openldap.org/incoming/contrib-slapd-modules-unicodepw.tar
>>> Submission from: (NULL) (78.53.86.212)
>>>
>>>
>>> Hello,
>>>
>>> I wrote a small overlay, that restricts all LDAP modification requests, so
>>> that only password changes for MS unicodePwd are possible.
>>> All  other  LDAP requests will not be observed.
>>> If someone needs a read-only proxy (in a e.g. dmz) for an MS Active
>>> Directory, but password changes must be possible, then unicodepw is the
>>> right overlay.
>>> For more informations, a manual page is included.
>>
>> If you want a read-only proxy, shouldn't this overlay also intercept
>> and deny all Add/Delete/ModDN requests?
>>
>
> Yes, you are right! But such overlay (denyop) exist already and it is
> working well.
> The manual page for unicodepw refers to denyop and describes the complete
> configuration in detail.

OK.

This code is full of C++ comments. OpenLDAP uses C comments only.

This code is full of SPACEs for indentation. OpenLDAP uses TAB characters for 
indentation, with 4-column tab stops.

Your debug messages are using STATS debug level. STATS is reserved for LDAP 
operation/parameter logging only and is the default level. Code should be 
silent at the default level unless major errors have occurred.

This code cannot be accepted in its current form.
-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/



Followup 5

Date: Thu, 5 Nov 2015 12:09:49 +0100
Subject: Re: (ITS#8267) contributing a new overlay unicodepw
From: Ingo Voss <ingo.voss@gmail.com>
To: Howard Chu <hyc@symas.com>
Cc: Ingo Voss <ingo.voss@freenet.de>, openldap-its@openldap.org
2015-10-25 9:28 GMT+01:00 Howard Chu <hyc@symas.com>:
> Ingo Voss wrote:
>>
>>
>>
>> Am 17.10.2015 um 20:58 schrieb Howard Chu:
>>>
>>> ingo.voss@gmail.com wrote:
>>>>
>>>> Full_Name: Ingo Voss
>>>> Version:
>>>> OS:
>>>> URL: ftp://ftp.openldap.org/incoming/contrib-slapd-modules-unicodepw.tar
>>>> Submission from: (NULL) (78.53.86.212)
>>>>
>>>>
>>>> Hello,
>>>>
>>>> I wrote a small overlay, that restricts all LDAP modification requests,
>>>> so that only password changes for MS unicodePwd are possible.
>>>> All  other  LDAP requests will not be observed.
>>>> If someone needs a read-only proxy (in a e.g. dmz) for an MS Active
>>>> Directory, but password changes must be possible, then unicodepw is the
>>>> right overlay.
>>>> For more informations, a manual page is included.
>>>
>>>
>>> If you want a read-only proxy, shouldn't this overlay also intercept and
>>> deny all Add/Delete/ModDN requests?
>>>
>>
>> Yes, you are right! But such overlay (denyop) exist already and it is
>> working well.
>> The manual page for unicodepw refers to denyop and describes the complete
>> configuration in detail.
>
>
> OK.
>
> This code is full of C++ comments. OpenLDAP uses C comments only.
>
> This code is full of SPACEs for indentation. OpenLDAP uses TAB characters
> for indentation, with 4-column tab stops.

OK, I'll change that.

>
> Your debug messages are using STATS debug level. STATS is reserved for LDAP
> operation/parameter logging only and is the default level. Code should be
> silent at the default level unless major errors have occurred.

Can you please guide me on what log level should be used for such
security-related messages?
The messages are only logged if a password is changed. (Normally,
password changes are very rare and make little noise.)

Thanks, Ingo


The OpenLDAP Issue Tracking System uses a hacked version of JitterBug

______________
© Copyright 2013, OpenLDAP Foundation, info@OpenLDAP.org