OpenLDAP
Viewing Incoming/7420

From: kmenshikov@hostcomm.ru
Subject: Way to bypass overlay unique and constraint

Date: Tue, 23 Oct 2012 06:46:49 +0000
From: kmenshikov@hostcomm.ru
To: openldap-its@OpenLDAP.org
Subject: Way to bypass overlay unique and constraint
Full_Name: Konstantin Menshikov
Version: 2.4.33
OS: FreeBSD 8.2-RELEASE-p4
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (212.116.101.94)


The unique and constraint overlays use the list of attributes for the check.
If we use a restriction by RDN (attribute cn, for example) and don't add attribute
cn in the LDIF file, we can bypass the restriction.

Overlay unique looks at the list of attributes in op->ora_e->e_attrs;
if this list does not contain attribute cn, the check isn't run.

IMHO: the problem is not in the overlays, but in slapd code that allows adding an
object without explicitly setting the RDN.


Example configuration:
[root@rdn.problem openldap]# cat slapd.conf
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include         /usr/local/etc/openldap/schema/core.schema
include         /usr/local/etc/openldap/schema/corba.schema
include         /usr/local/etc/openldap/schema/cosine.schema
include         /usr/local/etc/openldap/schema/dyngroup.schema
include         /usr/local/etc/openldap/schema/inetorgperson.schema
include         /usr/local/etc/openldap/schema/java.schema
include         /usr/local/etc/openldap/schema/misc.schema
include         /usr/local/etc/openldap/schema/nis.schema
include         /usr/local/etc/openldap/schema/openldap.schema
include         /usr/local/etc/openldap/schema/ppolicy.schema
include         /usr/local/etc/openldap/schema/sudo.schema
include         /usr/local/etc/openldap/schema/samba.schema
include         /usr/local/etc/openldap/schema/spamassassin.schema
include         /usr/local/etc/openldap/schema/openssh-lpk.schema
include         /usr/local/etc/openldap/schema/vega-base.schema
include         /usr/local/etc/openldap/schema/vega-corp.schema
include         /usr/local/etc/openldap/schema/vega-net.schema
include         /usr/local/etc/openldap/schema/oversun-base.schema
include         /usr/local/etc/openldap/schema/oversun-corp.schema
include         /usr/local/etc/openldap/schema/oversun-mail.schema
include         /usr/local/etc/openldap/schema/oversun-net.schema
include         /usr/local/etc/openldap/schema/asterisk.schema


# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral       ldap://root.openldap.org

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args
loglevel        config stats sync trace

# Load dynamic backend modules:
modulepath      /usr/local/libexec/openldap
moduleload      back_hdb

database        hdb
suffix          "o=company"
rootdn          "cn=ldapadm,o=company"
rootpw          password
directory       /var/db/openldap-data/o=company

overlay unique
unique_uri 	ldap:///ou=groups,o=company?cn?sub

How to repeat:

[root@rdn.problem openldap]# ldapadd -D cn=ldapadm,o=company -wpassword -H ldap://127.0.0.5:389 -f /root/add.ldif.false
adding new entry "cn=test,ou=system,ou=groups,o=company"
ldap_add: Constraint violation (19)
	additional info: some attributes not unique

[root@rdn.problem openldap]# cat /root/add.ldif.false
dn: cn=test,ou=system,ou=groups,o=company
changetype: add
objectClass: posixGroup
description: test
cn: test
gidNumber: 1000
[root@rdn.problem openldap]# ldapadd -D cn=ldapadm,o=company -wpassword -H ldap://127.0.0.5:389 -f /root/add.ldif.true
adding new entry "cn=test,ou=system,ou=groups,o=company"

[root@rdn.problem openldap]# cat /root/add.ldif.true 
dn: cn=test,ou=system,ou=groups,o=company
changetype: add
objectClass: posixGroup
description: test
gidNumber: 1000
[root@rdn.problem openldap]# diff -U 3 /root/add.ldif.false /root/add.ldif.true

--- /root/add.ldif.false	2012-10-23 06:22:16.000000000 +0000
+++ /root/add.ldif.true	2012-10-23 06:22:25.000000000 +0000
@@ -2,5 +2,4 @@
 changetype: add
 objectClass: posixGroup
 description: test
-cn: test
 gidNumber: 1000
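Review bot: the only change in this hunk is the removal of `cn: test`, so the second add carries no value at all for the attribute the unique_uri targets (cn), and because slapd accepts an add whose body omits the RDN attribute, the overlay's scan of e_attrs has nothing to compare, which is the bypass the report describes. Since the two records are otherwise identical, the difference in outcome between add.ldif.false and add.ldif.true is attributable to that single line, which makes this a clean minimal reproduction.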


Log file records:

Oct 23 06:23:21 rdn slapd[44326]: slap_listener_activate(6): 
Oct 23 06:23:21 rdn slapd[44326]: >>> slap_listener(ldap://)
Oct 23 06:23:21 rdn slapd[44326]: conn=1006 fd=10 ACCEPT from IP=127.0.0.5:17098 (IP=0.0.0.0:389)
Oct 23 06:23:21 rdn slapd[44326]: connection_get(10): got connid=1006
Oct 23 06:23:21 rdn slapd[44326]: connection_read(10): checking for input on id=1006
Oct 23 06:23:21 rdn slapd[44326]: op tag 0x60, time 1350973401
Oct 23 06:23:21 rdn slapd[44326]: conn=1006 op=0 do_bind
Oct 23 06:23:21 rdn slapd[44326]: >>> dnPrettyNormal: <cn=ldapadm,o=company>
Oct 23 06:23:21 rdn slapd[44326]: <<< dnPrettyNormal: <cn=ldapadm,o=company>, <cn=ldapadm,o=company>
Oct 23 06:23:21 rdn slapd[44326]: conn=1006 op=0 BIND dn="cn=ldapadm,o=company" method=128
Oct 23 06:23:21 rdn slapd[44326]: do_bind: version=3 dn="cn=ldapadm,o=company" method=128
Oct 23 06:23:21 rdn slapd[44326]: conn=1006 op=0 BIND dn="cn=ldapadm,

Message of length 13710 truncated

Followup 1

Date: Tue, 23 Oct 2012 06:10:48 -0700
From: Howard Chu <hyc@symas.com>
To: kmenshikov@hostcomm.ru
CC: openldap-its@openldap.org
Subject: Re: (ITS#7420) Way to bypass overlay unique and constraint
kmenshikov@hostcomm.ru wrote:
> Full_Name: Konstantin Menshikov
> Version: 2.4.33
> OS: FreeBSD 8.2-RELEASE-p4
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (212.116.101.94)
>
>
> The unique and constraint overlays use the list of attributes for the check.
> If we use a restriction by RDN (attribute cn, for example) and don't add
> attribute cn in the LDIF file, we can bypass the restriction.
>
> Overlay unique looks at the list of attributes in op->ora_e->e_attrs;
> if this list does not contain attribute cn, the check isn't run.
>
> IMHO: the problem is not in the overlays, but in slapd code that allows
> adding an object without explicitly setting the RDN.

The slapd behavior was discussed long ago, in ITS#2243. The current slapd 
behavior is consistent with RFC4511 (though this differs from older releases 
and the now obsoleted RFC2251). It seems that because of this behavior, the 
fix will have to be made to each overlay accordingly. It would be nice if we 
had a more centralized approach though.

>
> Example configuration:
> [root@rdn.problem openldap]# cat slapd.conf
> #
> # See slapd.conf(5) for details on configuration options.
> # This file should NOT be world readable.
> #
> include         /usr/local/etc/openldap/schema/core.schema
> include         /usr/local/etc/openldap/schema/corba.schema
> include         /usr/local/etc/openldap/schema/cosine.schema
> include         /usr/local/etc/openldap/schema/dyngroup.schema
> include         /usr/local/etc/openldap/schema/inetorgperson.schema
> include         /usr/local/etc/openldap/schema/java.schema
> include         /usr/local/etc/openldap/schema/misc.schema
> include         /usr/local/etc/openldap/schema/nis.schema
> include         /usr/local/etc/openldap/schema/openldap.schema
> include         /usr/local/etc/openldap/schema/ppolicy.schema
> include         /usr/local/etc/openldap/schema/sudo.schema
> include         /usr/local/etc/openldap/schema/samba.schema
> include         /usr/local/etc/openldap/schema/spamassassin.schema
> include         /usr/local/etc/openldap/schema/openssh-lpk.schema
> include         /usr/local/etc/openldap/schema/vega-base.schema
> include         /usr/local/etc/openldap/schema/vega-corp.schema
> include         /usr/local/etc/openldap/schema/vega-net.schema
> include         /usr/local/etc/openldap/schema/oversun-base.schema
> include         /usr/local/etc/openldap/schema/oversun-corp.schema
> include         /usr/local/etc/openldap/schema/oversun-mail.schema
> include         /usr/local/etc/openldap/schema/oversun-net.schema
> include         /usr/local/etc/openldap/schema/asterisk.schema
>
>
> # Define global ACLs to disable default read access.
>
> # Do not enable referrals until AFTER you have a working directory
> # service AND an understanding of referrals.
> #referral       ldap://root.openldap.org
>
> pidfile         /var/run/openldap/slapd.pid
> argsfile        /var/run/openldap/slapd.args
> loglevel        config stats sync trace
>
> # Load dynamic backend modules:
> modulepath      /usr/local/libexec/openldap
> moduleload      back_hdb
>
> database        hdb
> suffix          "o=company"
> rootdn          "cn=ldapadm,o=company"
> rootpw          password
> directory       /var/db/openldap-data/o=company
>
> overlay unique
> unique_uri 	ldap:///ou=groups,o=company?cn?sub
>
> How to repeat:
>
> [root@rdn.problem openldap]# ldapadd -D cn=ldapadm,o=company -wpassword -H
> ldap://127.0.0.5:389 -f /root/add.ldif.false
> adding new entry "cn=test,ou=system,ou=groups,o=company"
> ldap_add: Constraint violation (19)
> 	additional info: some attributes not unique
>
> [root@rdn.problem openldap]# cat /root/add.ldif.false
> dn: cn=test,ou=system,ou=groups,o=company
> changetype: add
> objectClass: posixGroup
> description: test
> cn: test
> gidNumber: 1000
> [root@rdn.problem openldap]# ldapadd -D cn=ldapadm,o=company -wpassword -H
> ldap://127.0.0.5:389 -f /root/add.ldif.true
> adding new entry "cn=test,ou=system,ou=groups,o=company"
>
> [root@rdn.problem openldap]# cat /root/add.ldif.true
> dn: cn=test,ou=system,ou=groups,o=company
> changetype: add
> objectClass: posixGroup
> description: test
> gidNumber: 1000
> [root@rdn.problem openldap]# diff -U 3 /root/add.ldif.false /root/add.ldif.true
>
> --- /root/add.ldif.false	2012-10-23 06:22:16.000000000 +0000
> +++ /root/add.ldif.true	2012-10-23 06:22:25.000000000 +0000
> @@ -2,5 +2,4 @@
>   changetype: add
>   objectClass: posixGroup
>   description: test
> -cn: test
>   gidNumber: 1000
>
>
> Log file records:
>
> Oct 23 06:23:21 rdn slapd[44326]: slap_listener_activate(6):
> Oct 23 06:23:21 rdn slapd[44326]: >>> slap_listener(ldap://)
> Oct 23 06:23:21 rdn slapd[4

Message of length 15461 truncated
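As an added example (not OpenLDAP's code) covering both the gap the report describes and the centralized handling Howard's reply wishes for: a small Python model in which the uniqueness check sees only the entry body, beside a variant that folds the RDN values into the attribute list before checking. The LDIF and the pre-existing "test" group are constructed from the report, and the function names are hypothetical.

```python
# Added example, not OpenLDAP code.  LDIF constructed from the two files in the
# report; EXISTING models a group named "test" already present under ou=groups.
LDIF_WITH_CN = """dn: cn=test,ou=system,ou=groups,o=company
changetype: add
objectClass: posixGroup
description: test
cn: test
gidNumber: 1000
"""
EXISTING = {"cn=test,ou=other,ou=groups,o=company": {"cn": ["test"]}}

def parse_ldif(text):
    """One LDIF add record -> (dn, {attr: [values]}); attribute names lowered."""
    dn, attrs = None, {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        key, _, val = line.partition(":")
        key, val = key.strip().lower(), val.strip()
        if key == "dn":
            dn = val
        elif key != "changetype":
            attrs.setdefault(key, []).append(val)
    return dn, attrs

def rdn_attrs(dn):
    """First RDN as {attr: [value]}; simplified, no escaped commas or hex values."""
    out = {}
    for ava in dn.split(",", 1)[0].split("+"):
        k, _, v = ava.partition("=")
        out.setdefault(k.strip().lower(), []).append(v.strip())
    return out

def unique_ok(attrs, existing, checked=("cn",)):
    """The check as the report describes it: only entry-body values are compared (cn: case-insensitive)."""
    for attr in checked:
        for val in attrs.get(attr, []):
            for entry in existing.values():
                if val.lower() in (x.lower() for x in entry.get(attr, [])):
                    return False
    return True

def unique_ok_with_rdn(dn, attrs, existing, checked=("cn",)):
    """Hypothetical centralized fix: fold RDN values into the attribute list before checking."""
    merged = {k: list(v) for k, v in attrs.items()}
    for k, vals in rdn_attrs(dn).items():
        for v in vals:
            if v not in merged.setdefault(k, []):
                merged[k].append(v)
    return unique_ok(merged, existing, checked)
```

Running `unique_ok` on the record without `cn: test` returns True (the bypass), while `unique_ok_with_rdn` on the same record returns False because the RDN value `test` is folded in and collides with the existing group.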

© Copyright 2013, OpenLDAP Foundation, info@OpenLDAP.org