OpenLDAP ITS: Software Bugs/6661
Notes: back-ndb; fixed in HEAD; fixed in RE24
Date: Wed, 29 Sep 2010 14:00:11 +0000
From: gtzanetis@pylones.gr
To: openldap-its@OpenLDAP.org
Subject: rootpw is not verified with slapd.conf
Full_Name: George Tzanetis
Version: 2.4.23 stable
OS: Red Hat Enterprise 5.5
URL:
Submission from: (NULL) (62.169.213.126)

I have built openldap 2.4.23 with the back-ndb in 4 machines. I created the slapd.conf as follows:

pidfile /usr/local/openldap/var/run/slapd.pid
argsfile /usr/local/openldap/var/run/slapd.args

#######################################################################
# NDB database definitions
#######################################################################
#NDB database definitions
database ndb
suffix "dc=example,dc=gr"
rootdn "cn=root,dc=example,dc=gr"
rootpw secret
dbconnect 192.168.6.11
dbhost 192.168.6.12
dbport 3306
dbname openldap
dbuser ldapUser
dbpass "1234"
dbconnections 3
dbsocket /tmp/mysql.sock
attrblob description
index uid

#######################################################################
# Monitor Database definitions
#######################################################################
database monitor

loglevel 5

My problem is that I can authenticate to the ldap with any password for the cn=root,dc=example,dc=gr (rootdn) user, as long as I specify a password. To make it clearer, all the following ldapsearches work:

ldapsearch -h 192.168.6.10 -b 'dc=example,dc=gr' -w secret1 -D "cn=root,dc=example,dc=gr"
ldapsearch -h 192.168.6.10 -b 'dc=example,dc=gr' -w secret -D "cn=root,dc=example,dc=gr"
ldapsearch -h 192.168.6.10 -b 'dc=example,dc=gr' -w sec -D "cn=root,dc=example,dc=gr"
ldapsearch -h 192.168.6.10 -b 'dc=example,dc=gr' -w " " -D "cn=root,dc=example,dc=gr"

If I do not specify a password (i.e. the -w flag is omitted) I get the message:

ldap_bind: Server is unwilling to perform (53)
additional info: unauthenticated bind (DN with no password) disallowed

In addition, if I don't input the correct rootdn user, I get the message:

ldap_bind: Invalid credentials (49)

This behavior exists in all instances of openldap with ndb as back-end. I did some more testing, and I built openldap with the bdb and ndb backends. The issue appears only for the suffix that is stored in the ndb back-end and not for the bdb back-end, so there must be something wrong with the bind operation of slapd-ndb. Finally, I would like to state that with slapd-ndb, all the ldapsearches / modifications / deletions are performed correctly, even if the rootpw password is wrong.
Date: Wed, 29 Sep 2010 16:37:20 +0200
From: Pierangelo Masarati <masarati@aero.polimi.it>
To: gtzanetis@pylones.gr, openldap-its@openldap.org
Subject: ITS#6661
Please try back-ndb/bind.cpp 1.5->1.6 from HEAD's CVS. Thanks for the report. p.
From: George Tzanetis <gtzanetis@pylones.gr>
To: "openldap-its@openldap.org" <openldap-its@openldap.org>
Subject: (ITS#6661)
Date: Thu, 30 Sep 2010 07:37:12 +0000
Hi,

I built openldap using the new code. The rootpw now works, but if a wrong password is used in an ldap query, then the ldap query process locks.

e.g.:
with rootdn: 'cn=root,dc=example,dc=gr'
and rootpw: secret

-when rootdn and rootpw are correct:
ldapwhoami -h 192.168.6.10 -D 'cn=root,dc=example,dc=gr' -w 'secret'
>dn:cn=root,dc=example,dc=gr

-when rootdn is wrong:
ldapwhoami -h 192.168.6.10 -D 'cn=root,dc=example,dc=com' -w 'secret'
>ldap_bind: Invalid credentials (49)

-when rootdn is correct and rootpw is wrong:
ldapwhoami -h 192.168.6.10 -D 'cn=root,dc=example,dc=com' -w 'secret1'
"NO RESULT, the ldapwhoami locks"

Here are the logs of the slapd process:

###################################
#with correct rootdn & rootpw #
###################################
daemon: activity on 1 descriptor
daemon: activity on:
slap_listener_activate(8):
daemon: epoll: listen=7 active_threads=0 tvp=NULL
daemon: epoll: listen=8 busy
>>> slap_listener(ldap:///)
daemon: activity on 1 descriptor
daemon: activity on:
daemon: epoll: listen=7 active_threads=0 tvp=NULL
daemon: epoll: listen=8 active_threads=0 tvp=NULL
daemon: listen=8, new connection on 23
daemon: activity on 1 descriptor
daemon: activity on: 23r
daemon: read active on 23
daemon: added 23r (active) listener=(nil)
daemon: epoll: listen=7 active_threads=0 tvp=NULL
daemon: epoll: listen=8 active_threads=0 tvp=NULL
daemon: activity on 1 descriptor
daemon: activity on:
daemon: epoll: listen=7 active_threads=0 tvp=NULL
daemon: epoll: listen=8 active_threads=0 tvp=NULL
conn=1000 fd=23 ACCEPT from IP=192.168.6.10:47722 (IP=0.0.0.0:389)
connection_get(23)
connection_get(23): got connid=1000
connection_read(23): checking for input on id=1000
ber_get_next
ldap_read: want=8, got=8
ldap_read: want=36, got=36
ber_get_next: tag 0x30 len 42 contents:
ber_dump: buf=0x1d047ee0 ptr=0x1d047ee0 end=0x1d047f0a len=42
op tag 0x60, time 1285831215
ber_get_next
ldap_read: want=8 error=Resource temporarily unavailable
daemon: activity on 1 descriptor
daemon: activity on:
daemon: epoll: listen=7 active_threads=0 tvp=NULL
daemon: epoll: listen=8 active_threads=0 tvp=NULL
conn=1000 op=0 do_bind
ber_scanf fmt ({imt) ber:
ber_dump: buf=0x1d047ee0 ptr=0x1d047ee3 end=0x1d047f0a len=39
ber_scanf fmt (m}) ber:
ber_dump: buf=0x1d047ee0 ptr=0x1d047f01 end=0x1d047f0a len=9
>>> dnPrettyNormal: <cn=root,dc=example,dc=gr>
=> ldap_bv2dn(cn=root,dc=example,dc=gr,0)
<= ldap_bv2dn(cn=root,dc=example,dc=gr)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(cn=root,dc=example,dc=gr)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(cn=root,dc=example,dc=gr)=0
<<< dnPrettyNormal: <cn=root,dc=example,dc=gr>, <cn=root,dc=example,dc=gr>
conn=1000 op=0 BIND dn="cn=root,dc=example,dc=gr" method=128
do_bind: version=3 dn="cn=root,dc=example,dc=gr" method=128
==> ndb_back_bind: dn: cn=root,dc=example,dc=gr
conn=1000 op=0 BIND dn="cn=root,dc=example,dc=gr" mech=SIMPLE ssf=0
do_bind: v3 bind: "cn=root,dc=example,dc=gr" to "cn=root,dc=example,dc=gr"
send_ldap_result: conn=1000 op=0 p=3
send_ldap_result: err=0 matched="" text=""
send_ldap_response: msgid=1 tag=97 err=0
ber_flush2: 14 bytes to sd 23
ldap_write: want=14, written=14
conn=1000 op=0 RESULT tag=97 err=0 text=
daemon: activity on 1 descriptor
daemon: activity on: 23r
daemon: read active on 23
daemon: epoll: listen=7 active_threads=0 tvp=NULL
daemon: epoll: listen=8 active_threads=0 tvp=NULL
connection_get(23)
connection_get(23): got connid=1000
connection_read(23): checking for input on id=1000
ber_get_next
ldap_read: want=8, got=8
ldap_read: want=24, got=24
ber_get_next: tag 0x30 len 30 contents:
ber_dump: buf=0x1d045c10 ptr=0x1d045c10 end=0x1d045c2e len=30
op tag 0x77, time 1285831215
ber_get_next
ldap_read: want=8 error=Resource temporarily unavailable
daemon: activity on 1 descriptor
daemon: activity on:
daemon: epoll: listen=7 active_threads=0 tvp=NULL
daemon: epoll: listen=8 active_threads=0 tvp=NULL
conn=1000 op=1 do_extended
ber_scanf fmt ({m) ber:
ber_dump: buf=0x1d045c10 ptr=0x1d045c13 end=0x1d045c2e len=27
conn=1000 op=1 EXT oid=1.3.6.1.4.1.4203.1.11.3
do_extended: oid=1.3.6.1.4.1.4203.1.11.3
conn=1000 op=1 WHOAMI
send_ldap_extended: err=0 oid= len=26
send_ldap_response: msgid=2 tag=120 err=0
ber_flush2: 42 bytes to sd 23
ldap_write: want=42, written=42
conn=1000 op=1 RESULT oid= err=0 text=
daemon: activity on 1 descriptor
daemon: activity on: 23r
daemon: read active on 23
daemon: epoll: listen=7 active_threads=0 tvp=NULL
daemon: epoll: listen=8 active_threads=0 tvp=NULL
connection_get(2
Date: Thu, 30 Sep 2010 13:04:08 +0200 (CEST)
Subject: ITS#6661 (Was: FW: (6661))
From: masarati@aero.polimi.it
To: "George Tzanetis" <gtzanetis@pylones.gr>
Cc: openldap-its@openldap.org
> Hi Pierangelo,
>
> I replied to the ticket's list but I forgot to include your address.
>
> Here is my reply if you care to read it,
>
> Regards,
> George
>
> -----Original Message-----
> From: George Tzanetis
> Sent: Thursday, September 30, 2010 10:37 AM
> To: 'openldap-its@openldap.org'
> Subject: (ITS#6661)
>
> Hi,
>
> I built openldap using the new code. The rootpw now works, but if a wrong
> password in an ldap query, then the ldap query process locks.
>
> e.g.:
> with rootdn: 'cn=root,dc=example,dc=gr'
> and rootpw: secret
>
> -when rootdn and rootpw are correct:
> ldapwhoami -h 192.168.6.10 -D 'cn=root,dc=example,dc=gr' -w 'secret'
>>dn:cn=root,dc=example,dc=gr
>
> -when rootdn is wrong:
> ldapwhoami -h 192.168.6.10 -D 'cn=root,dc=example,dc=com' -w 'secret'
>>ldap_bind: Invalid credentials (49)
>
> -when rootdn is correct and rootpw is wrong
> ldapwhoami -h 192.168.6.10 -D 'cn=root,dc=example,dc=com' -w 'secret1'
> "NO RESULT, the ldapwhoami locks"
>
> Here are the logs of the slapd process:
> [slapd debug output identical to the previous message]
From: George Tzanetis <gtzanetis@pylones.gr>
To: "masarati@aero.polimi.it" <masarati@aero.polimi.it>
CC: "openldap-its@openldap.org" <openldap-its@openldap.org>
Subject: RE: ITS#6661 (Was: FW: (6661))
Date: Thu, 30 Sep 2010 11:49:49 +0000
Yes, it is fixed.

But in your fix, only the rootpw password works. If we also have the rootdn stored as a dn inside the ldap tree, then openldap does not try to bind to the dn in the tree if the rootpw is incorrect.

If we use the same code segment of bind.cpp written for back-bdb, which is:

/* allow noauth binds */
switch ( be_rootdn_bind( op, NULL ) ) {
case LDAP_SUCCESS:
	/* frontend will send result */
	return rs->sr_err;
default:
	break;
}

and the rootpw is not matched, then slapd will continue to search the ldap tree and if it finds a dn and its userPassword matches, then it authenticates. If an appropriate dn / password is not found in the tree, then it throws the invalid credentials error.

Maybe the bind-dbd way is more correct?
Date: Thu, 30 Sep 2010 14:28:54 +0200 (CEST)
Subject: RE: ITS#6661 (Was: FW: (6661))
From: masarati@aero.polimi.it
To: "George Tzanetis" <gtzanetis@pylones.gr>
Cc: "openldap-its@openldap.org" <openldap-its@openldap.org>
Should be fine now. The whole thing originated from the fact that be_rootdn_bind() was passed a NULL SlapReply* without handling results accordingly.

Thanks, p.

> Yes it is fixed,
>
> But in your fix, only the rootpw password works. If we have the rootdn
> also as a dn stored inside the ldap tree then openldap does not tries to
> bind to the dn of the tree if the rootpw is incorrect
>
> if we use the same code segment of bind.cpp written for back-bdb which is:
>
> /* allow noauth binds */
> switch ( be_rootdn_bind( op, NULL ) ) {
> case LDAP_SUCCESS:
>         /* frontend will send result */
>         return rs->sr_err;
> default:
>         break;
> }
> And the rootpw is not matched, then slapd will continue to search the ldap
> tree and if it finds a dn and its userPassword matches, then it
> authenticates. If an appropriate dn / password is not found in the tree,
> then it throughs the invalid credentials error.
>
> Maybe the bind-dbd way is more correct?
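The three behaviours George reports under the intermediate fix (correct rootpw binds, wrong rootdn gets 49, correct rootdn with wrong rootpw hangs) and the back-bdb fall-through that resolves them, as a constructed C model added here; it is not OpenLDAP's code. The names be_rootdn_bind, SlapReply and send_ldap_result mirror slapd's, but their bodies, the rootdn/rootpw values and the tree entry are assumptions made for the example.

```c
#include <string.h>
/* Constructed model of the bind dispatch discussed in this ticket, not OpenLDAP's
 * code: the names mirror slapd's (be_rootdn_bind, SlapReply, send_ldap_result) but
 * their bodies, the rootdn/rootpw and the tree entry are assumptions for the example. */
#define LDAP_SUCCESS             0
#define LDAP_INVALID_CREDENTIALS 49
#define NO_RESULT_SENT           (-1) /* client never receives a BindResponse */
typedef struct { const char *dn, *cred; } Operation;
typedef struct { int sr_err, sent; } SlapReply;
static const char *rootdn = "cn=root,dc=example,dc=gr", *rootpw = "secret";
/* The rootdn also exists as a tree entry with its own userPassword (assumed). */
static const char *tree_dn = "cn=root,dc=example,dc=gr", *tree_pw = "treepw";
static void send_ldap_result(SlapReply *rs, int err) { rs->sr_err = err; rs->sent = 1; }
static int is_root_dn(const char *dn) { return strcmp(dn, rootdn) == 0; }
/* Modelled contract: with a non-NULL rs the helper sends the result itself;
 * with rs == NULL it only returns the code and the caller must act on it. */
static int be_rootdn_bind(Operation *op, SlapReply *rs) {
    int rc = (is_root_dn(op->dn) && strcmp(op->cred, rootpw) == 0)
             ? LDAP_SUCCESS : LDAP_INVALID_CREDENTIALS;
    if (rs) send_ldap_result(rs, rc);
    return rc;
}
/* Database lookup: checks the entry's userPassword and always sends a result. */
static int tree_bind(Operation *op, SlapReply *rs) {
    int ok = strcmp(op->dn, tree_dn) == 0 && strcmp(op->cred, tree_pw) == 0;
    send_ldap_result(rs, ok ? LDAP_SUCCESS : LDAP_INVALID_CREDENTIALS);
    return rs->sr_err;
}
/* Broken caller: passes NULL and returns the failure code without sending a
 * result, so a wrong rootpw leaves the client waiting (the reported "lock"). */
static int ndb_bind_broken(Operation *op, SlapReply *rs) {
    if (is_root_dn(op->dn)) return be_rootdn_bind(op, NULL);
    return tree_bind(op, rs);
}
/* Fixed caller (the back-bdb pattern quoted in the ticket): short-circuit only
 * on LDAP_SUCCESS, otherwise fall through to the tree, which always answers. */
static int ndb_bind_fixed(Operation *op, SlapReply *rs) {
    switch (be_rootdn_bind(op, NULL)) {
    case LDAP_SUCCESS: return LDAP_SUCCESS; /* frontend will send result */
    default: return tree_bind(op, rs);
    }
}
/* Frontend model: it sends the result itself only on success; a failure must
 * already have been sent by the backend, otherwise the client hangs. */
static int try_bind(int (*handler)(Operation *, SlapReply *), const char *dn, const char *cred) {
    Operation op = { dn, cred };
    SlapReply rs = { 0, 0 };
    int rc = handler(&op, &rs);
    if (rc == LDAP_SUCCESS && !rs.sent) send_ldap_result(&rs, rc);
    return rs.sent ? rs.sr_err : NO_RESULT_SENT;
}
```

With the fixed dispatcher a rootdn that is also stored in the tree can still bind with its userPassword, which is the case George raises in his last message.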
______________ © Copyright 2013, OpenLDAP Foundation, info@OpenLDAP.org