
Re: unauthenticated bind



Disallowing them completely may break some current client and server implementations. I remember some people (maybe Mark Smith) from Netscape saying that they use the mechanism as some way of voluntary auditing or some such.
 
I prefer the compromise solution brought up in yesterday's meeting where part of the note is moved into the main body of the document with a pointer to the security considerations which contains the reasons why.
 
Jim

>>> John McMeeking <jmcmeek@us.ibm.com> 11/12/03 8:51:21 AM >>>




In my limited experience with RFCs I haven't had to deal with requirements
like "MUST by default do ..." or "default configuration MUST do ...". My
first reaction is to read this as if the "default" wording was missing.
But upon further thought...

I have no problem with disallowing unauthenticated binds as proposed, or
even disallowing them completely.


John McMeeking




Chris Newman <Chris.Newman@Sun.COM>
Sent by: owner-ietf-ldapbis@OpenLDAP.org
To: ietf-ldapbis@OpenLDAP.org
cc:
Subject: unauthenticated bind
11/11/2003 01:43 PM

LDAP is often used as the authentication store for other services (e.g.,
mail services). These services use LDAP to validate passwords.

I have seen many cases where shipping software does a simple bind to test
if a user's password is valid and due to unauthenticated bind, this will
always succeed with an empty password and allow an attacker to access every
account.

The example code in Tim Howes's book for exactly this purpose has exactly
this bug, so we will never get rid of this security hole in LDAP by fixing
the client code because we'll always have new client code with this bug.

The only way to fix this LDAP security hole properly is to disallow
unauthenticated bind on the server (I have no problem with anonymous bind).

Currently, this text is buried in the security considerations section of
the authmeth draft with a fairly weak "SHOULD".

The requirement should be in section 6.1 of authmeth and should be a "MUST
by default reject authentication requests that have a DN with an empty
password".

- Chris
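The failure mode Chris describes above, as an added example that is not part of the thread and not any LDAP implementation's code: a small model of the simple-bind decision (anonymous when both name and password are empty, unauthenticated when the name is present but the password is empty, name/password authentication otherwise) with a switch for whether the server accepts unauthenticated binds, beside the two client patterns the message contrasts. The `SimpleBindServer` class, its `allow_unauthenticated` flag, the `DIRECTORY` entries and the DNs and passwords are all constructed for this example.

```python
"""Model of LDAP simple bind outcomes and of a password-validating client.

Constructed for illustration; the server is a stand-in for the bind
decision only, not a real LDAP implementation.
"""
from dataclasses import dataclass, field

# Constructed directory: DN -> plaintext password (a real server stores hashes).
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=org": "correct horse battery staple",
    "uid=bob,ou=people,dc=example,dc=org": "hunter2",
}


@dataclass
class BindResult:
    success: bool
    kind: str  # "anonymous", "unauthenticated", "authenticated" or "invalidCredentials"


@dataclass
class SimpleBindServer:
    """Three forms of simple bind, as the thread uses the terms:
    - name empty, password empty      -> anonymous bind (always allowed here)
    - name present, password empty    -> unauthenticated bind
    - name present, password present  -> name/password authentication
    allow_unauthenticated is the setting the message asks to be off by default.
    """
    allow_unauthenticated: bool = False
    directory: dict = field(default_factory=lambda: dict(DIRECTORY))

    def bind(self, name: str, password: str) -> BindResult:
        if name == "" and password == "":
            return BindResult(True, "anonymous")
        if name != "" and password == "":
            if self.allow_unauthenticated:
                # Succeeds without checking the DN or any credential at all.
                return BindResult(True, "unauthenticated")
            return BindResult(False, "invalidCredentials")
        if self.directory.get(name) == password:
            return BindResult(True, "authenticated")
        return BindResult(False, "invalidCredentials")


def naive_check_password(server: SimpleBindServer, dn: str, password: str) -> bool:
    """The pattern the thread warns about: any successful bind is taken as
    proof that the supplied password is the user's password."""
    return server.bind(dn, password).success


def hardened_check_password(server: SimpleBindServer, dn: str, password: str) -> bool:
    """Client-side fix: never test an empty password, and only accept a bind
    that actually performed name/password authentication."""
    if not dn or not password:
        return False
    return server.bind(dn, password).kind == "authenticated"


def demo() -> dict:
    """Runs both clients against a server that allows unauthenticated bind
    and one that rejects it by default; returns the outcomes by label."""
    lenient = SimpleBindServer(allow_unauthenticated=True)
    strict = SimpleBindServer(allow_unauthenticated=False)
    alice = "uid=alice,ou=people,dc=example,dc=org"
    return {
        # The hole: empty password "validates" on a lenient server.
        "naive_lenient_empty": naive_check_password(lenient, alice, ""),
        # Server default proposed in the thread closes it for every client.
        "naive_strict_empty": naive_check_password(strict, alice, ""),
        # Client-side guard closes it even on a lenient server.
        "hardened_lenient_empty": hardened_check_password(lenient, alice, ""),
        "hardened_lenient_right": hardened_check_password(
            lenient, alice, "correct horse battery staple"),
        "hardened_lenient_wrong": hardened_check_password(lenient, alice, "wrong"),
        # Anonymous bind is untouched by either setting.
        "anonymous_on_strict": strict.bind("", "").kind,
    }


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label}: {outcome}")
```

The point of the two servers is the one the message makes: the hardened client protects itself, but a deployment only stops depending on every client getting this right once the server rejects the name-with-empty-password form by default, while leaving the fully anonymous bind alone.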