[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#7045) "ldapsearch -Z" should continue using TLS one cert mis-match

On Sep 18, 2011, at 5:41 PM, Jason_Haar@trimble.com wrote:

> Full_Name: Jason Haar
> Version: 2.4.21
> OS: Fedora
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (
> As you know, LDAP passwords are sent in cleartext unless TLS or SASL are used.

Depending on TLS cipher suites and SASL mechnanism choice, of course.

And you shouldn't be using a cleartext mechanism unless you've first authenticated the server.

> However, "ldapsearch -Z" will fall-back onto cleartext if any form of TLS error
> occurs, even the non-fatal "TLS: hostname does not match CN in peer certificate"
> error.

Actually, ldapsearch(1) does not fall back into cleartext in this case.  The OpenLDAP library, and most servers, wisely don't support stop TLS.

What ldapsearch(1) does is, if told to check certs (the default) and they are bad, is to terminate the session and exit.
> i.e. TLS is attempted, the hostname doesn't match, so ldapsearch tries again not
> using TLS!

No it doesn't.

> This seems wasteful to me. It is still *more secure* to continue the encrypted
> TLS session than to fallback onto cleartext.

No, it's not.  If you continued to use TLS, there is no server authentication.  Use of cleartext mechanism to an unauthenticated server is quite insecure.

Now it might seem that if one said use simple bind w/ password and -Z, that it would be reasonable to assume the user didn't care about server authentication (or data integrity/confidential).   But -Z is designed less for use with simple bind w/ password but with SASL mechanisms.

Now, if you really want to do that, just tell ldapsearch(1) not to do cert checks.

> Web browsers are a good example of
> this: if you connect to a self-signed https site, you can choose to continue -
> as untrusted https is still secured against other attackers. 

And some browsers are stupid enough to do basic authentication without first authenticating the server.
> If a user wants to guarantee the trustworthiness of their ldapsearch session,
> they can use "-ZZ" to achieve that - but I can't see any reason to stop people
> using "-Z" if they want to?

Nothing stops those who don't want cert checks from disabling them.

> (I'm using ldapsearch to dump Active Directory LDAP data via the DNS round-robin
> entry for the domain name: as such the LDAP host *never* matches the hostname
> DNS round-robin gives back - and I don't care - I just don't want the network
> group sniffing my password ;-)

Then you likely should be doing -ZZ (because you care about eavesdropping) while disabling the cert checks (because you seem to not care that you might be sending your password to a man-in-the-middle).

-- Kurt