[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: LDAP Root for dc style naming

At 10:12 AM 1/15/00 +1100, David J N Begley wrote:
>On Fri, 14 Jan 2000, Kurt D. Zeilenga wrote:
>> At 11:15 PM 1/14/00 +1100, David J N Begley wrote:
>> >Further, I'd be wary of allowing the "well known aliases" approach as it could
>> >lead to the same problem that happened when Squid used to (by default,
>> >regardless what the config said) automatically "announce" every proxy to a
>> >central source (lots of proxies were being used as peers without their
>> >permission, before the respective admins worked their way up the learning
>> >curve to apply ACLs).
>> Did Squid modify DNS records automatically?  I think this be a different
>> issue.
>No it didn't, but the end result was the same. 

No. These issues are complete differnet.  Protection of a local
service, be it squid or slapd and use of published information.
If you bring up a local service, you need to take appropriate steps
to protect it.

In this case, the latter is the issue.  If you publish www.openldap.org,
then you shouldn't be surprised to get HHTP connnections to whatever
host www.openldap.org refers to.  If you publish ldap.openldap.org,
then you shouldn't be surprised to get LDAP connections...

Where the former is:  If you put a host on the Internet, you
shouldn't be surpised if it's accessed by others.

> First, let me make clear that
>I'm voicing a valid security concern,

Though I agree that one must take appropriate steps to protect
directories adequately for the environment they operate in, I
do not agree that applications should not safely (from the
application perspective) use published information.  If you
make information public, then it will be used.  Security by
obsurity is no security, security by "we didn't mean for it
to be used that way" is no security.

>but have not yet convinced myself one
>way or t'other as to whether or not the concern is worth the bother.

>That's why I raise the issue here (as caution, more than anything

I think this caution is belongs more in the admin guides of various
LDAP servers...

>Anyone setting up an unprotected LDAP directory has already opened
>that service up to the Internet;  however, few people scan the DNS or
>port-scan IP networks looking for LDAP servers specifically - but a referral
>backend such as suggested would make it sufficiently "easy" for more people to
>do this.

The methods for discovering LDAP services is well documented
(hopefully soon an RFC).   Use of such methods is quite common.

One can only assume that information published by local
administrators was meant to be used.  Though I don't recommend
security by obsucurity, those wishing to keep their services
obsure should not publish information of how to locate such
said services.

>Ack - but how many people go 'round scanning DNS zones specifically for the
>"ldap.<domain>" host?

Any and all who want to locate <domain>'s LDAP service....
How many people go 'round scanning DNS zones specifically for
"www.<domain>" host?

>As with the Squid problem, it can be done anyway but
>"the problem" wasn't a problem as such until something made it easier for more
>people to exploit it.

I disagree.  The problem was always there, just not often exploited.

>> A root would provide referrals to any and all which have SRV or well known
>> aliases established in their DNS zones.
>The assumption you've made is that the presence of these records is an
>automatic invitation to the entire Internet;  this is the point that I think I
>can't quite get 'round just yet.

If you don't want to invite the entire Internet, don't advertise records
specifically designed to allow the Internet to locate said service.  SRV
and well known aliases are well established means of advertising services
to the entire Internet.  (This is why they are called "well known
aliases" and "service records").

>> Well, if directory intend to have SRV or well known aliases established
>> then they should adhere to established practices.  Both practices are in
>> use and are in the process of being documented.  Those operating
>> directories on the Internet are presumed to be aware of these practices.  
>> If not, well, they'll get some curious log messages...
>Are you suggesting that the referral would include URLs to both naming styles?

No.  I am saying that the "root" server may return a referral to
a server which doesn't actually hold the desired DN.  The client
may get a noSuchObject or a referral when chasing a referral
returned by the "root" server.

Kurt D. Zeilenga		<kurt@boolean.net>
Net Boolean Incorporated	<http://www.boolean.net/>