[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Openldap, kerberos backend, and SASL

Da Rock wrote:
On Wed, 2009-03-04 at 18:20 -0800, Howard Chu wrote:
There is no hole in this wall. An LDAP server is designed to securely process
requests from multiple disparate clients. If your KDC and its host machine are
secure, and the ACLs in your slapd are correct, then the issue is closed. You
cannot bruteforce SASL/EXTERNAL over ldapi://. You can only fool it if you
already have superuser access on the host system, and in that case, you were
lost already anyway.

What about pretending to be a user with access to the socket (like ldap
or the kdc users)? First rule of sysadmin: don't leave open a door that
doesn't need to be open- even an internal one. But if you're talking
about only superuser access on the socket then you're doing this
anyway... :)

What about any client on The Internet with access to port 389 (or whatever TCP port the server is listening on)?? Access control on the socket is irrelevant. Set your ACLs so that only properly authenticated users can access their relevant information and then it doesn't matter what socket they came in on.

ldapi:// is not a superuser-only access mechanism, nor does it need to be.
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/