[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ssf Security Question

To: Kaya Saman <kayasaman@gmail.com>, openldap-technical@openldap.org
Subject: Re: ssf Security Question
From: William Brown <wibrown@redhat.com>
Date: Fri, 17 Nov 2017 12:53:01 +1000
In-reply-to: <55f77c41-37ac-f956-6771-ea08e1de2847@gmail.com>
References: <55f77c41-37ac-f956-6771-ea08e1de2847@gmail.com>

On Tue, 2017-11-14 at 20:56 +0000, Kaya Saman wrote:
> Hi,
> 
> 
> I am a little confused with this. Basically I have a client
> connecting 
> to the database, a DECT IP phone base station which doesn't support 
> STARTLS and my slapd config has settings for clients to use
> certificates 
> to connect.
> 
> 
> What would be the best way to set this up so that the DECT IP client 
> only accesses the particular place that it needs to, the AddressBook 
> section but then other clients will need to use STARTTLS for
> everything 
> else??
> 
> 
> Currently I am looking at:
> 
> https://www.openldap.org/doc/admin24/security.html
> 
> 
> https://www.openldap.org/doc/admin24/access-control.html
> 
> 
> and have currently put this in my slapd.conf:
> 
> 
> #Removed the Global? security clause
> 
> #security ssf=128
> 
> 
> #Added generic ACL for all access to require ssf of 128
> 
> access to *
>          by ssf=128 self write
>      by ssf=128 anonymous auth
>      by ssf=128 users read
> 
> 
> #Added ACL for open access to AddressBook in Read and Search only
> mode
> 
> access to dn.children="ou=AddressBook,dc=domain,dc=com"
>      by * search
>      by * read
> 
> 
> Is this correct or do I need to engage the "security" Global section
> too?
> 
> 
> Though the documentation suggests otherwise: "For fine-grained
> control, 
> SSFs may be used in access controls. See theAccess Control 
> <https://www.openldap.org/doc/admin24/access-control.html>section
> for 
> more information."
> 
> 

Hey mate,

Just want to point out there are some security risks with ssf settings.
I have documented these here:

https://fy.blackhats.net.au/blog/html/2016/11/23/the_minssf_trap.html

This is a flaw in the ldap protocol and can never be resolved without
breaking the standard. The issue is that by the time the ssf check is
done, you have already cleartexted sensitive material.

I would advise that you use LDAPS with TLS instead, or provide suitable
access control over your network segments to prevent these issues.
Relying on SSF can allow data leaks from misconfigured clients.

Hope that helps, 


-- 
Sincerely,

William Brown
Software Engineer
Red Hat, Australia/Brisbane

Follow-Ups:
- Re: ssf Security Question
  - From: Michael Ströder <michael@stroeder.com>

References:
- ssf Security Question
  - From: Kaya Saman <kayasaman@gmail.com>

Prev by Date: Re: One account for modifying directory and wiki
Next by Date: Re: ssf Security Question
Index(es):
- Chronological
- Thread