Ticket #110 (closed defect: fixed)

Opened 2 years ago

Last modified 22 months ago

RFE: limiting Directory Manager (nsslapd-rootdn) bind access by source host (e.g. 127.0.0.1)

Reported by: mkosek Owned by: mreynolds
Priority: major Milestone: 1.2.11.5
Component: Security - Access Control (ACL) Version:
Keywords: Cc: rmeggins
Blocked By: Blocking:
Review: ack Ticket origin:
Red Hat Bugzilla: 458187, 834052

Description

https://bugzilla.redhat.com/show_bug.cgi?id=458187

Description of problem:

The Directory Manager account (the one whose DN is specified in dse.ldif as
nsslapd-rootdn) is a dangerously privileged account.

Access control does not apply to this user and compromising its DN and password
gives full control over the directory server.

Therefore, it would be desirable to limit this user's bind access based on some
additional criteria, in addition to the knowledge of the password.

Limits based on the source host (e.g. localhost) and/or time of day (e.g. only
work hours) would be very useful.

Currently an attacker can easily mount a brute force guessing attack on the
Directory Manager account over the network and if he succeeds, he practically
has full control over the directory server. The only defense against this is by
using a very long manager password and hard to guess rootdn which may be
somewhat unpractical.

This problem is especially significant for LDAP servers accessible from public
networks.

Additional info:

Note that in OpenLDAP this is possible using the following ACL:

access to dn.base="cn=Manager,o=Example"
 by peername.regex=127\.0\.0\.1 auth
 by users none
 by anonymous none


This ACL however requires creating a concrete LDAP entry that corresponds to
rootdn, setting a userPassword in taht entry, and leaving the rootpw in
OpenLDAP configuration undefined. This way the concrete userPassword is used
when binding and is subject to that ACL which only allows access from
connections that origin from 127.0.0.1.

More details:
http://www.openldap.org/faq/data/cache/761.html
http://www.openldap.org/lists/openldap-software/200711/msg00342.html

Attachments

0001-Ticket-110-RFE-limiting-root-DN-by-host-IP-time-of-d.patch (54.6 KB) - added by mreynolds 2 years ago.

Change History

comment:1 Changed 2 years ago by rmeggins

  • Milestone changed from NEEDS_TRIAGE to FUTURE

batch update to FUTURE milestone

comment:2 Changed 2 years ago by rmeggins

  • Owner rmeggins deleted

comment:3 Changed 2 years ago by nkinder

  • Milestone changed from FUTURE to 1.3.0.rc1

comment:4 Changed 2 years ago by rmeggins

  • Milestone changed from 1.3.0.rc1 to 1.2.11

comment:5 Changed 2 years ago by mreynolds

  • Status changed from new to assigned
  • Owner set to mreynolds

comment:6 Changed 2 years ago by mreynolds

  • Review changed from Needs Review to review?

Created a new plugin to handle root DN access:

dn: cn=RootDN Access Control,cn=plugins,cn=config
objectclass: top
objectclass: nsSlapdPlugin
objectclass: extensibleObject
cn: RootDN Access Control
nsslapd-pluginpath: librootdn-access-plugin.so
nsslapd-plugininitfunc: rootdn_init
nsslapd-plugintype: rootdnpreoperation
nsslapd-pluginenabled: on
nsslapd-plugin-depends-on-type: database
nsslapd-pluginid: rootdn-access-control
rootdn-open-time: 0800
rootdn-close-time: 1700
rootdn-days-allowed: Mon, Tue, Wed, Thu, Fri
rootdn-allow-host: *.redhat.com
rootdn-allow-host: *.fedora.com
rootdn-deny-host: dangerous.boracle.com
rootdn-allow-ip: 127.0.0.1
rootdn-allow-ip: 2000:db8:de30::11
rootdn-deny-ip: 192.168.1.*

Deny rules always override allow rules, sending out for review...

comment:7 Changed 2 years ago by rmeggins

Was it necessary to invent a new type of plugin? Could this be done in a regular bind preop plugin?

comment:8 Changed 2 years ago by rmeggins

  • Cc rmeggins added

comment:9 Changed 2 years ago by mreynolds

Actually I originally had it as an internalpreoperation plugin, but then I thought having a new plugin type would be faster, less plugins to loop through, and it would allow for future enhancements around rootdn specific tasks.

comment:10 Changed 2 years ago by rmeggins

I would prefer not to have another plugin type. Yes, it would have to be both an internalpreoperation and a preoperation BIND plugin. If there is some performance problem with looping through plugins then 1) you could make the rootdn plugin have the highest precedence so that it is called first and can abort the operation before other plugins are run 2) we should improve the plugin performance so this isn't a bottleneck.

comment:11 Changed 2 years ago by mreynolds

There was not a performance problem, I was just trying to make it as efficient as possible since rootdn is used a lot.

I'll change it back to an internalpreoperation/prebind plugin. I was just thinking if we had a new plugin type, it would open up future options of things that we could do specific to root dn's.

comment:12 Changed 2 years ago by rmeggins

I would rather not have a plugin type that is specific to rootdns. Instead, I would rather extend our current ACI/ACL model to include the rootdn and BIND operations. But I think for now, a special purpose preoperation/internalpreoperation BIND plugin should suffice.

comment:13 Changed 2 years ago by rmeggins

  • Review changed from review? to ack

comment:14 Changed 2 years ago by mreynolds

  • Resolution set to fixed
  • Status changed from assigned to closed

git merge ticket110

Updating c3dc979..c61ee8e
Fast-forward

Makefile.am | 13 +-
Makefile.in | 50 ++-
ldap/ldif/template-dse.ldif.in | 11 +
ldap/servers/plugins/rootdn_access/rootdn_access.c | 663 ++++++++++++++++++++
ldap/servers/plugins/rootdn_access/rootdn_access.h | 57 ++
ldap/servers/slapd/bind.c | 34 +-
ldap/servers/slapd/pblock.c | 14 +
ldap/servers/slapd/plugin.c | 11 +-
ldap/servers/slapd/slap.h | 2 +
ldap/servers/slapd/slapi-plugin.h | 3 +
10 files changed, 846 insertions(+), 12 deletions(-)
create mode 100644 ldap/servers/plugins/rootdn_access/rootdn_access.c
create mode 100644 ldap/servers/plugins/rootdn_access/rootdn_access.h

[mareynol@localhost servers]$ git push origin master
Counting objects: 32, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (18/18), done.
Writing objects: 100% (18/18), 9.66 KiB, done.
Total 18 (delta 13), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git

c3dc979..c61ee8e master -> master

comment:15 Changed 2 years ago by rmeggins

  • Milestone changed from 1.2.11 to 1.2.11.5

comment:16 Changed 23 months ago by rmeggins

comment:17 Changed 22 months ago by nkinder

  • Red Hat Bugzilla changed from [https://bugzilla.redhat.com/show_bug.cgi?id=458187 458187] to [https://bugzilla.redhat.com/show_bug.cgi?id=458187 458187], [https://bugzilla.redhat.com/show_bug.cgi?id=834052 834052]

Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=834052

comment:18 Changed 20 months ago by nkinder

  • screened set to 1

Added initial screened field value.

Note: See TracTickets for help on using tickets.