https://bugzilla.redhat.com/show_bug.cgi?id=458187
Description of problem: The Directory Manager account (the one whose DN is specified in dse.ldif as nsslapd-rootdn) is a dangerously privileged account. Access control does not apply to this user and compromising its DN and password gives full control over the directory server. Therefore, it would be desirable to limit this user's bind access based on some additional criteria, in addition to the knowledge of the password. Limits based on the source host (e.g. localhost) and/or time of day (e.g. only work hours) would be very useful. Currently an attacker can easily mount a brute force guessing attack on the Directory Manager account over the network and if he succeeds, he practically has full control over the directory server. The only defense against this is by using a very long manager password and hard to guess rootdn which may be somewhat unpractical. This problem is especially significant for LDAP servers accessible from public networks. Additional info: Note that in OpenLDAP this is possible using the following ACL: access to dn.base="cn=Manager,o=Example" by peername.regex=127\.0\.0\.1 auth by users none by anonymous none This ACL however requires creating a concrete LDAP entry that corresponds to rootdn, setting a userPassword in taht entry, and leaving the rootpw in OpenLDAP configuration undefined. This way the concrete userPassword is used when binding and is subject to that ACL which only allows access from connections that origin from 127.0.0.1. More details: http://www.openldap.org/faq/data/cache/761.html http://www.openldap.org/lists/openldap-software/200711/msg00342.html
batch update to FUTURE milestone
Created a new plugin to handle root DN access:
dn: cn=RootDN Access Control,cn=plugins,cn=config objectclass: top objectclass: nsSlapdPlugin objectclass: extensibleObject cn: RootDN Access Control nsslapd-pluginpath: librootdn-access-plugin.so nsslapd-plugininitfunc: rootdn_init nsslapd-plugintype: rootdnpreoperation nsslapd-pluginenabled: on nsslapd-plugin-depends-on-type: database nsslapd-pluginid: rootdn-access-control rootdn-open-time: 0800 rootdn-close-time: 1700 rootdn-days-allowed: Mon, Tue, Wed, Thu, Fri rootdn-allow-host: *.redhat.com rootdn-allow-host: *.fedora.com rootdn-deny-host: dangerous.boracle.com rootdn-allow-ip: 127.0.0.1 rootdn-allow-ip: 2000:db8:de30::11 rootdn-deny-ip: 192.168.1.*
Deny rules always override allow rules, sending out for review...
Was it necessary to invent a new type of plugin? Could this be done in a regular bind preop plugin?
Actually I originally had it as an internalpreoperation plugin, but then I thought having a new plugin type would be faster, less plugins to loop through, and it would allow for future enhancements around rootdn specific tasks.
I would prefer not to have another plugin type. Yes, it would have to be both an internalpreoperation and a preoperation BIND plugin. If there is some performance problem with looping through plugins then 1) you could make the rootdn plugin have the highest precedence so that it is called first and can abort the operation before other plugins are run 2) we should improve the plugin performance so this isn't a bottleneck.
There was not a performance problem, I was just trying to make it as efficient as possible since rootdn is used a lot.
I'll change it back to an internalpreoperation/prebind plugin. I was just thinking if we had a new plugin type, it would open up future options of things that we could do specific to root dn's.
I would rather not have a plugin type that is specific to rootdns. Instead, I would rather extend our current ACI/ACL model to include the rootdn and BIND operations. But I think for now, a special purpose preoperation/internalpreoperation BIND plugin should suffice.
attachment 0001-Ticket-110-RFE-limiting-root-DN-by-host-IP-time-of-d.patch
git merge ticket110 Updating c3dc979..c61ee8e Fast-forward Makefile.am | 13 +- Makefile.in | 50 ++- ldap/ldif/template-dse.ldif.in | 11 + ldap/servers/plugins/rootdn_access/rootdn_access.c | 663 ++++++++++++++++++++ ldap/servers/plugins/rootdn_access/rootdn_access.h | 57 ++ ldap/servers/slapd/bind.c | 34 +- ldap/servers/slapd/pblock.c | 14 + ldap/servers/slapd/plugin.c | 11 +- ldap/servers/slapd/slap.h | 2 + ldap/servers/slapd/slapi-plugin.h | 3 + 10 files changed, 846 insertions(+), 12 deletions(-) create mode 100644 ldap/servers/plugins/rootdn_access/rootdn_access.c create mode 100644 ldap/servers/plugins/rootdn_access/rootdn_access.h
[mareynol@localhost servers]$ git push origin master Counting objects: 32, done. Delta compression using up to 4 threads. Compressing objects: 100% (18/18), done. Writing objects: 100% (18/18), 9.66 KiB, done. Total 18 (delta 13), reused 0 (delta 0) To ssh://git.fedorahosted.org/git/389/ds.git c3dc979..c61ee8e master -> master
1.2.11 branch changeset:8f17da5/389-ds-base
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=834052
Added initial screened field value.
Metadata Update from @mreynolds: - Issue assigned to mreynolds - Issue set to the milestone: 1.2.11.5
389-ds-base is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in 389-ds-base's github repository.
This issue has been cloned to Github and is available here: - https://github.com/389ds/389-ds-base/issues/110
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
subscribe
Thank you for understanding. We apologize for all inconvenience.
Metadata Update from @spichugi: - Issue close_status updated to: wontfix (was: Fixed)
Login to comment on this ticket.