OSEC

 
From: Peter Werner (peterw_at_ifost.org.au)
Date: Thu Feb 20 2003 - 16:09:36 CST


    Sebastian Stark from Directory Applications for Advanced Security and
    Information Management (http://www.daasi.de) has found a serious issue
    with login_ldap, affecting all versions before 3.3. login_ldap is a BSD
    Authentication module for authenticating users against an LDAP server,
    and runs on OpenBSD and BSD/OS. It is third party software, and is not
    part of OpenBSD or BSD/OS.

    The issue is the one described in the OpenLDAP documentation below:
    login_ldap passed the user's password to the LDAP bind without first
    checking that a password had actually been supplied, and treated any
    successful bind as a successful login. Against a server that accepts
    unauthenticated binds, a bind with a DN but an empty password succeeds
    as an anonymous bind, so such a server would let a user log in with an
    empty password.

    From http://www.openldap.org/doc/admin/security.html

    "An unauthenticated bind results in an anonymous authorization.
    Unauthenticated bind mechanism is disabled by default, but can
    be enabled by specifying "allow bind_anon_cred" in slapd.conf(5).
    As a number of LDAP applications mistakenly generate
    unauthenticated bind request when authenticated access was
    intended (that is, they do not ensure a password was provided),
    this mechanism should generally not be enabled."

    In OpenLDAP 2.0.x, the following bind requests are accepted by default
    and result in an anonymous bind:

     - BIND with DN set but no password provided (bind_anon_dn)
     - BIND with no DN but a password was provided (bind_anon_cred)
     - BIND with no DN and no password (bind_anon)

    You can disable any of those BIND methods by putting 'disallow
    <feature>' into your slapd.conf, where <feature> stands for the
    corresponding keyword given in parentheses above.

    In OpenLDAP 2.1.x all but bind_anon are disabled by default. For an
    authentication service this is probably what most people want.

    login_ldap has been updated to check that a password has been provided.
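    The following is an added example, not login_ldap's own code and not part of
    the original advisory. It models the three anonymous-bind forms listed above
    as a simulated slapd with the bind_anon_dn, bind_anon_cred and bind_anon knobs
    (no libldap is involved; a real module would call ldap_simple_bind_s()), and
    places the vulnerable login pattern (any successful bind counts as a login)
    beside the fixed one (refuse an empty password before binding, and accept only
    an authenticated bind). The directory contents, the DN and the password are
    constructed for the example.

```c
/* Added example: simulated OpenLDAP bind policy and the client-side check.
 * Not login_ldap's code. The "server" below is a stand-in; the DN and
 * password are constructed test data. */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Which anonymous-bind forms the server accepts (the slapd.conf
 * allow/disallow keywords). */
struct slapd_policy {
    bool bind_anon_dn;    /* DN set, no password        */
    bool bind_anon_cred;  /* no DN, but a password sent */
    bool bind_anon;       /* neither DN nor password    */
};

enum bind_result {
    BIND_AUTHENTICATED,     /* DN and password matched            */
    BIND_ANONYMOUS,         /* accepted, but as an anonymous bind */
    BIND_REFUSED,           /* policy disallows this bind form    */
    BIND_INVALID_CREDENTIALS
};

/* Hypothetical directory with a single user (constructed data). */
static const char *KNOWN_DN = "uid=alice,ou=people,dc=example,dc=org";
static const char *KNOWN_PW = "correct horse";

/* Simulated simple bind following the cases in the advisory. */
enum bind_result simulated_bind(const struct slapd_policy *p,
                                const char *dn, const char *pw)
{
    bool have_dn = dn != NULL && dn[0] != '\0';
    bool have_pw = pw != NULL && pw[0] != '\0';

    if (have_dn && have_pw) {
        if (strcmp(dn, KNOWN_DN) == 0 && strcmp(pw, KNOWN_PW) == 0)
            return BIND_AUTHENTICATED;
        return BIND_INVALID_CREDENTIALS;
    }
    if (have_dn)            /* DN, no password: bind_anon_dn   */
        return p->bind_anon_dn ? BIND_ANONYMOUS : BIND_REFUSED;
    if (have_pw)            /* password, no DN: bind_anon_cred */
        return p->bind_anon_cred ? BIND_ANONYMOUS : BIND_REFUSED;
    return p->bind_anon ? BIND_ANONYMOUS : BIND_REFUSED;
}

/* Vulnerable pattern: any bind that does not fail is a login.
 * With bind_anon_dn allowed, an empty password logs the user in. */
bool login_vulnerable(const struct slapd_policy *p, const char *dn, const char *pw)
{
    enum bind_result r = simulated_bind(p, dn, pw);
    return r == BIND_AUTHENTICATED || r == BIND_ANONYMOUS;
}

/* Fixed pattern: never send an empty password, and only accept an
 * authenticated (non-anonymous) bind as proof of identity. */
bool login_fixed(const struct slapd_policy *p, const char *dn, const char *pw)
{
    if (dn == NULL || dn[0] == '\0' || pw == NULL || pw[0] == '\0')
        return false;
    return simulated_bind(p, dn, pw) == BIND_AUTHENTICATED;
}

/* Policies named in the advisory. */
const struct slapd_policy OPENLDAP_20_DEFAULT   = { true,  true,  true  };
const struct slapd_policy OPENLDAP_21_DEFAULT   = { false, false, true  };
/* 'disallow bind_anon' added as well, for a pure authentication service. */
const struct slapd_policy AUTH_SERVICE_HARDENED = { false, false, false };

static void show(const char *label, const struct slapd_policy *p)
{
    printf("%-24s empty pw: vulnerable=%d fixed=%d | real pw: fixed=%d\n",
           label,
           login_vulnerable(p, KNOWN_DN, ""),
           login_fixed(p, KNOWN_DN, ""),
           login_fixed(p, KNOWN_DN, KNOWN_PW));
}

int main(void)
{
    show("OpenLDAP 2.0.x default", &OPENLDAP_20_DEFAULT);
    show("OpenLDAP 2.1.x default", &OPENLDAP_21_DEFAULT);
    show("disallow all anon",      &AUTH_SERVICE_HARDENED);
    return 0;
}
```

    The client-side check is the one that matters: it closes the hole even when
    the server still runs with the 2.0.x defaults, whereas relying on the server
    alone leaves every other client that skips the check exposed.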

    It is available here: http://www.ifost.org.au/~peterw/login_ldap-3.3.tar.gz
    MD5 (login_ldap-3.3.tar.gz) = 52e905d54a136c3d850158f4f7548a3f

    The other main change is that it is no longer installed setuid root; please
    see the README included for more information.

    I would encourage other people writing LDAP applications to check their
    software for this issue. Many thanks to Sebastian for his help with this
    issue, work on a suitable fix and this advisory.

    Peter Werner
    Feb 21, 2003

    --
    IFOST: http://www.ifost.org.au