#110 RFE: limiting Directory Manager (nsslapd-rootdn) bind access by source host (e.g. 127.0.0.1)

Created 5 years ago by mkosek
Modified 3 months ago

https://bugzilla.redhat.com/show_bug.cgi?id=458187

Description of problem:

The Directory Manager account (the one whose DN is specified in dse.ldif as
nsslapd-rootdn) is a dangerously privileged account.

Access control does not apply to this user and compromising its DN and password
gives full control over the directory server.

Therefore, it would be desirable to limit this user's bind access based on some
additional criteria, in addition to the knowledge of the password.

Limits based on the source host (e.g. localhost) and/or time of day (e.g. only
work hours) would be very useful.

Currently an attacker can easily mount a brute force guessing attack on the
Directory Manager account over the network and if he succeeds, he practically
has full control over the directory server. The only defense against this is by
using a very long manager password and hard to guess rootdn which may be
somewhat unpractical.

This problem is especially significant for LDAP servers accessible from public
networks.

Additional info:

Note that in OpenLDAP this is possible using the following ACL:

access to dn.base="cn=Manager,o=Example"
 by peername.regex=127\.0\.0\.1 auth
 by users none
 by anonymous none


This ACL however requires creating a concrete LDAP entry that corresponds to
rootdn, setting a userPassword in taht entry, and leaving the rootpw in
OpenLDAP configuration undefined. This way the concrete userPassword is used
when binding and is subject to that ACL which only allows access from
connections that origin from 127.0.0.1.

More details:
http://www.openldap.org/faq/data/cache/761.html
http://www.openldap.org/lists/openldap-software/200711/msg00342.html

batch update to FUTURE milestone

Created a new plugin to handle root DN access:

dn: cn=RootDN Access Control,cn=plugins,cn=config
objectclass: top
objectclass: nsSlapdPlugin
objectclass: extensibleObject
cn: RootDN Access Control
nsslapd-pluginpath: librootdn-access-plugin.so
nsslapd-plugininitfunc: rootdn_init
nsslapd-plugintype: rootdnpreoperation
nsslapd-pluginenabled: on
nsslapd-plugin-depends-on-type: database
nsslapd-pluginid: rootdn-access-control
rootdn-open-time: 0800
rootdn-close-time: 1700
rootdn-days-allowed: Mon, Tue, Wed, Thu, Fri
rootdn-allow-host: *.redhat.com
rootdn-allow-host: *.fedora.com
rootdn-deny-host: dangerous.boracle.com
rootdn-allow-ip: 127.0.0.1
rootdn-allow-ip: 2000:db8:de30::11
rootdn-deny-ip: 192.168.1.*

Deny rules always override allow rules, sending out for review...

Was it necessary to invent a new type of plugin? Could this be done in a regular bind preop plugin?

Actually I originally had it as an internalpreoperation plugin, but then I thought having a new plugin type would be faster, less plugins to loop through, and it would allow for future enhancements around rootdn specific tasks.

I would prefer not to have another plugin type. Yes, it would have to be both an internalpreoperation and a preoperation BIND plugin. If there is some performance problem with looping through plugins then 1) you could make the rootdn plugin have the highest precedence so that it is called first and can abort the operation before other plugins are run 2) we should improve the plugin performance so this isn't a bottleneck.

There was not a performance problem, I was just trying to make it as efficient as possible since rootdn is used a lot.

I'll change it back to an internalpreoperation/prebind plugin. I was just thinking if we had a new plugin type, it would open up future options of things that we could do specific to root dn's.

I would rather not have a plugin type that is specific to rootdns. Instead, I would rather extend our current ACI/ACL model to include the rootdn and BIND operations. But I think for now, a special purpose preoperation/internalpreoperation BIND plugin should suffice.

git merge ticket110
Updating c3dc979. c61ee8e
Fast-forward
Makefile.am | 13 +-
Makefile.in | 50 ++-
ldap/ldif/template-dse.ldif.in | 11 +
ldap/servers/plugins/rootdn_access/rootdn_access.c | 663 ++++++++++++++++++++
ldap/servers/plugins/rootdn_access/rootdn_access.h | 57 ++
ldap/servers/slapd/bind.c | 34 +-
ldap/servers/slapd/pblock.c | 14 +
ldap/servers/slapd/plugin.c | 11 +-
ldap/servers/slapd/slap.h | 2 +
ldap/servers/slapd/slapi-plugin.h | 3 +
10 files changed, 846 insertions(+), 12 deletions(-)
create mode 100644 ldap/servers/plugins/rootdn_access/rootdn_access.c
create mode 100644 ldap/servers/plugins/rootdn_access/rootdn_access.h

[mareynol @localhost servers]$ git push origin master
Counting objects: 32, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (18/18), done.
Writing objects: 100% (18/18), 9.66 KiB, done.
Total 18 (delta 13), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
c3dc979. c61ee8e master -> master

1.2.11 branch changeset 8f17da5/389-ds-base

Added initial screened field value.

3 months ago

Metadata Update from @mreynolds:
- Issue assigned to mreynolds
- Issue set to the milestone: 1.2.11.5

Login to comment on this ticket.

ack

Security - Access Control (ACL)

defect

cancel