#49315 Add warning on startup if unauthenticated binds are enabled.
Opened 2 years ago by firstyear. Modified 2 months ago

Issue Description

If unauthenticated binds are enabled, we should warn about this in the log at start up.


Metadata Update from @firstyear:
- Custom field type adjusted to defect
- Issue tagged with: Easyfix

2 years ago

Metadata Update from @ilias95:
- Issue assigned to ilias95

2 years ago

Metadata Update from @ilias95:
- Custom field reviewstatus adjusted to review

2 years ago

I think we should improve the message, maybe "Unauthenticated binds are enabled - this is insecure".

Second, looking at this, I can see that you change from hard tab to spaces - perhaps your editor did this?

Anyway, I prefer 4 space, but please make sure that you apply it to the whole function (line 6516 through 6536 with the patch).

If you use vim, you can see this with:

set list listchars=tab:·\ ,trail:·,precedes:<,extends:>

About the message: as we discussed in the mail thread unauth binds will become anonymous and so no more info will be provided than by a direct anonymous bind. SO the main problem is on the client assuming to bind with a dn and getting results for anonymous. I would try to reflect this in the log message, eg "Enabling unauthenticated binds can send unexpected results to clients and should be avoided"

And I think a message at startup is easily overlooked or does not help much in tracking clients doing aunautheticated binds.

How about to extend the messsage in the access log:

conn=4 op=0 RESULT err=0 tag=97 nentries=0 etime=0.000000 dn="" (unauthenticated bind)

Second, looking at this, I can see that you change from hard tab to spaces - perhaps your editor did this?

Anyway, I prefer 4 space, but please make sure that you apply it to the whole function (line 6516 through 6536 with the patch).

Hmm, I'm not sure what you mean here. This function uses hard tabs already so that's I used as well to indent the code. But then I used spaces to indent the slapi_log_err arguments, because if we use tabs in this case it might end up displaying the result differently in different editors (meaning, the arguments will not be aligned properly). Does this make sense? Or do you want me to change it to hard tabs or spaces for the whole function?

@ilias95 Your editor made them "soft" tabs, so it messed up the patch somehow. I couldn't apply it without ignore white space options .... >.<

I find it easier to just convert places with hard tabs to soft if it's a small enough function, but @mreynolds plan to clang format the whole code base soon to fix this anyway.

I think that @lkrispen's comments are really valid. How about you update the message based on his input.

@lkrispen It's true it's easy for admins to overlook. It's also something we assume most people don't use. I think adding the unauth message to the log is a good idea, but we can do that as a follow up patch? Another option is that in the new lib389 tools we have a healthcheck function which can "report" bad configs, so perhaps we could add this to taht?

Okay, I replaced all hard tabs in the function by spaces and I updated the log message.

0001-Issue-49315-Log-a-warning-whenever-unauthenticated-b.patch

I think this message is a bit scary when we say "potential security issues":

"Unauthenticated binds are enabled - this can lead to unexpected results with clients and potential security issues\n"

I can see admins saying: What security issues?! Oh my, lets open a support case, etc.

The potential security issue is actually on the client side and not the DS side. I think we should use Ludwig's original suggestion saying it should just "be avoided", and not use words like "security". Thoughts?

If we don't use the word security, people will ignore it. We need a scary warning like this to make people notice it I think. Perhaps we could say client security issues to be specific?

If we don't use the word security, people will ignore it.

In my experience many customers do watch the errors log, and when a new message appears they do take notice and inquire about it to support or a mailing list.

We need a scary warning like this to make people notice it I think. Perhaps we could say client security issues to be specific?

That's better, but it's only a client security issue if the client uses LDAP binds for its own authentication purposes against some other application. It still has no impact on DS and it's data. It's a corner case IMO, and to use vague/scary messages is inappropriate - especially since it's all on the client side.

Perhaps we just need a very verbose warning message describing the above scenario in more detail. But saying "potential security issues", or "potential client security issues", is just way too vague, and not good practice in my opinion. If we are going to state it's a security issue then we need to say why, and in detail.

Either way we need to fully document this somewhere, either in a tech doc or in the Admin guide.

Metadata Update from @mreynolds:
- Custom field component adjusted to None
- Custom field origin adjusted to None
- Custom field version adjusted to None

2 years ago

Yeah, it needs to go to the admin guide. I think we could bikeshed the message a lot, but "this could cause client security issues, please contact support / docs for more" at a general outline.

@mreynolds Did we come up with a solution to the msg? @ilias95 what do you think?

Metadata Update from @mreynolds:
- Issue set to the milestone: 1.3.7.0

2 years ago

Metadata Update from @mreynolds:
- Issue set to the milestone: 1.4.2 (was: 1.3.7.0)

2 months ago

Login to comment on this ticket.

Metadata