Commit 0792d7ba authored by Quanah Gibson-Mount's avatar Quanah Gibson-Mount

ITS#5524

parent f7eb5e33
......@@ -24,6 +24,7 @@ OpenLDAP 2.4.10 Engineering
Fixed slapo-unique filter terminator (ITS#5511)
Documentation
Add search privileges documentation (ITS#5512)
admin24 security document updates (ITS#5524)
OpenLDAP 2.4.9 Release (2008/05/07)
Fixed libldap to use unsigned port (ITS#5436)
......
personal_ws-1.1 en 1598
personal_ws-1.1 en 1634
commonName
bla
Masarati
subjectAltName
api
BhY
olcSyncrepl
olcSyncRepl
olcSyncrepl
adamsom
adamson
CER
......@@ -38,8 +38,8 @@ DIB
dev
reqNewSuperior
librewrite
memberOf
memberof
memberOf
BSI
updateref
buf
......@@ -64,6 +64,7 @@ CRP
postread
csn
xvfB
checkpass
neverDerefaliases
dns
DN's
......@@ -87,8 +88,8 @@ dlopen
eng
AttributeValue
attributevalue
EOF
DUA
EOF
inputfile
DSP
refreshDone
......@@ -123,10 +124,10 @@ iff
contextCSN
auditModify
auditSearch
openldap
OpenLDAP
resultCode
openldap
resultcode
resultCode
sysconfig
indices
blen
......@@ -137,14 +138,17 @@ directoryString
database's
iscritical
gss
qbuaQ
ZKKuqbEKJfKSXhUbHG
invalidAttributeSyntax
subtree
Kartik
newparent
DkMTwBl
memcalloc
ing
filtertype
XKqkdPOmY
regcomp
ldapmodify
includedir
......@@ -159,13 +163,13 @@ argv
kdz
notAllowedOnRDN
hostport
starttls
StartTLS
starttls
ldb
servercredp
ldd
ipv
IPv
ipv
hyc
joe
bindmethods
......@@ -189,16 +193,16 @@ attrstyle
directoryOperation
creatorsName
mem
oldpasswdfile
oldPasswdFile
oldpasswdfile
uniqueMember
krb
libpath
acknowledgements
jts
createTimestamp
LLL
MIB
LLL
OpenSSL
openssl
LOF
......@@ -217,6 +221,7 @@ LDAPMatchingRule
bool
LRL
CPPFLAGS
yWpR
schemadir
desc
lud
......@@ -232,14 +237,15 @@ oid
msg
attr
caseExactOrderingMatch
TmkzUAb
Subbarao
aeeiib
oidlen
submatches
olc
PEM
PDU
olc
OLF
PDU
LDAPSchemaExtensionItem
auth
Pierangelo
......@@ -249,6 +255,7 @@ subdirectories
OLP
pwdPolicyChecker
subst
mux
singleLevel
cleartext
numattrsets
......@@ -277,9 +284,9 @@ rdn
wZFQrDD
OTP
olcSizeLimit
pos
sbi
PRD
sbi
pos
pre
sudoadm
stringal
......@@ -287,6 +294,7 @@ retoidp
sdf
efgh
accesslog
PSH
sed
cond
qdescrs
......@@ -296,9 +304,10 @@ ldapmodrdn
sel
bvec
TBC
HtZhZS
stringbv
Sep
SHA
Sep
ptr
conn
pwd
......@@ -315,8 +324,8 @@ myOID
supportedSASLMechanism
supportedSASLmechanism
realnamingcontext
SMD
UCD
SMD
keytab
portnumber
uncached
......@@ -329,8 +338,8 @@ sasldb
UCS
searchDN
keytbl
tgz
UDP
tgz
freemods
prepend
errText
......@@ -347,22 +356,22 @@ crit
objectClassViolation
ssf
ldapfilter
rwm
TOC
vec
TOC
rwm
pwdChangedTime
tls
peernamestyle
xpasswd
tmp
SRP
tmp
SSL
dupbv
CPUs
SRV
entrymods
rwx
sss
rwx
reqNewRDN
nopresent
rebindproc
......@@ -372,11 +381,13 @@ syncIdSet
cron
accesslevel
accessor's
czBJdDqS
keyval
alloc
saslpasswd
README
maxentries
QWGWZpj
ttl
undefinedAttributeType
peercred
......@@ -417,10 +428,11 @@ memberURL
sudoers
pwdMaxFailure
pseudorootdn
MezRroT
GDBM
LIBRELEASE
DSAs
DSA's
DSAs
realloc
booleanMatch
compareTrue
......@@ -432,6 +444,7 @@ rwxrwxrwx
al
realself
cd
aQ
ar
olcDatabaseConfig
de
......@@ -447,6 +460,7 @@ dn
fG
DS
fi
EO
allmail
du
eq
......@@ -477,8 +491,8 @@ pwdMinLength
iZ
ldapdelete
xyz
RDBMs
rdbms
RDBMs
extparam
mk
ng
......@@ -533,6 +547,7 @@ cacert
notAllowedOnNonLeaf
attrname
olcTLSCipherSuite
Xr
x's
xw
octetStringMatch
......@@ -541,8 +556,8 @@ ZZ
LDVERSION
testAttr
backend
backend's
backends
backend's
BerValues
Solaris
structs
......@@ -554,9 +569,9 @@ ostring
policyDN
testObject
pwdMaxAge
bindDn
bindDN
binddn
bindDN
bindDn
distributedOperation
schemachecking
strvals
......@@ -588,6 +603,7 @@ serverctrls
recursivegroup
integerMatch
moduledir
BlpQmtczb
dynstyle
bindpw
AUTHNAME
......@@ -598,14 +614,14 @@ IEEE
regex
SIGINT
slappasswd
errAbsObject
errABsObject
errAbsObject
ldapexop
objectidentifier
objectIdentifier
objectidentifier
deallocators
MirrorMode
mirrormode
MirrorMode
loopDetect
SIGHUP
authMethodNotSupported
......@@ -622,8 +638,8 @@ filtercomp
expr
syntaxes
memrealloc
returnCode
returncode
returnCode
OpenLDAP's
exts
bitstringa
......@@ -638,6 +654,7 @@ ietf
olcSchemaConfig
bitstrings
bvalues
hmev
realdnattr
attrpair
affectsMultipleDSAs
......@@ -646,8 +663,8 @@ lastName
lldap
cachesize
slapauth
attributetype
attributeType
attributetype
GSER
olcDbNosync
typedef
......@@ -664,14 +681,16 @@ monitoredObject
TLSVerifyClient
noidlen
LDAPNOINIT
pwdGraceAuthNLimit
pwdGraceAuthnLimit
pwdGraceAuthNLimit
hnPk
userpassword
userPassword
noanonymous
LIBVERSION
symas
dcedn
glibc
sublevel
chroot
posixGroup
......@@ -682,12 +701,14 @@ frontend
someotherdomain
proxying
organisations
IMAP
rewriteMap
monitoredInfo
modrdn
ModRDN
modrDN
ModRDN
modrdn
HREF
DQTxCYEApdUtNXGgdUac
inline
multiproxy
reqSizeLimit
......@@ -698,8 +719,8 @@ reqReferral
rlookups
siiiib
LTSTATIC
timeLimitExceeded
timelimitExceeded
timeLimitExceeded
XKYnrjvGT
subtrees
unixODBC
......@@ -711,8 +732,8 @@ reqDN
dnstyle
inet
schemas
pwdPolicySubEntry
pwdPolicySubentry
pwdPolicySubEntry
reqId
scanf
olcBackend
......@@ -721,6 +742,7 @@ Arial
init
runtime
onelevel
YtNFk
impl
Autoconf
stderr
......@@ -737,6 +759,7 @@ olcModuleList
pwdSafeModify
html
multimaster
GCmfuqEvm
testrun
rewriteEngine
slapdindex
......@@ -751,8 +774,8 @@ POSIX
pathname
noSuchObject
proxyOld
berelement
BerElement
berelement
sbiod
plugin
http
......@@ -762,8 +785,8 @@ ldbm
numericStringSubstringsMatch
internet
storages
whoami
WhoAmI
whoami
criticality
addBlanks
logins
......@@ -772,6 +795,7 @@ dbnum
operationsError
homePhone
testTwo
BmIwN
ldif
entryAlreadyExists
plaintext
......@@ -903,6 +927,7 @@ concat
realanonymous
invalue
refreshOnly
pwcheck
filesystem
Naur
unwillingToPerform
......@@ -924,6 +949,7 @@ negttl
logevels
AAQSkZJRgABAAAAAQABAAD
strcast
aUihad
failover
constraintViolation
cacheable
......@@ -968,6 +994,7 @@ basename
groupOfUniqueNames
DHAVE
ludp
oPdklp
entryUUID
ldapapiinfo
SampleLDAP
......@@ -1013,12 +1040,14 @@ typeB
nelems
subord
namingViolation
PCOq
inappropriateAuthentication
mixin
suders
syntaxOID
olcTLSCACertificateFile
IGJlZ
userPrincipalName
TLSCipherSuite
auditlog
runningslapd
......@@ -1059,6 +1088,7 @@ searchResultEntry
PIII
olcDbShmKey
substr
testsaslauthd
reqRespControls
XXXXXXXXXX
MANSECT
......@@ -1081,6 +1111,7 @@ dcObject
supportedControl
addprinc
logbase
oMxg
filterlist
generalizedTimeMatch
Google
......@@ -1204,6 +1235,7 @@ lucyB
entryUUIDs
reqEntries
sockbuf
wrongpassword
olcSaslSecprops
olcSaslSecProps
dnSubtreeMatch
......@@ -1296,6 +1328,7 @@ SMTP
srvtab
ldapadd
sprintf
spasswd
monitorCounterObject
Instanstantiation
olcDbConfig
......@@ -1362,6 +1395,7 @@ argsfile
attrvalue
deallocate
msgid
ilOzQ
modulepath
logfile
Supr
......@@ -1513,6 +1547,7 @@ ABNF
dnpattern
perror
MSSQL
VUld
SmVuc
ACIs
errmsgp
......@@ -1552,8 +1587,8 @@ wBDARESEhgVG
multi
aaa
ldaprc
updatedn
UpdateDN
updatedn
LDAPBASE
LDAPAPIFeatureInfo
authzTo
......@@ -1593,7 +1628,8 @@ ber
slimit
ali
attributeoptions
BfQ
uidNumber
CAs
CA's
CAs
namingContext
# $OpenLDAP$
# Copyright 1999-2008 The OpenLDAP Foundation, All Rights Reserved.
# Portions Copyright 2008 Andrew Findlay.
# COPYING RESTRICTIONS APPLY, see COPYRIGHT.
H1: Security Considerations
......@@ -58,7 +59,8 @@ to the server. For example, the {{host_options}}(5) rule:
allows only incoming connections from the private network {{F:10.0.0.0}}
and localhost ({{F:127.0.0.1}}) to access the directory service.
Note that IP addresses are used as {{slapd}}(8) is not normally
Note: IP addresses are used as {{slapd}}(8) is not normally
configured to perform reverse lookups.
It is noted that TCP wrappers require the connection to be accepted.
......@@ -127,10 +129,11 @@ requested by providing a valid name and password.
An anonymous bind results in an {{anonymous}} authorization
association. Anonymous bind mechanism is enabled by default, but
can be disabled by specifying "{{EX:disallow bind_anon}}" in
{{slapd.conf}}(5). Note that disabling the anonymous bind mechanism
does not prevent anonymous access to the directory. To require
authentication to access the directory, one should instead
specify "{{EX:require authc}}".
{{slapd.conf}}(5).
Note: Disabling the anonymous bind mechanism does not prevent
anonymous access to the directory. To require authentication to
access the directory, one should instead specify "{{EX:require authc}}".
An unauthenticated bind also results in an {{anonymous}} authorization
association. Unauthenticated bind mechanism is disabled by default,
......@@ -158,12 +161,250 @@ binds to use encryption of DES equivalent or better.
The user/password authenticated bind mechanism can be completely
disabled by setting "{{EX:disallow bind_simple}}".
Note: An unsuccessful bind always results in the session having
Note: An unsuccessful bind always results in the session having
an {{anonymous}} authorization association.
H3: SASL method
The LDAP {{TERM:SASL}} method allows use of any SASL authentication
mechanism. The {{SECT:Using SASL}} discusses use of SASL.
The LDAP {{TERM:SASL}} method allows the use of any SASL authentication
mechanism. The {{SECT:Using SASL}} section discusses the use of SASL.
H2: Password Storage
LDAP passwords are normally stored in the {{userPassword}} attribute.
{{REF:RFC4519}} specifies that passwords are not stored in encrypted form,
but this can create an unwanted security exposure so {{slapd}} provides
several options for the administrator to choose from.
The {{userPassword}} attribute is allowed to have more than one value,
and it is possible for each value to be stored in a different form.
During authentication, {{slapd}} will iterate through the values
until it finds one that matches the offered password or until it
runs out of values to inspect. The storage scheme is stored as a prefix
on the value, so a Unix {{crypt}}-style password might look like this:
> userPassword: {CRYPT}.7D8U/PCF00Hw
In general, it is safest to store passwords in a salted hashed format
like SSHA. This makes it very hard for an attacker to derive passwords
from stolen backups or by obtaining access to the on-disk {{slapd}}
database.
The disadvantage of hashed storage is that it prevents the use of some
authentication mechanisms such as {{EX:DIGEST-MD5}}.
H3: CLEARTEXT password storage scheme
Cleartext passwords can be stored directly in the {{userPassword}}
attribute, or can have the '{CLEARTEXT}' prefix. These two values are
equivalent:
> userPassword: secret
> userPassword: {CLEARTEXT}secret
H3: CRYPT password storage scheme
This scheme uses the operating system's {{crypt(3)}} hash function.
It normally produces the traditional Unix-style 13 character hash, but
on systems with {{EX:glibc2}} it can also generate the more secure
34-byte MD5 hash.
> userPassword: {CRYPT}aUihad99hmev6
> userPassword: {CRYPT}$1$czBJdDqS$TmkzUAb836oMxg/BmIwN.1
The advantage of the CRYPT scheme is that passwords can be
transferred to or from an existing Unix password file without having
to know the cleartext form. Both forms of {{crypt}} include salt so
they have some resistance to dictionary attacks.
Note: Since this scheme uses the operation system's {{crypt(3)}} hash function,
it is therefore operation system specific.
H3: MD5 password storage scheme
This scheme simply takes the MD5 hash of the password and stores it in
base64 encoded form:
> userPassword: {MD5}Xr4ilOzQ4PCOq3aQ0qbuaQ==
Although safer than cleartext storage, this is not a very secure
scheme. The MD5 algorithm is fast, and because there is no salt the
scheme is vulnerable to a dictionary attack.
H3: SMD5 password storage scheme
This improves on the basic MD5 scheme by adding salt (random data
which means that there are many possible representations of a given
plaintext password). For example, both of these values represent the
same password:
> userPassword: {SMD5}4QWGWZpj9GCmfuqEvm8HtZhZS6E=
> userPassword: {SMD5}g2/J/7D5EO6+oPdklp5p8YtNFk4=
H3: SHA password storage scheme
Like the MD5 scheme, this simply feeds the password through an SHA
hash process. SHA is thought to be more secure than MD5, but the lack
of salt leaves the scheme exposed to dictionary attacks.
> userPassword: {SHA}5en6G6MezRroT3XKqkdPOmY/BfQ=
H3: SSHA password storage scheme
This is the salted version of the SHA scheme. It is believed to be the