LDAP search without credetials

To: debian-security@lists.debian.org
Subject: LDAP search without credetials
From: Carsten Czerner <carsten.czerner@leuphana.de>
Date: Mon, 17 Aug 2015 13:23:26 +0200
Message-id: <[🔎] 55D1C42E.1050005@leuphana.de>

Hi,

on my Debian8 slapd installation I can query the ldap-server withouttyping in any password. That isn't ok!?


At the dn: olcDatabase={1}mdb.ldif I found the following entry:

olcAccess: {2}to * by * read

I guess that gives read access to everyone without authentification.

It was pure coincidence that I tested a login without credentials! Causea login with credentilas works as well.

Please change olcAccess: {2}to * by * read -> olcAccess: {2}to * byusers read


After that, the login was denied:

ldap_bind: Server is unwilling to perform (53)

additional info: unauthenticated bind (DN with no password)disallowed


-------------
Here is a ldif for every one who likes to change it.

cat rights.ldif
dn: olcDatabase={1}mdb,cn=config
changetype: modify
delete: olcAccess
olcAccess: {2}to * by * read
-
add: olcAccess
olcAccess: {2}to * by users read

ldapmodify -Y EXTERNAL -H ldapi:/// -f rights.ldif

Regards
Carsten

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

Reply to:

Follow-Ups:
- Re: LDAP search without credetials
  - From: Robert Lemmen <robertle@semistable.com>

Prev by Date: Re: Bug#794466: Virtualbox might not be suitable for Stretch
Next by Date: Re: [SECURITY] [DSA 3336-1] nss security update
Previous by thread: Re: [SECURITY] [DSA 3321-2] opensaml2 security update
Next by thread: Re: LDAP search without credetials
Index(es):
- Date
- Thread