1# $OpenLDAP: pkg/openldap-guide/admin/security.sdf,v 1.16.2.8 2008/05/29 16:19:01 quanah Exp $ 2# Copyright 1999-2008 The OpenLDAP Foundation, All Rights Reserved. 3# Portions Copyright 2008 Andrew Findlay. 4# COPYING RESTRICTIONS APPLY, see COPYRIGHT. 5 6H1: Security Considerations 7 8OpenLDAP Software is designed to run in a wide variety of computing 9environments from tightly-controlled closed networks to the global 10Internet. Hence, OpenLDAP Software supports many different security 11mechanisms. This chapter describes these mechanisms and discusses 12security considerations for using OpenLDAP Software. 13 14H2: Network Security 15 16H3: Selective Listening 17 18By default, {{slapd}}(8) will listen on both the IPv4 and IPv6 "any" 19addresses. It is often desirable to have {{slapd}} listen on select 20address/port pairs. For example, listening only on the IPv4 address 21{{EX:127.0.0.1}} will disallow remote access to the directory server. 22E.g.: 23 24> slapd -h ldap://127.0.0.1 25 26While the server can be configured to listen on a particular interface 27address, this doesn't necessarily restrict access to the server to 28only those networks accessible via that interface. To selective 29restrict remote access, it is recommend that an {{SECT:IP Firewall}} 30be used to restrict access. 31 32See {{SECT:Command-line Options}} and {{slapd}}(8) for more 33information. 34 35 36H3: IP Firewall 37 38{{TERM:IP}} firewall capabilities of the server system can be used 39to restrict access based upon the client's IP address and/or network 40interface used to communicate with the client. 41 42Generally, {{slapd}}(8) listens on port 389/tcp for {{F:ldap://}} 43sessions and port 636/tcp for {{F:ldaps://}}) sessions. {{slapd}}(8) 44may be configured to listen on other ports. 45 46As specifics of how to configure IP firewall are dependent on the 47particular kind of IP firewall used, no examples are provided here. 48See the document associated with your IP firewall. 49 50 51H3: TCP Wrappers 52 53{{slapd}}(8) supports {{TERM:TCP}} Wrappers. TCP Wrappers provide 54a rule-based access control system for controlling TCP/IP access 55to the server. For example, the {{host_options}}(5) rule: 56 57> slapd: 10.0.0.0/255.0.0.0 127.0.0.1 : ALLOW 58> slapd: ALL : DENY 59 60allows only incoming connections from the private network {{F:10.0.0.0}} 61and localhost ({{F:127.0.0.1}}) to access the directory service. 62 63Note: IP addresses are used as {{slapd}}(8) is not normally 64configured to perform reverse lookups. 65 66It is noted that TCP wrappers require the connection to be accepted. 67As significant processing is required just to deny a connection, 68it is generally advised that IP firewall protection be used instead 69of TCP wrappers. 70 71See {{hosts_access}}(5) for more information on TCP wrapper rules. 72 73 74H2: Data Integrity and Confidentiality Protection 75 76{{TERM[expand]TLS}} (TLS) can be used to provide data integrity and 77confidentiality protection. OpenLDAP supports negotiation of 78{{TERM:TLS}} ({{TERM:SSL}}) via both StartTLS and {{F:ldaps://}}. 79See the {{SECT:Using TLS}} chapter for more information. StartTLS 80is the standard track mechanism. 81 82A number of {{TERM[expand]SASL}} (SASL) mechanisms, such as 83{{TERM:DIGEST-MD5}} and {{TERM:GSSAPI}}, also provide data integrity 84and confidentiality protection. See the {{SECT:Using SASL}} chapter 85for more information. 86 87 88H3: Security Strength Factors 89 90The server uses {{TERM[expand]SSF}}s (SSF) to indicate the relative 91strength of protection. A SSF of zero (0) indicates no protections 92are in place. A SSF of one (1) indicates integrity protection are 93in place. A SSF greater than one (>1) roughly correlates to the 94effective encryption key length. For example, {{TERM:DES}} is 56, 95{{TERM:3DES}} is 112, and {{TERM:AES}} 128, 192, or 256. 96 97A number of administrative controls rely on SSFs associated with 98TLS and SASL protection in place on an LDAP session. 99 100{{EX:security}} controls disallow operations when appropriate 101protections are not in place. For example: 102 103> security ssf=1 update_ssf=112 104 105requires integrity protection for all operations and encryption 106protection, 3DES equivalent, for update operations (e.g. add, delete, 107modify, etc.). See {{slapd.conf}}(5) for details. 108 109For fine-grained control, SSFs may be used in access controls. 110See {{SECT:The access Configuration Directive}} section of the 111{{SECT:The slapd Configuration File}} for more information. 112 113 114H2: Authentication Methods 115 116H3: "simple" method 117 118The LDAP "simple" method has three modes of operation: 119 120* anonymous, 121* unauthenticated, and 122* user/password authenticated. 123 124Anonymous access is requested by providing no name and no password 125to the "simple" bind operation. Unauthenticated access is requested 126by providing a name but no password. Authenticated access is 127requested by providing a valid name and password. 128 129An anonymous bind results in an {{anonymous}} authorization 130association. Anonymous bind mechanism is enabled by default, but 131can be disabled by specifying "{{EX:disallow bind_anon}}" in 132{{slapd.conf}}(5). 133 134Note: Disabling the anonymous bind mechanism does not prevent 135anonymous access to the directory. To require authentication to 136access the directory, one should instead specify "{{EX:require authc}}". 137 138An unauthenticated bind also results in an {{anonymous}} authorization 139association. Unauthenticated bind mechanism is disabled by default, 140but can be enabled by specifying "{{EX:allow bind_anon_cred}}" in 141{{slapd.conf}}(5). As a number of LDAP applications mistakenly 142generate unauthenticated bind request when authenticated access was 143intended (that is, they do not ensure a password was provided), 144this mechanism should generally remain disabled. 145 146A successful user/password authenticated bind results in a user 147authorization identity, the provided name, being associated with 148the session. User/password authenticated bind is enabled by default. 149However, as this mechanism itself offers no eavesdropping protection 150(e.g., the password is set in the clear), it is recommended that 151it be used only in tightly controlled systems or when the LDAP 152session is protected by other means (e.g., TLS, {{TERM:IPsec}}). 153Where the administrator relies on TLS to protect the password, it 154is recommended that unprotected authentication be disabled. This 155is done using the {{EX:security}} directive's {{EX:simple_bind}} 156option, which provides fine grain control over the level of confidential 157protection to require for {{simple}} user/password authentication. 158E.g., using {{EX:security simple_bind=56}} would require {{simple}} 159binds to use encryption of DES equivalent or better. 160 161The user/password authenticated bind mechanism can be completely 162disabled by setting "{{EX:disallow bind_simple}}". 163 164Note: An unsuccessful bind always results in the session having 165an {{anonymous}} authorization association. 166 167 168H3: SASL method 169 170The LDAP {{TERM:SASL}} method allows the use of any SASL authentication 171mechanism. The {{SECT:Using SASL}} section discusses the use of SASL. 172 173H2: Password Storage 174 175LDAP passwords are normally stored in the {{userPassword}} attribute. 176{{REF:RFC4519}} specifies that passwords are not stored in encrypted 177(or hashed) form. This allows a wide range of password-based 178authentication mechanisms, such as {{EX:DIGEST-MD5}} to be used. 179This is also the most interoperable storage scheme. 180 181However, it may be desirable to store a hash of password instead. 182{{slapd}}(8) supports a variety of storage schemes for the administrator 183to choose from. 184 185Note: Values of password attributes, regardless of storage scheme 186used, should be protected as if they were clear text. Hashed 187passwords are subject to {{dictionary attacks}} and {{brute-force 188attacks}}. 189 190The {{userPassword}} attribute is allowed to have more than one value, 191and it is possible for each value to be stored in a different form. 192During authentication, {{slapd}} will iterate through the values 193until it finds one that matches the offered password or until it 194runs out of values to inspect. The storage scheme is stored as a prefix 195on the value, so a hashed password using the Salted SHA1 ({{EX:SSHA}}) 196scheme looks like: 197 198> userPassword: {SSHA}DkMTwBl+a/3DQTxCYEApdUtNXGgdUac3 199 200The advantage of hashed passwords is that an attacker which 201discovers the hash does not have direct access to the actual password. 202Unfortunately, as dictionary and brute force attacks are generally 203quite easy for attackers to successfully mount, this advantage is 204marginal at best (this is why all modern Unix systems use shadow 205password files). 206 207The disadvantages of hashed storage is that they are non-standard, may 208cause interoperability problem, and generally preclude the use 209of stronger than Simple (or SASL/PLAIN) password-based authentication 210mechanisms such as {{EX:DIGEST-MD5}}. 211 212H3: SSHA password storage scheme 213 214This is the salted version of the SHA scheme. It is believed to be the 215most secure password storage scheme supported by {{slapd}}. 216 217These values represent the same password: 218 219> userPassword: {SSHA}DkMTwBl+a/3DQTxCYEApdUtNXGgdUac3 220> userPassword: {SSHA}d0Q0626PSH9VUld7yWpR0k6BlpQmtczb 221 222H3: CRYPT password storage scheme 223 224This scheme uses the operating system's {{crypt(3)}} hash function. 225It normally produces the traditional Unix-style 13 character hash, but 226on systems with {{EX:glibc2}} it can also generate the more secure 22734-byte MD5 hash. 228 229> userPassword: {CRYPT}aUihad99hmev6 230> userPassword: {CRYPT}$1$czBJdDqS$TmkzUAb836oMxg/BmIwN.1 231 232The advantage of the CRYPT scheme is that passwords can be 233transferred to or from an existing Unix password file without having 234to know the cleartext form. Both forms of {{crypt}} include salt so 235they have some resistance to dictionary attacks. 236 237Note: Since this scheme uses the operating system's {{crypt(3)}} 238hash function, it is therefore operating system specific. 239 240H3: MD5 password storage scheme 241 242This scheme simply takes the MD5 hash of the password and stores it in 243base64 encoded form: 244 245> userPassword: {MD5}Xr4ilOzQ4PCOq3aQ0qbuaQ== 246 247Although safer than cleartext storage, this is not a very secure 248scheme. The MD5 algorithm is fast, and because there is no salt the 249scheme is vulnerable to a dictionary attack. 250 251H3: SMD5 password storage scheme 252 253This improves on the basic MD5 scheme by adding salt (random data 254which means that there are many possible representations of a given 255plaintext password). For example, both of these values represent the 256same password: 257 258> userPassword: {SMD5}4QWGWZpj9GCmfuqEvm8HtZhZS6E= 259> userPassword: {SMD5}g2/J/7D5EO6+oPdklp5p8YtNFk4= 260 261H3: SHA password storage scheme 262 263Like the MD5 scheme, this simply feeds the password through an SHA 264hash process. SHA is thought to be more secure than MD5, but the lack 265of salt leaves the scheme exposed to dictionary attacks. 266 267> userPassword: {SHA}5en6G6MezRroT3XKqkdPOmY/BfQ= 268 269H3: SASL password storage scheme 270 271This is not really a password storage scheme at all. It uses the 272value of the {{userPassword}} attribute to delegate password 273verification to another process. See below for more information. 274 275Note: This is not the same as using SASL to authenticate the LDAP 276session. 277 278H3: KERBEROS password storage scheme 279 280This is not really a password storage scheme at all. It uses the 281value of the {{userPassword}} attribute to delegate password 282verification to Kerberos. 283 284Note: This is not the same as using Kerberos authentication of 285the LDAP session. 286 287This scheme could be said to defeat the advantages of Kerberos by 288causing the Kerberos password to be exposed to the {{slapd}} server 289(and possibly on the network as well). 290 291H2: Pass-Through authentication 292 293Since OpenLDAP 2.0 {{slapd}} has had the ability to delegate password 294verification to a separate process. This uses the {{sasl_checkpass(3)}} 295function so it can use any back-end server that Cyrus SASL supports for 296checking passwords. The choice is very wide, as one option is to use 297{{saslauthd(8)}} which in turn can use local files, Kerberos, an IMAP 298server, another LDAP server, or anything supported by the PAM mechanism. 299 300The server must be built with the {{EX:--enable-spasswd}} 301configuration option to enable pass-through authentication. 302 303Note: This is not the same as using a SASL mechanism to 304authenticate the LDAP session. 305 306Pass-Through authentication works only with plaintext passwords, as 307used in the "simple bind" and "SASL PLAIN" authentication mechanisms.}} 308 309Pass-Through authentication is selective: it only affects users whose 310{{userPassword}} attribute has a value marked with the "{SASL}" 311scheme. The format of the attribute is: 312 313> userPassword: {SASL}username@realm 314 315The {{username}} and {{realm}} are passed to the SASL authentication 316mechanism and are used to identify the account whose password is to be 317verified. This allows arbitrary mapping between entries in OpenLDAP 318and accounts known to the backend authentication service. 319 320Note: There is no support for changing passwords in the backend 321via {{slapd}}. 322 323It would be wise to use access control to prevent users from changing 324their passwords through LDAP where they have pass-through authentication 325enabled. 326 327 328H3: Configuring slapd to use an authentication provider 329 330Where an entry has a "{SASL}" password value, OpenLDAP delegates the 331whole process of validating that entry's password to Cyrus SASL. All 332the configuration is therefore done in SASL config files. 333 334The first 335file to be considered is confusingly named {{slapd.conf}} and is 336typically found in the SASL library directory, often 337{{EX:/usr/lib/sasl2/slapd.conf}} This file governs the use of SASL 338when talking LDAP to {{slapd}} as well as the use of SASL backends for 339pass-through authentication. See {{EX:options.html}} in the {{PRD:Cyrus SASL}} 340docs for full details. Here is a simple example for a server that will 341use {{saslauthd}} to verify passwords: 342 343> mech_list: plain 344> pwcheck_method: saslauthd 345> saslauthd_path: /var/run/sasl2/mux 346 347H3: Configuring saslauthd 348 349{{saslauthd}} is capable of using many different authentication 350services: see {{saslauthd(8)}} for details. A common requirement is to 351delegate some or all authentication to another LDAP server. Here is a 352sample {{EX:saslauthd.conf}} that uses Microsoft Active Directory (AD): 353 354> ldap_servers: ldap://dc1.example.com/ ldap://dc2.example.com/ 355> 356> ldap_search_base: cn=Users,DC=ad,DC=example,DC=com 357> ldap_filter: (userPrincipalName=%u) 358> 359> ldap_bind_dn: cn=saslauthd,cn=Users,DC=ad,DC=example,DC=com 360> ldap_password: secret 361 362In this case, {{saslauthd}} is run with the {{EX:ldap}} authentication 363mechanism and is set to combine the SASL realm with the login name: 364 365> saslauthd -a ldap -r 366 367This means that the "username@realm" string from the {{userPassword}} 368attribute ends up being used to search AD for 369"userPrincipalName=username@realm" - the password is then verified by 370attempting to bind to AD using the entry found by the search and the 371password supplied by the LDAP client. 372 373H3: Testing pass-through authentication 374 375It is usually best to start with the back-end authentication provider 376and work through {{saslauthd}} and {{slapd}} towards the LDAP client. 377 378In the AD example above, first check that the DN and password that 379{{saslauthd}} will use when it connects to AD are valid: 380 381> ldapsearch -x -H ldap://dc1.example.com/ \ 382> -D cn=saslauthd,cn=Users,DC=ad,DC=example,DC=com \ 383> -w secret \ 384> -b '' \ 385> -s base 386 387Next check that a sample AD user can be found: 388 389> ldapsearch -x -H ldap://dc1.example.com/ \ 390> -D cn=saslauthd,cn=Users,DC=ad,DC=example,DC=com \ 391> -w secret \ 392> -b cn=Users,DC=ad,DC=example,DC=com \ 393> "(userPrincipalName=user@ad.example.com)" 394 395Check that the user can bind to AD: 396 397> ldapsearch -x -H ldap://dc1.example.com/ \ 398> -D cn=user,cn=Users,DC=ad,DC=example,DC=com \ 399> -w userpassword \ 400> -b cn=user,cn=Users,DC=ad,DC=example,DC=com \ 401> -s base \ 402> "(objectclass=*)" 403 404If all that works then {{saslauthd}} should be able to do the same: 405 406> testsaslauthd -u user@ad.example.com -p userpassword 407> testsaslauthd -u user@ad.example.com -p wrongpassword 408 409Now put the magic token into an entry in OpenLDAP: 410 411> userPassword: {SASL}user@ad.example.com 412 413It should now be possible to bind to OpenLDAP using the DN of that 414entry and the password of the AD user. 415 416