Sebastian Stark from Directory Applications for Advanced Security and Information Management (http://www.daasi.de) has found a serious issue with login_ldap, affecting all versions.

login_ldap is a BSD Authentication module for authenticating users off an LDAP server, and runs on OpenBSD and BSD/OS. It is third party software, and is not part of OpenBSD or BSD/OS.

From http://www.openldap.org/doc/admin/security.html

"An unauthenticated bind results in an anonymous authorization. Unauthenticated bind mechanism is disabled by default, but can be enabled by specifying "allow bind_anon_cred" in slapd.conf(5). As a number of LDAP applications mistakenly generate unauthenticated bind request when authenticated access was intended (that is, they do not ensure a password was provided), this mechanism should generally not be enabled."

In OpenLDAP 2.0.x, the following operations lead to an anonymous bind by default:

- BIND with DN set but no password provided (bind_anon_dn)
- BIND with no DN but a password was provided (bind_anon_cred)
- BIND with no DN and no password (bind_anon)

You can disable any of those BIND methods by putting 'disallow <feature>' into your slapd.conf, where <feature> stands for the corresponding keyword given in parentheses above. In OpenLDAP 2.1.x all but bind_anon are disabled by default. For an authentication service this is probably what most people want.

login_ldap has been updated to check that a password has been provided. It is available here:

http://www.ifost.org.au/~peterw/login_ldap-3.3.tar.gz
MD5 (login_ldap-3.3.tar.gz) = 52e905d54a136c3d850158f4f7548a3f

The other main change is that it is no longer installed setuid root; please see the README included for more information.

I would encourage other people writing LDAP applications to check their software for this issue.

Many thanks to Sebastian for his help with this issue, work on a suitable fix and this advisory.

Peter Werner
Feb 21, 2003

--
IFOST: http://www.ifost.org.au
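The following is an added illustration, not code from login_ldap or OpenLDAP: it models the three unauthenticated BIND forms and the 'disallow' keywords described above in a small in-memory stand-in for slapd, then shows the mistaken client check beside the corrected one (both the directory entry and the function names are constructed for the example).

```python
# Added example: models the OpenLDAP 2.0.x anonymous-bind defaults and the
# client-side check an LDAP authentication module must perform.
from dataclasses import dataclass, field

# Constructed directory entry (DN -> password); a real module binds to slapd.
DIRECTORY = {"uid=alice,ou=people,dc=example,dc=org": "s3cret"}


@dataclass
class Slapd:
    """Stand-in for slapd's BIND handling. `disallow` holds the slapd.conf(5)
    keywords; an empty set mirrors the OpenLDAP 2.0.x defaults."""
    disallow: set = field(default_factory=set)

    @classmethod
    def openldap_21_defaults(cls):
        # In 2.1.x all but bind_anon are disabled by default.
        return cls({"bind_anon_dn", "bind_anon_cred"})

    def bind(self, dn: str, password: str) -> str:
        """Returns 'authenticated', 'anonymous' or 'invalid'."""
        if dn and password:
            return "authenticated" if DIRECTORY.get(dn) == password else "invalid"
        if dn:
            feature = "bind_anon_dn"      # DN set, no password
        elif password:
            feature = "bind_anon_cred"    # password set, no DN
        else:
            feature = "bind_anon"         # neither
        # Unauthenticated bind: anonymous authorization unless disallowed.
        return "invalid" if feature in self.disallow else "anonymous"


def authenticate_mistaken(server: Slapd, dn: str, password: str) -> bool:
    """The mistake the advisory describes: any bind that does not fail is
    treated as a successful login, so an empty password logs the user in
    via an anonymous bind when the server allows bind_anon_dn."""
    return server.bind(dn, password) != "invalid"


def authenticate_checked(server: Slapd, dn: str, password: str) -> bool:
    """Corrected check: refuse before binding unless both DN and password
    are present, and accept only an authenticated (never anonymous) bind."""
    if not dn or not password:
        return False
    return server.bind(dn, password) == "authenticated"
```

Running the two checks against the 2.0.x defaults shows the difference on an empty password; the server-side 'disallow' keywords close the gap only for clients that still make the mistake.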