Bug #8244

closed

LDAP directory allows read-only access on localhost without authentication

Added by Jonathan CLARKE over 8 years ago. Updated over 5 years ago.

Status: Released
Priority: 1 (highest)
Category: Server components
Priority: 0

Description

The LDAP directory installed with Rudder contains potentially sensitive information, including some configuration policies and the inventory of all nodes.

A user with local access to the Rudder server can query the LDAP server and extract all of this information, with the default settings. This access is only possible via localhost, due to the fact that the LDAP server binds only to the localhost interface.

This access should be restricted. We will be adding a fix in the next minor releases of all Rudder versions.

In the meantime, you can restrict all anonymous data access by adding the following lines in /opt/rudder/etc/openldap/slapd.conf, just before the line "Database definitions", then run "/etc/init.d/rudder-slapd restart":

# ACLs
#       Root DSE: allow anyone to read it
#       Subschema (sub)entry DSE: allow anyone to read it
access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read

# No other access to the directory contents (except by the rootdn, but that is implicit)
access to * by * none

The first two access rules are required to use most LDAP browsers (Apache Directory Studio or similar). They simply allow clients to read basic information about the directory service, such as supported extensions and schema - no configuration information is disclosed. The final access rule forbids all access (both read and write), to all accounts in the LDAP directory. This is not strictly necessary to mitigate this issue, but is an extra security barrier: the only account that can read or write any information in the directory is the rootdn (listed further down in the configuration file and used by Rudder and supporting scripts).
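The workaround above is a manual edit; the following added script (not Rudder project code) applies the same ACL block to a slapd.conf before the "Database definitions" line only if the deny-all rule is absent, and then checks that the rule sits in the global section where it covers every database. The slapd.conf it builds in demo() is a constructed sample.

```shell
#!/bin/sh
# Added example, not Rudder project code: insert the ticket's ACLs into a
# slapd.conf before the "Database definitions" line (idempotently) and verify.
ACL_BLOCK='# ACLs
#       Root DSE: allow anyone to read it
#       Subschema (sub)entry DSE: allow anyone to read it
access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read

# No other access to the directory contents (except by the rootdn, but that is implicit)
access to * by * none'
DENY='^[[:space:]]*access[[:space:]]+to[[:space:]]+\*[[:space:]]+by[[:space:]]+\*[[:space:]]+none'
export ACL_BLOCK DENY

# 0 if the deny-all rule is already in FILE (any spacing)
acl_present() { grep -Eq "$DENY" "$1"; }
# 0 if the deny-all rule precedes "Database definitions": access directives
# placed before the first database directive are global and cover every database
acl_before_db() {
    awk '/Database definitions/ { db = 1 }
        !db && $0 ~ ENVIRON["DENY"] { ok = 1 }
        END { exit ok ? 0 : 1 }' "$1"
}
# Insert ACL_BLOCK before the first "Database definitions" line unless the
# deny-all rule is already there; FILE is rewritten through a temp copy
acl_install() {
    acl_present "$1" && return 0
    grep -q 'Database definitions' "$1" || { echo "$1: no Database definitions line" >&2; return 1; }
    awk '/Database definitions/ && !done { print ENVIRON["ACL_BLOCK"] "\n"; done = 1 }
        { print }' "$1" > "$1.new" && mv "$1.new" "$1"
}

# Constructed slapd.conf: apply the fix twice (second run is a no-op), then
# check that exactly one deny-all rule sits before the database section
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/slapd.conf" <<'EOF'
include   /opt/rudder/etc/openldap/schema/core.schema
# Database definitions
database  mdb
suffix    "cn=rudder-configuration"
rootdn    "cn=Manager,cn=rudder-configuration"
EOF
    if acl_install "$d/slapd.conf" && acl_install "$d/slapd.conf" &&
       acl_before_db "$d/slapd.conf" &&
       [ "$(grep -Ec "$DENY" "$d/slapd.conf")" -eq 1 ]; then rc=0; else rc=1; fi
    rm -rf "$d"; return $rc
}
```

Run `acl_install /opt/rudder/etc/openldap/slapd.conf` as root and restart rudder-slapd as the ticket describes; `acl_before_db` can be re-run afterwards as a quick audit.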

Actions #1

Updated by Jonathan CLARKE over 8 years ago

  • Description updated (diff)
Actions #2

Updated by Jonathan CLARKE over 8 years ago

  • Status changed from In progress to Pending technical review
  • Assignee changed from Jonathan CLARKE to François ARMAND
  • Pull Request set to https://github.com/Normation/rudder-packages/pull/918
Actions #3

Updated by Jonathan CLARKE over 8 years ago

  • Status changed from Pending technical review to Pending release
  • % Done changed from 0 to 100
Actions #4

Updated by Vincent MEMBRÉ over 8 years ago

  • Status changed from Pending release to Released

This bug has been fixed in Rudder 2.11.21, 3.0.16, 3.1.10 and 3.2.3 which were released on 2016-06-01, but not announced.

Actions #5

Updated by Vincent MEMBRÉ over 5 years ago

  • Private changed from Yes to No
  • Priority set to 0