From: <ma...@mj...> - 2001-02-06 03:17:09
There was a presentation someone had at one time (sorry, can't remember the URL, but if you look at our FAQ or perhaps ldapguru.com or search on google you might turn it up). Here's a brief list that I remember:

1) LDAP runs on 389, which requires you to be root on UNIX to start (of course the server can switch to a different user after it starts, but you still must be root to start it).

2) Many operations (in particular under LDAP 2, or if you're not using operational controls under LDAP 3) require you to be the directory super-user (or people take the path of least resistance and just do everything as directory super-user, just like many people do everything as OS super-user). If you do this in a script, you probably put the password there as well. If someone sees the script, they now know the directory super-user password. Of course, even if you don't bind as directory super-user, the password for whomever you're binding as is still stored in the script.

3) Use of simple bind as authentication, in particular over non-encrypted networks (that's easy to fix, just run everything over SSL ;).

4) Directory dump (e.g. db2ldif) dumps the entire data out as plaintext (I guess you could do this to an encrypted filesystem or encrypt with PGP afterwards); this file can contain sensitive information.

5) Replication can occur over plaintext. Security policy (e.g. ACLs) is not guaranteed to be shared between systems (ACLs are not standardized).

Probably the biggest risk factor is number 2 (passwords stored in scripts). However, that's a risk not limited to LDAP; it goes for any script that is used to automate operations on a database.

Also, I didn't count in things that really aren't protocol specific, such as problems with server software (e.g. buffer overflows), attacks from the OS/network level, or simply leveraging people (or perhaps using the actual directory data to launch a social engineering attack against the organization. The latter is why I'm not for publicly publishing the directory).
I'd say LDAP isn't any more vulnerable than any other protocol, and that its benefits (in particular its potential use to improve the overall security of your organization) outweigh its security implications, but security is all about managing risk. How you manage that risk is what differentiates a secure organization from an insecure one. But then again, how well you manage risk overall is what separates a successful company from a failed company.

Mark

On 6 Feb 01, at 2:18, Chris Ridd wrote:

> "Lambright, Linda (N-Averstar)" <lin...@lm...> wrote:
> > Thought I should resend this with the right title
> >> ----------
> >> > From: Lambright, Linda (N-Averstar)[SMTP:lin...@lm...]
> >> > Sent: Monday, February 05, 2001 4:38 PM
> >> To: Tom Jordan; 'Mark Wilcox'
> >> Cc: per...@li...
> >> Subject: RE: dynamic groups
> >>
> >> I need to write an explanation of the "security risks of ldap". I have
> >> found it very difficult to find a good explanation of this anywhere and
> >> was wondering if anyone could point me at a good explanation.
> >>
> >> Thank you.
>
> You could make a start by looking at all the "Security Considerations"
> in the LDAP RFCs.
>
> They're probably what you'd expect of a system that stores sensitive
> personal information in a network database that is basically accessed
> in the clear. There is a standard mechanism (TLS) to encrypt the data
> in transit. There are no standards for pure-LDAP-only servers defining
> how to control access to the data, so that's an issue too.
>
> Cheers,
>
> Chris

Mark Wilcox
ma...@mj...
Got LDAP?