©Copyright 1999 Peter Shipley LDAP Security Peter Shipley Chief Security Architect pshipley@kpmg.com +1 650 404 3292
Dec 24, 2015

Transcript
Page 1: ©Copyright 1999 Peter Shipley LDAP Security Peter Shipley Chief Security Architect pshipley@kpmg.com +1 650 404 3292.

©Copyright 1999 Peter Shipley

LDAP Security

Peter Shipley, Chief Security Architect

pshipley@kpmg.com

+1 650 404 3292

Page 2: Outline

• What is an LDAP
• Why do we need LDAP
• What uses does it have
• What are the potential dangers
• Methods of attack

Page 3: What Is an LDAP

X.500 is a model for Directory Services in the OSI model. Its DAP (Directory Access Protocol) runs over the full OSI network protocol stack and is fairly "heavyweight".

Therefore the University of Michigan developed a "lightweight" version of DAP and called it LDAP.

Page 4: What Is an LDAP

A directory is essentially a database, but it tends to contain more descriptive, attribute-based information. The information in an LDAP directory tends to be read far more often than it is written, so LDAP has been designed to be read-optimized.

Page 5: What kind of information can be stored in the directory?

The LDAP directory service model is based on entries. An entry is a collection of attributes and has a name, called a DN (distinguished name).

Page 6: What kind of information can be stored in the directory?

The DN is used to refer to the entry unambiguously. Each of the entry's attributes has a type and one or more values. The types are typically mnemonic strings, like "cn" for common name or "mail" for email address. The values depend on the type of the attribute.

Page 7: What Operating Systems support it?

Since many of these packages come with source, it is really available under any operating system.

Page 8: What software is out there

• OpenLDAP
• UMICH's original LDAP server
• Netscape Directory Server
• Sun's LDAP server

and even Microsoft is jumping on the LDAP bandwagon with Win2000 and Active Directory

Page 9: What applications are there

Not only are there a lot of servers out there, there are also a lot of applications that are LDAP-enabled.

Being LDAP-enabled essentially means that the application is able to retrieve information via LDAP.

Page 10: What applications are there

Examples of LDAP-enabled applications would be:

• Netscape Messaging Server
• Netscape Calendar
• Sun's SIMS mail server
• sendmail (with ldapx extensions)

Page 11: What are people using LDAP for?

• Personal directory services
• Mail routing
• Login / password authentication
• PKI
• IP address distribution (linking with the DNS and DHCP protocols)

Page 12: What are people using LDAP for

Because of the push for centralization of information, don't be surprised if nearly every new network application that comes to market in the near future supports LDAP.

Page 13: What are people using LDAP for

Within companies like Intel and Motorola, which are based around X.500 and DAP, there is a big push for having DAP->LDAP gateways put in place and, ultimately, relying on LDAP for everything.

This includes HR records, badging systems, etc.

Page 14: What are the Dangers?

Eggs in one basket

New/Untested technology

Inexperienced administrators / contractors

History repeating itself (YP/NIS, DNS (v2), "Registry" services, etc.)

Page 15: What are the Dangers?

Because DAP is deployed in a lot of places, there are very insecure and poorly coded DAP->LDAP gateways out there.

Default permissions for LDAP are very insecure (ACLs, etc.).

A single "control all" Directory Manager user whose credentials, in all of the current APIs, are present in plain text. Very little work has been done on real authentication methods.

Page 16: What are the Dangers?

Code exploits are already being discovered and published.

DOS attacks are coming into use:
• Flooding the server with (simple) queries
• Flooding the server with (expensive) operations

The service is only as secure as the server it runs on.

Page 17: What are the Dangers?

Data Harvesting
• Spammers harvesting email addresses
• System crackers harvesting account names and passwords

Data Modification
• There are no automated data/content integrity auditing tools (yet)
• Commercial auditing products do not address LDAP (yet)
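The content auditing the slide says is still missing can be approximated with a small script. This added example (not code from the talk) parses a constructed LDIF export into the entry/DN/attribute model described earlier and flags what an anonymous harvesting pass would find: password attributes stored without a hash scheme prefix and the personal data the later survey slides list. The sample entries, the attribute names in `PASSWORD_ATTRS` and `SENSITIVE`, and the `parse_ldif`/`audit` functions are assumptions.

```python
import re

# Constructed sample export (not data from the talk); two entries.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
cn: Alice Example
mail: alice@example.com
homePhone: +1 555 0100
userPassword: {SSHA}c2FsdGVkLWhhc2gtcGxhY2Vob2xkZXI=

dn: uid=bob,ou=people,dc=example,dc=com
cn: Bob Example
mail: bob@example.com
mail: robert@example.com
userPassword: hunter2
"""

# Values with a scheme prefix are hashed; anything else is cleartext.
HASH_PREFIX = re.compile(r"^\{(SSHA|SHA|SMD5|MD5|CRYPT)\}", re.IGNORECASE)
PASSWORD_ATTRS = {"userpassword"}                              # assumed names
SENSITIVE = {"homephone", "postaladdress", "employeestatus"}  # from the survey slides

def parse_ldif(text):
    """Parse a minimal LDIF export into {dn: {attribute: [values]}} (no base64/continuations)."""
    entries = {}
    for block in text.strip().split("\n\n"):
        dn, attrs = None, {}
        for line in block.splitlines():
            name, _, value = line.partition(": ")
            if name.lower() == "dn":
                dn = value
            else:  # attribute types are case-insensitive; values may repeat
                attrs.setdefault(name.lower(), []).append(value)
        if dn:
            entries[dn] = attrs
    return entries

def audit(entries):
    """Return (dn, attribute, finding) tuples for cleartext passwords and readable personal data."""
    findings = []
    for dn, attrs in entries.items():
        for attr in sorted(PASSWORD_ATTRS & set(attrs)):
            if any(not HASH_PREFIX.match(v) for v in attrs[attr]):
                findings.append((dn, attr, "cleartext password"))
        for attr in sorted(SENSITIVE & set(attrs)):
            findings.append((dn, attr, "personal data readable"))
    return findings
```

Run it against an export produced by your own server's anonymous bind to see exactly what an outsider can read.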

Page 18: How one can locate an LDAP server

portscan:

nmap -P0 -p 636,389 192.168.0.0/24

Firewalling is the best protection, as is log monitoring.

Page 19: How one can locate an LDAP server

DNS:
• SRV records (RFC 2052)
• ldap.<domain>.com: companies seem to name servers after their purpose

A large number of sites are beginning to use RFC 2052.

Page 20: How one can locate an LDAP server

Referrals:
• URLs and X.500 server links

By doing a tree walk, a "bot" can search for and locate external referrals for later data harvesting.

Page 21: How Bad is it?

A random survey of LDAP-enabled sites on the Internet found that a relatively large number had sensitive information available via anonymous authentication.

Page 22: How Bad is it?

The same survey of LDAP-enabled sites on the Internet found that a relatively large number did not use SSL-secured connections, and thus used "simple passwords" as the primary authentication method.

Due to the high transaction speed of LDAP servers, one can attempt a dictionary attack at relatively high speed.
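The log monitoring recommended on the portscan slide is the defender's counterpart to these survey findings. This added example (not code from the talk) reads constructed log lines modelled on the OpenLDAP slapd connection log (`conn=`/`op=` records) and flags three things the talk describes: simple binds sent over the non-SSL listener, a burst of failed binds from one client that looks like the dictionary attack above, and a large search result returned over an anonymous bind. The sample lines, the regular expressions and `analyse` with its two thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed slapd-style log (not from the talk); 389 = cleartext listener, method=128 = simple bind, err=49 = bad password
SAMPLE_LOG = """\
conn=1000 fd=12 ACCEPT from IP=198.51.100.7:51234 (IP=0.0.0.0:389)
conn=1000 op=0 BIND dn="uid=alice,dc=example,dc=com" method=128
conn=1000 op=0 RESULT tag=97 err=49 text=
conn=1000 op=1 BIND dn="uid=alice,dc=example,dc=com" method=128
conn=1000 op=1 RESULT tag=97 err=49 text=
conn=1000 op=2 BIND dn="uid=alice,dc=example,dc=com" method=128
conn=1000 op=2 RESULT tag=97 err=49 text=
conn=1001 fd=13 ACCEPT from IP=203.0.113.9:40000 (IP=0.0.0.0:389)
conn=1001 op=0 BIND dn="" method=128
conn=1001 op=0 RESULT tag=97 err=0 text=
conn=1001 op=1 SEARCH RESULT tag=101 err=0 nentries=4200 text=
conn=1002 fd=14 ACCEPT from IP=192.0.2.5:44444 (IP=0.0.0.0:636)
conn=1002 op=0 BIND dn="cn=Directory Manager" method=128
conn=1002 op=0 RESULT tag=97 err=0 text=
"""
ACCEPT = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from IP=([\d.]+):\d+ \(IP=[\d.]+:(\d+)\)")
BIND = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=128')
RESULT = re.compile(r"conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)")
SEARCH = re.compile(r"conn=(\d+) op=\d+ SEARCH RESULT tag=101 err=0 nentries=(\d+)")

def analyse(log, fail_threshold=3, harvest_threshold=1000):
    """Return (finding, client ip, detail) tuples; the thresholds are assumed defaults."""
    conns, pending, anon, findings, failed = {}, {}, set(), [], defaultdict(int)
    for line in log.splitlines():
        if m := ACCEPT.match(line):
            conns[m[1]] = (m[2], m[3])            # conn -> (client ip, listener port)
        elif m := BIND.match(line):
            ip, port = conns[m[1]]
            pending[(m[1], m[2])] = m[3]          # bind dn awaiting its RESULT line
            key = ("cleartext simple bind", ip, m[3])
            if m[3] and port != "636" and key not in findings:
                findings.append(key)
        elif m := RESULT.match(line):
            dn, ip = pending.pop((m[1], m[2]), None), conns[m[1]][0]
            if m[3] == "49":
                failed[ip] += 1
                if failed[ip] == fail_threshold:  # burst of bad passwords from one client
                    findings.append(("dictionary attack suspected", ip, dn))
            elif dn == "":                        # successful anonymous bind
                anon.add(m[1])
        elif m := SEARCH.match(line):
            if m[1] in anon and int(m[2]) >= harvest_threshold:
                findings.append(("anonymous harvest", conns[m[1]][0], m[2]))
    return findings
```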

Page 23: How Bad is it?

Data found on such systems included email access passwords (cleartext), full usernames, semi-personal info such as office and home phone numbers, postal addresses and employee status, and encrypted login passwords.

This personal information led to the speedy cracking of most of the encrypted login passwords.

Page 24: What can be done

Use strong authentication.

Dedicate a server (don't bundle services).

Page 25: What can be done

LDAP generally comes with several authentication methods for securing data:
• Anonymous Authentication
• Simple Passwords
• SSL (with simple passwords)
• SSL (with certificate authentication)
• Kerberos

Page 26: Anonymous Authentication

This method of authentication refers to non-authenticated connections and is useful for making non-restricted data available (e.g. phone/office numbers, finger information, et al.).

Page 27: Simple Passwords

This authentication method relies on the use of simple clear-text passwords (similar to telnet).

This is considered the most insecure authentication method, yet it is also the most used.

Page 28: SSL (with simple passwords)

This authentication method relies on the use of simple passwords over a secured/encrypted link.

This is a more secure authentication method, but it is still simple to attack with brute-force methods.

Page 29: SSL (with certificate authentication)

This is one of the more secure methods since the user cryptographically authenticates themselves with a digital certificate.

The downside of this method is cost and scalability.

Page 30: Kerberos

Kerberos is also a certificate-based authentication scheme that provides scalability as well as cost effectiveness.

Kerberos can be the most complex to setup.

Page 31: Other References

"Understanding and Deploying LDAP Directory Services", Howes, Smith and Good, ISBN 1-57870-070-1

"LDAP Programming Directory-Enabled Applications with Lightweight Directory Access Protocol", Howes and Smith, ISBN 1-57870-000-0

Page 32: Other References

http://www.geek-girl.com/bugtraq (Bugtraq searchable archives)

RFC 2052 - “A DNS RR for specifying the location of services” - Paul Vixie

LDAP related RFCs 1777-1779 and 2251-2256

RFC 2222 - “Simple Authentication and Security Layer”

Page 33: LDAP Security

Peter Shipley, Chief Security Architect

pshipley@kpmg.com

+1 650 404 3292