Re: [389-users] attribute to works same as a sequence number

2015-03-12 Thread Andrey Ivanov
Hi,

The attribute "entryusn" may be what you want (
http://www.port389.org/docs/389ds/design/entry-usn.html)

Regards,

2015-03-11 17:20 GMT+01:00 ghiureai :

> Hi 389 List,
>
> we have a need to use an existing attribute (do not know which
> one: nspentrydn, nsbackendsufix) or create a new user-defined one which will
> act similar to a sequence number (integer values, incremental by 1, range of
> values known). I understand we cannot rely on nsUniqueId. Is there such an
> existing attribute in 389? It needs to be unique, LDAP generates values with
> gap 1, range of values can be controlled?
> Isabella
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users

Re: [389-users] GUI console and Kerberos

2015-03-12 Thread Paul Robert Marino
Ok so here is some progress
I manually added my user name and password in
/etc/dirsrv/admin-serv/admpw using the htpasswd command
if I put cn= I get ldap error 32: No such object in the
admin server error log
but if I just put my username in it finds the entry and I get a
different error ldap error 48: Inappropriate authentication
this is making me wonder if saslauthd may help

On Wed, Mar 11, 2015 at 2:34 PM, Paul Robert Marino  wrote:
> I know it will probably be a little more complex than that but I think
> it logically should be one of the steps.
> although it doesn't explain how "cn=Directory Manager" works
> but it makes a lot of sense when you see the 401 error from the login
> attempt it comes from the directory specified by
> "
> 
> SetHandler user-auth
> AuthUserFile /etc/dirsrv/admin-serv/admpw
> AuthType basic
> AuthName "Admin Server"
> Require valid-user
> Order allow,deny
> Allow from all
> 
> "
> in /etc/dirsrv/admin-serv/admserv.conf
>
>
>
>
> On Wed, Mar 11, 2015 at 2:13 PM, Rich Megginson  wrote:
>> On 03/11/2015 11:54 AM, Paul Robert Marino wrote:
>>>
>>> Hey everyone
>>> I have a question. I know at least once in the past I set up the admin
>>> console so it could utilize Kerberos passwords based on a howto I
>>> found once which after I changed jobs I could never find again.
>>>
>>> today I was looking for something else and I saw a mention on the site
>>> about httpd needing to be compiled with http auth support.
>>> well I did a little digging and I found this file
>>> /etc/dirsrv/admin-serv/admserv.conf
>>>
>>> in that file I found a lot of entries that look like this
>>> "
>>> 
>>>AuthUserFile /etc/dirsrv/admin-serv/admpw
>>>AuthType basic
>>>AuthName "Admin Server"
>>>Require valid-user
>>>AdminSDK on
>>>ADMCgiBinDir /usr/lib64/dirsrv/cgi-bin
>>>NESCompatEnv on
>>>Options +ExecCGI
>>>Order allow,deny
>>>Allow from all
>>> 
>>>
>>> "
>>> when I checked /etc/dirsrv/admin-serv/admpw sure enough I found the
>>> Password hash for the admin user.
>>>
>>> So my question is, before I waste time experimenting, could it possibly
>>> be as simple as changing the auth type to kerberos
>>> http://modauthkerb.sourceforge.net/configure.html
>>
>>
>> I don't know.  I don't think anyone has ever tried it.
>>
>>> keep in mind my Kerberos Servers do not use LDAP as the backend.
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users

Re: [389-users] GUI console and Kerberos

2015-03-12 Thread Rich Megginson

On 03/11/2015 11:54 AM, Paul Robert Marino wrote:

Hey everyone
I have a question. I know at least once in the past I set up the admin
console so it could utilize Kerberos passwords based on a howto I
found once which after I changed jobs I could never find again.

today I was looking for something else and I saw a mention on the site
about httpd needing to be compiled with http auth support.
well I did a little digging and I found this file
/etc/dirsrv/admin-serv/admserv.conf

in that file I found a lot of entries that look like this
"

   AuthUserFile /etc/dirsrv/admin-serv/admpw
   AuthType basic
   AuthName "Admin Server"
   Require valid-user
   AdminSDK on
   ADMCgiBinDir /usr/lib64/dirsrv/cgi-bin
   NESCompatEnv on
   Options +ExecCGI
   Order allow,deny
   Allow from all


"
when I checked /etc/dirsrv/admin-serv/admpw sure enough I found the
Password hash for the admin user.

So my question is, before I waste time experimenting, could it possibly
be as simple as changing the auth type to kerberos
http://modauthkerb.sourceforge.net/configure.html


I don't know.  I don't think anyone has ever tried it.


keep in mind my Kerberos Servers do not use LDAP as the backend.

--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users

Re: [389-users] LDAP allows null bases

2015-03-12 Thread Ludwig Krispenz


On 03/11/2015 03:04 PM, Rob Crittenden wrote:

Ludwig Krispenz wrote:

Hi,

in my opinion this is not a security issue, but a feature compliant to
the ldap rfcs. A server should expose a minimal set of information about
itself, eg supported controls, saslmechanisms, namingcontexts even to
anonymous users - and many applications rely on this.
If you really want to turn this off, you need to modify the aci for the
"dn:" entry

He might also want to look at nsslapd-allow-anonymous-access to disable
all anonymous access to the server. I agree that being able to read the
rootDSE probably isn't a big deal.

In RFC 4513 it explicitly states:

LDAP servers SHOULD allow all clients --
   even those with an anonymous authorization -- to retrieve the
   'supportedSASLMechanisms' attribute of the root DSE both before and
   after the SASL authentication exchange.  The purpose of the latter is
   to allow the client to detect possible downgrade attacks (see Section
   6.4 and [RFC4422], Section 6.1.2).




rob


Ludwig

On 03/11/2015 11:23 AM, Kay Cee wrote:

All clients connecting to our 389-ds server showed up this
vulnerability on the scan. How do I fix this on my 389-ds server?

LDAP allows null bases

Risk:High
Application:ldap
Port:389
Protocol:tcp
ScriptID:10722
Summary:
It is possible to disclose LDAP information.
Description :
Improperly configured LDAP servers will allow the directory BASE to be
set to NULL. This allows information to be culled without any prior
knowledge of the directory structure. Coupled with a NULL BIND, an
anonymous user can query your LDAP server using a tool such as
'LdapMiner'

Solution:
Disable NULL BASE queries on your LDAP server
CVSS Base Score : 5.0
Family name: Remote file access
Category: infos
Copyright: Copyright (C) 2000 John lampej_la...@bellsouth.net

Summary: Check for LDAP null base
Version: $Revision: 128 $





--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users

Re: [389-users] Review 389-ds install/upgrade procedures and requisites on http://directory.fedoraproject.org/docs/389ds/download.html

2015-03-12 Thread Robert Viduya
Ok, I'll look into upgrading.  It sounds like I need to stop paying attention 
to the 389 website and just stick to Redhat's site for release information.

On Mar 9, 2015, at 8:01 PM, Rich Megginson  wrote:

> On 03/09/2015 05:54 PM, Rich Megginson wrote:
>> On 03/09/2015 04:44 PM, Robert Viduya wrote:
>>> 
>>>> On Mar 9, 2015, at 5:30 PM, Noriko Hosoi  wrote:
>>>> 
>>>> Hello,
>>>> 
>>>> On 03/09/2015 02:18 PM, Robert Viduya wrote:
>>>>> I'm in the same boat.  We, as an enterprise, have standardized on RHEL6 
>>>>> as our OS, with RHEL7 only on the horizon.  Switching to either Fedora or 
>>>>> CentOS isn't an option.  But the only "official" 389 release for RHEL6 is 
>>>>> years old.
>>>>> 
>>>>> I reported a bug about a year ago, 47739, that's been fixed since 
>>>>> 1.2.11.26.  But only 1.2.11.15 is available for RHEL6.  So, yes, there's 
>>>>> at least one fix that we need that isn't available to us.  But really, 
>>>>> there's tons of bug fixes and features that have come out since then.  
>>>>> The longer we're held back, the harder it will be to get our user base to 
>>>>> adapt to all the new features once we do upgrade.
>>>> The fix for the ticket 47739 is included in 389-ds-base-1.2.11.15-32 and 
>>>> newer and released on October 13, 2014 for RHEL-6.6.
>>>> 
>>>> Sorry about missing the announcement.  Could it be possible to upgrade 
>>>> your RHEL6 bits to the latest 389-ds-base-1.2.11.15-50.el6?
>>>> 
>>> 
>>> Ok, so the EL6 dash releases have fixes for stuff that isn’t in the base 
>>> 1.2.11.15 release.  Is that detailed somewhere?  Yes, I can upgrade to -50, 
>>> but I and my managers would want to know what’s changed.
>> 
>> As a RHEL customer, you have access to the portal, so you can go to 
>> https://access.redhat.com/downloads/content/rhel---6/x86_64/168/389-ds-base/1.2.11.15-50.el6_6/x86_64/fd431d51/package
>>  and look at the changelog for the 389-ds-base package.  This has 
>> descriptions of the changes along with bugzilla bug number and sometimes 389 
>> trac ticket numbers.
>> 
>> There's probably some way to get a list of all errata for the 389-ds-base 
>> package in RHEL6, but I can't seem to find it.
> 
> Found it.  Unfortunately, it is not broken down by package.  But if you go to 
> this page and search for 389-ds-base you can find them.  The erratas have the 
> full documentation, bug/enhancement descriptions, and package versions.  
> https://rhn.redhat.com/errata/rhel-server-6-errata.html
> 
> For example, here is the latest errata released on March 5, 2015: 
> https://rhn.redhat.com/errata/RHSA-2015-0628.html
> 
>> 
>>> 
>>> 
>>> 

--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users

Re: [389-users] LDAP allows null bases

2015-03-12 Thread Rob Crittenden
Ludwig Krispenz wrote:
> Hi,
> 
> in my opinion this is not a security issue, but a feature compliant to
> the ldap rfcs. A server should expose a minimal set of information about
> itself, eg supported controls, saslmechanisms, namingcontexts even to
> anonymous users - and many applications rely on this.
> If you really want to turn this off, you need to modify the aci for the
> "dn:" entry

He might also want to look at nsslapd-allow-anonymous-access to disable
all anonymous access to the server. I agree that being able to read the
rootDSE probably isn't a big deal.

rob

> 
> Ludwig
> 
> On 03/11/2015 11:23 AM, Kay Cee wrote:
>> All clients connecting to our 389-ds server showed up this
>> vulnerability on the scan. How do I fix this on my 389-ds server? 
>>
>> LDAP allows null bases
>>
>> Risk:High
>> Application:ldap
>> Port:389
>> Protocol:tcp
>> ScriptID:10722
>> Summary:
>> It is possible to disclose LDAP information.
>> Description :
>> Improperly configured LDAP servers will allow the directory BASE to be
>> set to NULL. This allows information to be culled without any prior
>> knowledge of the directory structure. Coupled with a NULL BIND, an
>> anonymous user can query your LDAP server using a tool such as
>> 'LdapMiner' 
>>
>> Solution:
>> Disable NULL BASE queries on your LDAP server
>> CVSS Base Score : 5.0
>> Family name: Remote file access
>> Category: infos
>> Copyright: Copyright (C) 2000 John lampej_la...@bellsouth.net
>> 
>> Summary: Check for LDAP null base
>> Version: $Revision: 128 $
>>
>>
>>

--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
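A worked illustration of the two replies in the "LDAP allows null bases" thread (Ludwig's point that the root DSE is meant to be anonymously readable, with RFC 4513 requiring supportedSASLMechanisms to stay visible, and Rob's pointer to nsslapd-allow-anonymous-access). This is an added example, not code posted in the thread or shipped by 389 DS. It parses the LDIF an anonymous null-base search would return (the sample below is constructed), reports which root DSE attributes are exposed beyond the minimal set the replies describe, and emits the cn=config change for ldapmodify. The "rootdse" value is the documented 389 DS setting that keeps the root DSE readable while denying anonymous reads of the naming contexts; it is assumed here that the server version in use accepts it.

```python
"""Audit an anonymous root DSE read and build the cn=config change that
limits anonymous access. Added example; the LDIF sample is constructed."""

import base64
from typing import Dict, List

# Constructed sample: what an anonymous search with an empty (null) base
# and scope "base" might return, written as LDIF. It deliberately includes
# a folded line and a comment so the parser has to cope with both.
SAMPLE_ROOTDSE_LDIF = """\
# root DSE as seen by an anonymous client (constructed sample)
dn:
objectClass: top
namingContexts: dc=example,dc=com
namingContexts: o=netscaperoot
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 1.2.840.113556.1.4.
 319
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: DIGEST-MD5
supportedLDAPVersion: 2
supportedLDAPVersion: 3
vendorName: 389 Project
vendorVersion: 389-Directory/1.2.11.15
"""

# Attributes the replies (and RFC 4513 for supportedSASLMechanisms) expect
# anonymous clients to be able to read from the root DSE.
EXPECTED_ANONYMOUS_ROOTDSE = {
    "supportedsaslmechanisms",
    "supportedcontrol",
    "namingcontexts",
    "supportedldapversion",
}

# Values nsslapd-allow-anonymous-access accepts per the 389 DS docs.
ANON_ACCESS_MODES = ("on", "off", "rootdse")


def parse_ldif_entry(text: str) -> Dict[str, List[str]]:
    """Parse one LDIF entry into attribute name -> list of values.

    Folded lines (continuation lines start with one space) are joined,
    "attr:: <base64>" values are decoded, and attribute names are
    lower-cased because LDAP attribute names are case-insensitive."""
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entry: Dict[str, List[str]] = {}
    for line in unfolded:
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        entry.setdefault(name.strip().lower(), []).append(value)
    return entry


def audit_rootdse(entry: Dict[str, List[str]]) -> Dict[str, object]:
    """Summarise an anonymous root DSE read so the scanner finding can be
    judged: is this really the root DSE, is the RFC 4513 attribute still
    there, and what is exposed beyond the minimal set."""
    present = set(entry) - {"dn", "objectclass"}
    return {
        "is_rootdse": entry.get("dn") == [""],
        "missing_sasl_mechs": "supportedsaslmechanisms" not in present,
        "extra_attributes": sorted(present - EXPECTED_ANONYMOUS_ROOTDSE),
    }


def anonymous_access_ldif(mode: str) -> str:
    """LDIF for ldapmodify that sets nsslapd-allow-anonymous-access on
    cn=config. "rootdse" keeps the root DSE anonymously readable while
    denying other anonymous reads; "off" removes anonymous access entirely
    and breaks clients that probe the root DSE before binding."""
    if mode not in ANON_ACCESS_MODES:
        raise ValueError(f"mode must be one of {ANON_ACCESS_MODES}")
    return (
        "dn: cn=config\n"
        "changetype: modify\n"
        "replace: nsslapd-allow-anonymous-access\n"
        f"nsslapd-allow-anonymous-access: {mode}\n"
    )


if __name__ == "__main__":
    rootdse = parse_ldif_entry(SAMPLE_ROOTDSE_LDIF)
    print(audit_rootdse(rootdse))
    print(anonymous_access_ldif("rootdse"))
```

To apply the generated LDIF against a live server, feed it to ldapmodify bound as "cn=Directory Manager"; the audit output tells you beforehand whether anything beyond the naming contexts, controls and SASL mechanisms is being handed to anonymous clients, which is the question the scanner report leaves open.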