Package: openvpn-auth-ldap
Version: 2.0.3-1
Severity: normal
Hi,

I am using openLDAP with no anonymous access and TLS encryption. When openvpn-auth-ldap connects to the openLDAP server, it authenticates itself first and then uses STARTTLS to encrypt the connection. Because of this, openLDAP resets the connection to anonymous. This is a security hole which needs to be fixed. This problem is explained on the author's page: http://code.google.com/p/openvpn-auth-ldap

I fixed this problem in my source (explained in German on my blog http://h4des.org/blog/index.php?/archives/299-bugfix-openvpn-auth-ldap-Verschluesselung-bevor-Authentifizierung.html ) and tested it. In the file src/auth-ldap.m of the source you just need to replace the function connect_ldap() with this one:

LFLDAPConnection *connect_ldap(LFAuthLDAPConfig *config) {
    LFLDAPConnection *ldap;
    LFString *value;

    /* Initialize our LDAP Connection */
    ldap = [[LFLDAPConnection alloc] initWithURL: [config url] timeout: [config timeout]];
    if (!ldap) {
        [TRLog error: "Unable to open LDAP connection to %s\n", [[config url] cString]];
        return nil;
    }

    /* Referrals */
    if ([config referralEnabled]) {
        if (![ldap setReferralEnabled: YES])
            goto error;
    } else {
        if (![ldap setReferralEnabled: NO])
            goto error;
    }

    /* Certificate file */
    if ((value = [config tlsCACertFile]))
        if (![ldap setTLSCACertFile: value])
            goto error;

    /* Certificate directory */
    if ((value = [config tlsCACertDir]))
        if (![ldap setTLSCACertDir: value])
            goto error;

    /* Client Certificate Pair */
    if ([config tlsCertFile] && [config tlsKeyFile])
        if (![ldap setTLSClientCert: [config tlsCertFile] keyFile: [config tlsKeyFile]])
            goto error;

    /* Cipher suite */
    if ((value = [config tlsCipherSuite]))
        if (![ldap setTLSCipherSuite: value])
            goto error;

    /* Start TLS first, so the bind below travels over the encrypted
     * connection and is not reset to anonymous by StartTLS afterwards */
    if ([config tlsEnabled])
        if (![ldap startTLS])
            goto error;

    /* Bind if requested */
    if ([config bindDN]) {
        if (![ldap bindWithDN: [config bindDN] password: [config bindPassword]]) {
            [TRLog error: "Unable to bind as %s", [[config bindDN] cString]];
            goto error;
        }
    }

    return ldap;

error:
    [ldap release];
    return nil;
}

The only difference from the original function is that this one first uses STARTTLS and then sends the bind request. I hope this helps you to fix this problem in the package.

Regards
sqall

-- System Information:
Debian Release: 6.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
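The ordering problem described in this report, modelled as an added example (not code from openvpn-auth-ldap or OpenLDAP): a constructed stand-in for a slapd session that, like OpenLDAP, drops the bound identity back to anonymous when StartTLS completes, so the two call orders can be compared without a live directory. The DN and password are constructed sample values.

```python
"""Model of the bind/StartTLS ordering bug from the report above (constructed example)."""
from dataclasses import dataclass, field

ANONYMOUS = ""


@dataclass
class ModelLdapSession:
    """Constructed stand-in for one slapd session; not OpenLDAP or openvpn-auth-ldap code."""
    tls_active: bool = False
    authz_dn: str = ANONYMOUS                 # identity the server currently honours
    cleartext_binds: list = field(default_factory=list)

    def simple_bind(self, dn: str, password: str) -> None:
        if not self.tls_active:
            # The credentials crossed the wire before encryption was negotiated.
            self.cleartext_binds.append(dn)
        self.authz_dn = dn

    def start_tls(self) -> None:
        # Like slapd: negotiating TLS discards any prior authentication,
        # so the association is anonymous again until the client re-binds.
        self.tls_active = True
        self.authz_dn = ANONYMOUS


def connect_bind_then_tls(session, bind_dn, password):
    """Order used by the shipped connect_ldap(): bind first, then StartTLS."""
    session.simple_bind(bind_dn, password)
    session.start_tls()
    return session


def connect_tls_then_bind(session, bind_dn, password):
    """Order in the fixed connect_ldap(): StartTLS first, then bind."""
    session.start_tls()
    session.simple_bind(bind_dn, password)
    return session


def summarize(session) -> dict:
    """Final server-side view of the session, for comparison and testing."""
    return {"tls": session.tls_active, "authz_dn": session.authz_dn,
            "cleartext_binds": list(session.cleartext_binds)}


if __name__ == "__main__":
    dn, pw = "cn=openvpn,dc=example,dc=org", "secret"   # constructed sample values
    print("shipped order:", summarize(connect_bind_then_tls(ModelLdapSession(), dn, pw)))
    print("fixed order:  ", summarize(connect_tls_then_bind(ModelLdapSession(), dn, pw)))
```

With the shipped order the session ends encrypted but anonymous and the bind DN appears in the cleartext list; with the fixed order it ends encrypted and bound as the configured DN.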