安全协议>> tls-bug-demo>> 返回
项目作者: derTobsch

项目描述 :
Demo project for the spring ldap issue https://github.com/spring-projects/spring-ldap/issues/430
高级语言: Shell
项目地址: git://github.com/derTobsch/tls-bug-demo.git
创建时间: 2017-01-20T16:20:14Z
项目社区:https://github.com/derTobsch/tls-bug-demo
开源协议:
下载


Demo Project to reproduce spring ldap issue #430

Issue: https://github.com/spring-projects/spring-ldap/issues/430
Merge Request: https://github.com/spring-projects/spring-ldap/pull/432

Big Thanks to https://github.com/zivis

What causes the bug

  • Groupsearch is used
  • Anonymous bind is allowed and can search through the directory tree
  • DefaultTlsDirContextAuthenticationStrategy is used for starttls

With DefaultTlsDirContextAuthenticationStrategy

Start a TLS connection and a lookup if the user cn=user is available.

  1. 588241ed conn=1011 fd=16 ACCEPT from IP=172.17.0.1:44150 (IP=0.0.0.0:389)
  2. 588241ed conn=1011 op=0 EXT oid=1.3.6.1.4.1.1466.20037
  3. 588241ed conn=1011 op=0 STARTTLS
  4. 588241ed conn=1011 op=0 RESULT oid= err=0 text=
  5. TLS: gnutls_certificate_verify_peers2 failed -49
  6. 588241ed conn=1011 fd=16 TLS established tls_ssf=128 ssf=128
  7. 588241ed conn=1011 op=1 BIND dn="" method=128
  8. 588241ed conn=1011 op=1 RESULT tag=97 err=0 text=
  9. 588241ed conn=1011 op=2 SRCH base="ou=People,dc=example,dc=org" scope=2 deref=3 filter="(cn=user)"
  10. 588241ed <= bdb_equality_candidates: (cn) not indexed
  11. 588241ed conn=1011 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
  12. 588241ee conn=1011 op=3 UNBIND
  13. 588241ee conn=1011 fd=16 closed

Empty dn=”” in 588241ee conn=1013 op=1 BIND dn="" method=128 forces an anonymous bind and allows the user the access with any password given

  1. 588241ee conn=1012 fd=16 ACCEPT from IP=172.17.0.1:44158 (IP=0.0.0.0:389)
  2. 588241ee conn=1012 op=0 EXT oid=1.3.6.1.4.1.1466.20037
  3. 588241ee conn=1012 op=0 STARTTLS
  4. 588241ee conn=1012 op=0 RESULT oid= err=0 text=
  5. TLS: gnutls_certificate_verify_peers2 failed -49
  6. 588241ee conn=1012 fd=16 TLS established tls_ssf=128 ssf=128
  7. 588241ee conn=1012 fd=16 closed (connection lost)
  8. 588241ee conn=1013 fd=16 ACCEPT from IP=172.17.0.1:44162 (IP=0.0.0.0:389)
  9. 588241ee conn=1013 op=0 EXT oid=1.3.6.1.4.1.1466.20037
  10. 588241ee conn=1013 op=0 STARTTLS
  11. 588241ee conn=1013 op=0 RESULT oid= err=0 text=
  12. TLS: gnutls_certificate_verify_peers2 failed -49
  13. 588241ee conn=1013 fd=16 TLS established tls_ssf=128 ssf=128
  14. 588241ee conn=1013 op=1 BIND dn="" method=128
  15. 588241ee conn=1013 op=1 RESULT tag=97 err=0 text=
  16. 588241ee conn=1013 op=2 SRCH base="ou=Groups,dc=example,dc=org" scope=1 deref=3 filter="(member=cn=user,ou=people,dc=example,dc=org)"
  17. 588241ee conn=1013 op=2 SRCH attr=cn objectClass javaSerializedData javaClassName javaFactory javaCodeBase javaReferenceAddress javaClassNames javaRemoteLocation
  18. 588241ee <= bdb_equality_candidates: (member) not indexed
  19. 588241ee conn=1013 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
  20. 588241ee conn=1013 op=3 UNBIND
  21. 588241ee conn=1013 fd=16 closed

With FixDefaultTlsDirContextAuthenticationStrategy

Start a TLS connection and a lookup if the user cn=user is available.

  1. 58824372 conn=1014 fd=16 ACCEPT from IP=172.17.0.1:44276 (IP=0.0.0.0:389)
  2. 58824372 conn=1014 op=0 EXT oid=1.3.6.1.4.1.1466.20037
  3. 58824372 conn=1014 op=0 STARTTLS
  4. 58824372 conn=1014 op=0 RESULT oid= err=0 text=
  5. TLS: gnutls_certificate_verify_peers2 failed -49
  6. 58824373 conn=1014 fd=16 TLS established tls_ssf=128 ssf=128
  7. 58824373 conn=1014 op=1 BIND dn="" method=128
  8. 58824373 conn=1014 op=1 RESULT tag=97 err=0 text=
  9. 58824373 conn=1014 op=2 SRCH base="ou=People,dc=example,dc=org" scope=2 deref=3 filter="(cn=user)"
  10. 58824373 <= bdb_equality_candidates: (cn) not indexed
  11. 58824373 conn=1014 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
  12. 58824373 conn=1014 op=3 UNBIND
  13. 58824373 conn=1014 fd=16 closed

Here happens a bind with user credentials in 58824373 conn=1015 op=1 BIND dn="cn=user,ou=People,dc=example,dc=org" method=128 which is the actual authentication and the user with wrong credentials can not log in

  1. 58824373 conn=1015 fd=16 ACCEPT from IP=172.17.0.1:44280 (IP=0.0.0.0:389)
  2. 58824373 conn=1015 op=0 EXT oid=1.3.6.1.4.1.1466.20037
  3. 58824373 conn=1015 op=0 STARTTLS
  4. 58824373 conn=1015 op=0 RESULT oid= err=0 text=
  5. TLS: gnutls_certificate_verify_peers2 failed -49
  6. 58824373 conn=1015 fd=16 TLS established tls_ssf=128 ssf=128
  7. 58824373 conn=1015 op=1 BIND dn="cn=user,ou=People,dc=example,dc=org" method=128
  8. 58824373 conn=1015 op=1 RESULT tag=97 err=49 text=
  9. 58824373 conn=1015 fd=16 closed (connection lost)

To Reproduce

  1. Import the ssl ca certificate used within the ldap docker container to your java keystore 
  1. sudo keytool -import -alias caopenldapdocker -file docker/certs/ca.crt -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit -trustcacerts
  1. Go into the docker/ directory and build the docker image with the name openldap
  1. docker build -t openldap .
  1. Start the docker container with the hostname ldap.example.org and add 127.0.0.2 ldap.example.org into your /etc/hosts
  1. docker run --hostname ldap.example.org --rm --name my-openldap-container -p 389:389 openldap
  1. Import the provided anonymous-bind.ldif into ldap
  1. docker exec my-openldap-container ldapadd -Y EXTERNAL -H ldapi:/// -f /container/service/slapd/assets/anonymous-bind.ldif
  1. Import the provided data-roles.ldif into ldap 
  1. docker exec my-openldap-container ldapadd -x -D "cn=admin,dc=example,dc=org" -w admin -f /container/service/slapd/assets/data-roles.ldif -h ldap.example.org -ZZ
  1. Import the provided data-people.ldif into ldap. This will provide a user with user/user to login into the application
  1. docker exec my-openldap-container ldapadd -x -D "cn=admin,dc=example,dc=org" -w admin -f /container/service/slapd/assets/data-people.ldif -h ldap.example.org -ZZ
  1. Use the DefaultTlsDirContextAuthenticationStrategy to login with the username user and every password you want to use in the src/main/java/org/tobsch/AuthenticationManagerConfiguration.java. It is activated by default in the demo project.
  1. If you want to check the solution provided in https://github.com/spring-projects/spring-ldap/pull/432 just use the FixDefaultTlsDirContextAuthenticationStrategy in AuthenticationManagerConfiguration.
Additional

You can query the ldap database with

  1. docker exec my-openldap-container ldapsearch -x -h localhost -b dc=example,dc=org -D "cn=admin,dc=example,dc=org" -w admin