Univention Bugzilla – Bug 43425
Disable simple_bind over unencrypted ldap://$HOST:[7]389
Last modified: 2021-12-21 14:36:09 CET
OpenLDAP still accepts Simple-BIND over unencrypted ldap://$HOST:[7]389 connections:

    ldapwhoami -H ldaps://$(hostname -f):7636 -D uid=Administrator,cn=users,$(ucr get ldap/base) -w univention
    # OKAY
    ldapwhoami -H ldap://$(hostname -f):7389 -D uid=Administrator,cn=users,$(ucr get ldap/base) -w univention
    # NOT OKAY
    ldapwhoami -H ldap://$(hostname -f):7389 -Z -D uid=Administrator,cn=users,$(ucr get ldap/base) -w univention
    # OKAY
    kinit Administrator
    ldapwhoami -H ldap://$(hostname -f):7389 -Y GSSAPI
    # OKAY

    NAME='disable-unencrypted-simple-bind'
    DIR='/etc/univention/templates'
    CONF='/etc/ldap/slapd.conf'
    SUB="${CONF#/}.d/35${NAME}"
    INFO="${DIR}/info/${NAME}.info"
    printf "security simple_bind=56\n\n" >"${DIR}/files/${SUB}"
    printf "Type: subfile\nMultifile: ${CONF#/}\nSubfile: ${SUB#/}\n" >"$INFO"
    ucr register "${NAME}"
    service slapd restart
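As an added illustration (not code from the bug report, UCS or OpenLDAP), a small Python model of how slapd evaluates the `security` directive proposed above against the four ldapwhoami cases; the TLS strength of 256 for an AES-256 session and the SASL strength of 56 for GSSAPI are assumed values, and `transport`/ldapi and the update factors are left out.

```python
"""Simplified model of slapd.conf(5) 'security <factors>' evaluation.

Constructed example; it mirrors the documented rules, not slapd's code.
SSF 0 means cleartext; a higher SSF means a stronger protection layer.
"""

FACTOR_KEYS = ("ssf", "transport", "tls", "sasl", "simple_bind")


def parse_security(directive: str) -> dict:
    """Parse 'security simple_bind=56 ssf=1' into {'simple_bind': 56, 'ssf': 1}."""
    tokens = directive.split()
    if not tokens or tokens[0] != "security":
        raise ValueError("not a security directive")
    factors = {}
    for tok in tokens[1:]:
        key, sep, val = tok.partition("=")
        if not sep or key not in FACTOR_KEYS or not val.isdigit():
            raise ValueError(f"unsupported factor {tok!r}")
        factors[key] = int(val)
    return factors


def bind_allowed(factors: dict, mechanism: str, tls_ssf: int = 0, sasl_ssf: int = 0) -> bool:
    """Decide whether a bind passes the configured minimum strength factors.

    mechanism: 'simple' or a SASL mechanism name such as 'GSSAPI'.
    tls_ssf:   strength of ldaps:// or STARTTLS on the connection (0 = none).
    sasl_ssf:  strength of a SASL layer already negotiated on the connection.
    """
    effective = max(tls_ssf, sasl_ssf)      # slapd's per-connection SSF
    if effective < factors.get("ssf", 0):   # overall minimum for any operation
        return False
    if tls_ssf < factors.get("tls", 0):     # minimum that must come from TLS
        return False
    if mechanism != "simple" and sasl_ssf < factors.get("sasl", 0):
        return False
    # simple_bind applies only to simple (DN + password) binds, so a GSSAPI
    # bind over cleartext LDAP is unaffected, matching the report's last case.
    if mechanism == "simple" and effective < factors.get("simple_bind", 0):
        return False
    return True


if __name__ == "__main__":
    sec = parse_security("security simple_bind=56")
    print("ldaps simple bind   :", bind_allowed(sec, "simple", tls_ssf=256))
    print("ldap simple bind    :", bind_allowed(sec, "simple"))
    print("ldap+STARTTLS simple:", bind_allowed(sec, "simple", tls_ssf=256))
    print("ldap GSSAPI bind    :", bind_allowed(sec, "GSSAPI", sasl_ssf=56))
```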
There is no option for /etc/ldap/ldap.conf to enable STARTTLS by default; you always have to specify "-ZZ" on the command line.
This issue has been filed against UCS 4.2. UCS 4.2 is out of maintenance and many UCS components have changed in later releases. Thus, this issue is now being closed. If this issue still occurs in newer UCS versions, please use "Clone this bug" or reopen it and update the UCS version. In this case please provide detailed information on how this issue is affecting you.
UCS still does have this vulnerability!