Bug 29482 - Berechtigungen via GSSAPI
Berechtigungen via GSSAPI
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: LDAP
UCS 3.1
Other Linux
: P5 normal (vote)
: UCS 4.1
Assigned To: Florian Best
Arvid Requate
: interim-1
Depends on:
Blocks: 46862 8568 25830 39877
  Show dependency treegraph
 
Reported: 2012-11-30 09:46 CET by Stefan Gohmann
Modified: 2018-04-21 08:03 CEST (History)
3 users (show)

See Also:
What kind of report is it?: ---
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Attachments
Fix GSSAPI for slapd (2.41 KB, patch)
2013-10-25 17:23 CEST, Philipp Hahn
Details | Diff
patch (2.61 KB, patch)
2015-08-21 15:48 CEST, Florian Best
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Stefan Gohmann univentionstaff 2012-11-30 09:46:47 CET
Mit einem Kerberos Ticket als Administrator kann ich auf einem 3.0 / 3.1 System nicht als Administrator am LDAP Operationen durchführen:

Administrator@master411:~$ kinit Administrator
Administrator@DEADLOCK41.LOCAL's Password: 
Administrator@master411:~$ ldapadd -Y GSSAPI -f x
SASL/GSSAPI authentication started
SASL username: Administrator@DEADLOCK41.LOCAL
SASL SSF: 56
SASL data security layer installed.
adding new entry "cn=users2,dc=deadlock41,dc=local"
ldap_add: Insufficient access (50)
        additional info: no write access to parent

Administrator@master411:~$ ldapsearch -Y GSSAPI uid=Administrator -LLL uid userPassword
SASL/GSSAPI authentication started
SASL username: Administrator@DEADLOCK41.LOCAL
SASL SSF: 56
SASL data security layer installed.
dn: uid=Administrator,cn=users,dc=deadlock41,dc=local
uid: Administrator

Administrator@master411:~$
Comment 1 Philipp Hahn univentionstaff 2013-10-25 17:01:59 CEST
This was broken by disabling anonymous bind:

# man slapd.conf
> Note that this search is subject to access controls. Specifically, the
> authentication identity must have "auth" access in the subject.

# man slapd.access
> Some internal operations and some controls require specific access
> privileges. The authzID mapping and the proxyAuthz control require auth (=x)
> privileges on all the attributes that are present in the search filter of the
> URI regexp maps (the right-hand side of the authz-regexp directives). Auth
> (=x) privileges are also required on the authzTo attribute of the authorizing
> identity and/or on the authzFrom attribute of the authorized identity. In
> general, when an internal lookup is performed for authentication or autho‐
> rization purposes, search-specific privileges (see the access requirements
> for the search operation illus‐ trated above) are relaxed to auth.

# kinit Administrator
# ldapwhoami 2>/dev/null
dn:uid=administrator,cn=gssapi,cn=auth

# sed -i 's/sasl-regexp/authz-regexp/' /etc/univention/templates/files/etc/ldap/slapd.conf.d/60univention-ldap-server_acl-master
# echo "  by anonymous auth" >>/etc/univention/templates/files/etc/ldap/slapd.conf.d/70univention-ldap-server_acl-master-end
# ucr commit /etc/ldap/slapd.conf
# /etc/init.d/slapd restart
# ldapwhoami 2>/dev/null
dn:uid=administrator,cn=users,dc=phahn,dc=dev

# ldapadd -Y GSSAPI <<__LDIF__
> dn: ou=test,dc=phahn,dc=dev
> objectClass: organizationalUnit
> ou: test
> __LDIF__
adding new entry "ou=test,dc=phahn,dc=dev"


Also see Bug #20051 comment 5
Comment 2 Philipp Hahn univentionstaff 2013-10-25 17:23:44 CEST
Created attachment 5534 [details]
Fix GSSAPI for slapd
Comment 3 Philipp Hahn univentionstaff 2013-10-25 18:35:17 CEST
It would be nice to restrict the "auth" access to something like »by dn.subtree="cn=gssapi,cn=auth" auth«, but it doesn't seem to work in my tests. It always fails for (with "loglevel acl" enabled):
  => acl_mask: access to entry "dc=phahn,dc=dev", attr "entry" requested

Alternativle the following rule should be added right before "access to *":

access to dn.subtree="dc=phahn,dc=dev" attr=entry,uid
   by anonymous auth


For quick testing:
# /etc/init.d/slapd stop
# echo "URI ldap://localhost:7390" >~/ldaprc
# /usr/sbin/slapd -h ldap://:7390/ -d acl & pid=$! ; sleep 1 ; ldapwhoami ; kill $pid ; wait
Comment 4 Florian Best univentionstaff 2015-08-21 15:48:12 CEST
Created attachment 7127 [details]
patch

Here is a new patch. I could not add an entry with slapadd like in comment #0 so I don't apply this patch now (It seems to still work everything).
Comment 5 Florian Best univentionstaff 2015-09-01 14:01:13 CEST
This is required for SAML authentication to work, too.
Comment 6 Florian Best univentionstaff 2015-09-01 14:44:26 CEST
univention-ldap (12.1.1-1):
r63371 | Bug #29482: fix permissions for SASL bind via kerberos (GSSAPI) and SAML
Comment 7 Arvid Requate univentionstaff 2015-09-14 14:49:39 CEST
From https://tools.ietf.org/html/rfc2255 I assume that you should URL-encode the LDAP-URLs, e.g. to encode base DNs containing spaces.
Comment 8 Philipp Hahn univentionstaff 2015-09-14 15:03:46 CEST
(In reply to Arvid Requate from comment #7)
> From https://tools.ietf.org/html/rfc2255 I assume that you should URL-encode
> the LDAP-URLs, e.g. to encode base DNs containing spaces.

ldap_base is not properly encoded in *any* of the /etc/univention/templates/files/etc/ldap/slapd.conf.d/* files, so currently you're doomed if you want to use LDAP-URL special characters.
AFAIK a new bug should be filed to fix that mess, but don't misuse this bug.
Comment 9 Florian Best univentionstaff 2015-09-15 08:54:02 CEST
(In reply to Philipp Hahn from comment #8)
> (In reply to Arvid Requate from comment #7)
> > From https://tools.ietf.org/html/rfc2255 I assume that you should URL-encode
> > the LDAP-URLs, e.g. to encode base DNs containing spaces.
> 
> ldap_base is not properly encoded in *any* of the
> /etc/univention/templates/files/etc/ldap/slapd.conf.d/* files, so currently
> you're doomed if you want to use LDAP-URL special characters.
> AFAIK a new bug should be filed to fix that mess, but don't misuse this bug.Bug #39345
Comment 10 Arvid Requate univentionstaff 2015-09-30 20:37:32 CEST
Ok works. The "by * +0 break" is nice. Not very intuitive though ;-)

Changelog is ok too.
Comment 11 Stefan Gohmann univentionstaff 2015-11-17 12:12:24 CET
UCS 4.1 has been released:
 https://docs.software-univention.de/release-notes-4.1-0-en.html
 https://docs.software-univention.de/release-notes-4.1-0-de.html

If this error occurs again, please use "Clone This Bug".