Univention Bugzilla – Bug 43459
Make bind9 LDAP queries use TLS
Last modified: 2019-05-13 09:24:50 CEST
When using LDAP backend for DNS, the zone configurations talk unencrypted to LDAP. Some contributing points: * the x-tls option is not mandatory, so Bind does not try STARTTLS * Setting ldap/server/port to 7636 does not help because there's currently no variable to set the protocol ('ldap://' hardwired in the listener script) * changing x-tls to !x-tls (critical extension) throws a Bind error 'URL: unknown critical extension' I'd propose to make the listener script generate an ldaps:// URI when the port is set to 7636. Or somebody knows how to make the URL in zone files look like to force it into using STARTTLS? Note the problem is not critical as long as Bind talks to the local LDAP instance. But given the possibility to install Bind on all server roles there would be the chance for machine credentials to be revealed.
The UDL module "services/univention-bind/bind.py" always adds "x-tls" to the URI. This triggers "bind9-ldap/ldapdb.c:168" to call ldap_start_tls_s(), but it does NOT check the return value for errors - so the connection remains unencrypted. There also is no CA/CRL checking as none of the LDAP_OPT_X_TLS_* options are set, so BIND will connect to ANY server which at least provides a (random) certificate. To re-produce this, disable TLS in slapd and trigger a BIND reload; this will hapil sed -i -e '/^TLS/s/^/#/' /etc/ldap/slapd.conf serivce slapd restart tcpdump -i lo 'tcp port 7389' -s 65535 -w /tmp/pcap & rndc -p 55555 reload `dnsdomainname` This will show that BIND9 sends the bind credentials unencrypted.
Created attachment 8781 [details] Assert encrypted connection Similar to ldaptools -ZZ
By default univention-bind is only installed on UCS roles running OpenLDAP, so the connection is to localhost - on my test system <ldap://127.0.0.1/> is used which is the default in "/usr/lib/univention-directory-listener/system/bind.py" unless UCRV "bind/ldap/server/ip" is explicitly set to some other value - by default this is unset. (But using an IP address breaks checking the hostname of the certificate) So this issue is only for systems where the package univention-bind is manually installed on a Member Server.