=head1 NAME

Net::LDAP::Security - Security issues with LDAP connections

=head1 SYNOPSIS

none

=head1 DESCRIPTION

This document discusses various security issues relating to using LDAP
and connecting to LDAP servers, notably how to manage these potential
vulnerabilities:

=over 4

=item *

do you know that you are connected to the right server

=item *

can someone sniff your passwords/userids from the directory connection

=item *

can someone sniff other confidential information from the directory
connection

=back

B<Net::LDAP> provides ways to address these vulnerabilities: through the
use of LDAPS, or LDAPv3 and TLS, and/or the use of SASL. Each of these
will be explained below.

=head2 How does an LDAP connection work

A normal LDAPv2 or LDAPv3 connection works by the client connecting
directly to port 389 (by default), and then issuing various LDAP
requests like search, add, etc.

There is no way to guarantee that an LDAP client is connected to the
right LDAP server. Hackers could have poisoned your DNS, so
'ldap.example.com' could be made to point to 'ldap.hacker.com'. Or
they could have installed their own server on the correct machine.

It is in the nature of the LDAP protocol that all information goes
between the client and the server in 'plain text'. This is a term used
by cryptographers to describe unencrypted and recoverable data, so
even though LDAP can transfer binary values like JPEG photographs,
audio clips and X.509 certificates, everything is still considered
'plain text'.

If these vulnerabilities are an issue to you, then you should consider the
other possibilities described below, namely LDAPS, LDAPv3 and TLS, and
SASL.

=head2 How does an LDAPS connection work

LDAPS is an unofficial protocol.
It is to LDAP what HTTPS is to HTTP,
namely the exact same protocol (but in this case LDAPv2 or LDAPv3)
running over a I<secured> SSL ("Secure Socket Layer") connection to
port 636 (by default).

Not all servers will be configured to listen for LDAPS connections,
but if they do, it will commonly be on a different port from the normal
plain text LDAP port.

Using LDAPS can I<potentially> solve the vulnerabilities described
above, but you should be aware that simply "using" SSL is not a magic
bullet that automatically makes your system "secure".

First of all, LDAPS can solve the problem of verifying that you are
connected to the correct server. When the client and server connect,
they perform a special SSL 'handshake', part of which involves the
server and client exchanging cryptographic keys, which are described
using X.509 certificates. If the client wishes to confirm that it is
connected to the correct server, all it needs to do is verify the
server's certificate which is sent in the handshake. This is done in
two ways:

=over 4

=item 1

check that the certificate is signed (trusted) by someone that you
trust, and that the certificate hasn't been revoked. For instance, the
server's certificate may have been signed by Verisign
(www.verisign.com), and you decide that you want to trust Verisign to
sign legitimate certificates.

=item 2

check that the least-significant cn RDN in the server's certificate's
DN is the fully-qualified hostname of the hostname that you connected
to when creating the LDAPS object. For example if the server is
E<lt>cn=ldap.example.com,ou=My department,o=My companyE<gt>, then the
RDN to check is cn=ldap.example.com.

=back

You can do this by using the cafile and capath options when creating a
B<Net::LDAPS> object, I<and> by setting the verify option to 'require'.

To prevent hackers 'sniffing' passwords and other information on your
connection, you also have to make sure the encryption algorithm used
by the SSL connection is good enough. This is also something that gets
decided by the SSL handshake - if the client and server cannot agree
on an acceptable algorithm the connection is not made.

B<Net::LDAPS> will by default use all the algorithms built into your copy
of OpenSSL, except for ones considered to use "low" strength
encryption, and those using export strength encryption. You can
override this when you create the B<Net::LDAPS> object using the
'ciphers' option.

Once you've made the secure connection, you should also check that the
encryption algorithm that is actually being used is one that you find
acceptable. Broken servers have been observed in the field which 'fail
over' and give you an unencrypted connection, so you ought to check
for that.

=head2 How do LDAP and TLS work

SSL is a good solution to many network security problems, but it is
not a standard. The IETF corrected some defects in the SSL mechanism
and published a standard called RFC 2246 which describes TLS
("Transport Layer Security"), which is simply a cleaned up and
standardized version of SSL.

You can only use TLS with an LDAPv3 server. That is because the
standard (RFC 2830) for LDAP and TLS requires that the I<normal> LDAP
connection (i.e., on port 389) can be switched on demand from plain text
into a TLS connection. The switching mechanism uses a special extended
LDAP operation, and since these are not legal in LDAPv2, you can only
switch to TLS on an LDAPv3 connection.

So the way you use TLS with LDAPv3 is that you create your normal
LDAPv3 connection using C<Net::LDAP::new()>, and then you perform the
switch using C<Net::LDAP::start_tls()>.
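The two connection styles described in the LDAPS and TLS sections above, together with the post-handshake checks the LDAPS section asks for (certificate CN against the hostname, and the cipher actually negotiated), as one added example. This is not code from Net::LDAP::Security or from the perl-ldap distribution; the hostname, CA file path and the list of acceptable cipher names are placeholders you would replace with your own.

```perl
#!/usr/bin/perl
# Added example (not part of Net::LDAP::Security or perl-ldap): open a
# verified LDAPS connection, or an LDAPv3 connection upgraded with
# start_tls(), and refuse to use either unless the server certificate
# and the negotiated cipher pass the checks described in the text.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAPS;

# Placeholders (assumptions): your directory host, the CA bundle that
# signed its certificate, and the cipher names you are willing to accept.
my $HOST   = 'ldap.example.com';
my $CAFILE = '/etc/ssl/certs/my-ca.pem';
my %OK_CIPHER = map { $_ => 1 } qw(
    ECDHE-RSA-AES256-GCM-SHA384
    ECDHE-RSA-AES128-GCM-SHA256
    AES256-SHA
);
# OpenSSL cipher list string: rule out anonymous, null, export and
# "low" suites (the Net::LDAPS default already drops low/export).
my $CIPHER_LIST = 'HIGH:!aNULL:!eNULL:!EXPORT:!LOW';

# Connect with LDAPS (port 636) or with a plain LDAPv3 connection that
# is immediately switched to TLS. Both paths require the server
# certificate to chain to $CAFILE (verify => 'require').
sub secure_connect {
    my ($host, $how) = @_;
    my $ldap;
    if ($how eq 'ldaps') {
        $ldap = Net::LDAPS->new($host,
            port    => 636,
            verify  => 'require',
            cafile  => $CAFILE,
            ciphers => $CIPHER_LIST,
        ) or die "LDAPS connect to $host failed: $@\n";
    } else {
        $ldap = Net::LDAP->new($host, port => 389, version => 3)
            or die "LDAP connect to $host failed: $@\n";
        my $mesg = $ldap->start_tls(
            verify  => 'require',
            cafile  => $CAFILE,
            ciphers => $CIPHER_LIST,
        );
        die "start_tls failed: " . $mesg->error . "\n" if $mesg->code;
    }
    return $ldap;
}

# Post-handshake checks: a server that "failed over" to plain text has
# no cipher at all; an unexpected cipher is rejected; and the subject
# commonName must match the host we asked for (step 2 in the text).
sub check_connection {
    my ($ldap, $host) = @_;
    my $cipher = $ldap->cipher;
    die "connection is not encrypted\n" unless $cipher;
    die "unacceptable cipher $cipher\n" unless $OK_CIPHER{$cipher};
    my $cn = $ldap->socket->peer_certificate('commonName');
    die "server certificate has no commonName\n" unless defined $cn;
    die "certificate CN '$cn' does not match '$host'\n"
        unless lc($cn) eq lc($host);
    return $cipher;
}

for my $how (qw(ldaps starttls)) {
    my $ldap   = secure_connect($HOST, $how);
    my $cipher = check_connection($ldap, $HOST);
    print "$how: verified $HOST, cipher $cipher\n";
    $ldap->unbind;
}
```

The cipher allow-list is deliberately an exact-match hash rather than a substring test, so a server that negotiates something merely "similar" to what you expected is still rejected; `cipher()` and `socket()` are the Net::LDAP accessors for the underlying IO::Socket::SSL state, and `peer_certificate('commonName')` is that module's certificate field lookup.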

The C<start_tls()> method takes
pretty much the same arguments as C<Net::LDAPS::new()>, so check above for
details.

=head2 How does SASL work

SASL is an authentication framework that can be used by a number of
different Internet services, including LDAPv3. Because it is only a
framework, it doesn't provide any way to authenticate by itself; to
actually authenticate to a service you need to use a specific SASL
I<mechanism>. A number of mechanisms are defined, such as CRAM-MD5.

The use of a mechanism like CRAM-MD5 provides a solution to the
password sniffing vulnerability, because these mechanisms typically do
not require the user to send across a secret (e.g., a password) in the
clear across the network. Instead, authentication is carried out in a
clever way which avoids this, and so prevents passwords from being
sniffed.

B<Net::LDAP> supports SASL using the B<Authen::SASL> class. Currently the
only B<Authen::SASL> subclasses (i.e., SASL mechanisms) available are
CRAM-MD5 and EXTERNAL.

Some SASL mechanisms provide a general solution to the sniffing of all
data on the network vulnerability, as they can negotiate confidential
(i.e., encrypted) network connections. Note that this is over and above
any SSL or TLS encryption! Unfortunately, perl's B<Authen::SASL> code
cannot negotiate this.

=head1 SEE ALSO

L<Net::LDAP>,
L<Net::LDAPS>,
L<Authen::SASL>

=head1 ACKNOWLEDGEMENTS

Jim Dutton E<lt>jimd@dutton3.it.siu.eduE<gt> provided lots of useful feedback
on the early drafts.

=head1 AUTHOR

Chris Ridd E<lt>chris.ridd@isode.comE<gt>

Please report any bugs, or post any suggestions, to the perl-ldap mailing list
E<lt>perl-ldap@perl.orgE<gt>.

=head1 COPYRIGHT

Copyright (c) 2001-2004 Chris Ridd. All rights reserved.
This program is
free software; you can redistribute it and/or modify it under the same
terms as Perl itself.

=cut
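The SASL bind from the "How does SASL work" section, as an added example that is not part of Net::LDAP::Security or perl-ldap. It authenticates with the CRAM-MD5 mechanism through Authen::SASL, so only a keyed digest of the server's challenge crosses the wire rather than the password; the host, user name, search base and the LDAP_PASSWORD environment variable are placeholders.

```perl
#!/usr/bin/perl
# Added example (not from Net::LDAP::Security or perl-ldap): authenticate
# to an LDAPv3 server with the CRAM-MD5 SASL mechanism via Authen::SASL,
# then run a search as that user.
use strict;
use warnings;
use Net::LDAP;
use Authen::SASL;

# Placeholders (assumptions): server, user name and where the password
# comes from. Reading it from the environment keeps it out of the script.
my $HOST = 'ldap.example.com';
my $USER = 'alice';
my $PASS = $ENV{LDAP_PASSWORD} // die "set LDAP_PASSWORD in the environment\n";
my $BASE = 'dc=example,dc=com';

# Bind with SASL/CRAM-MD5. Authen::SASL obtains the credentials through
# its callbacks; with CRAM-MD5 the client returns an HMAC-MD5 of the
# server's challenge keyed with $pass, so $pass itself is never sent.
sub sasl_bind {
    my ($ldap, $user, $pass) = @_;
    my $sasl = Authen::SASL->new(
        mechanism => 'CRAM-MD5',
        callback  => {
            user => $user,
            pass => $pass,
        },
    );
    my $mesg = $ldap->bind(sasl => $sasl, version => 3);
    die "SASL bind failed: " . $mesg->error . "\n" if $mesg->code;
    return $mesg;
}

my $ldap = Net::LDAP->new($HOST, version => 3)
    or die "cannot connect to $HOST: $@\n";
sasl_bind($ldap, $USER, $PASS);

# The password was protected, but everything after the bind (this search
# and its results) still travels in plain text unless the connection is
# LDAPS or was upgraded with start_tls() before binding; as the text
# notes, perl's Authen::SASL cannot negotiate a SASL confidentiality
# layer itself.
my $result = $ldap->search(
    base   => $BASE,
    scope  => 'sub',
    filter => "(uid=$USER)",
    attrs  => ['cn', 'mail'],
);
die "search failed: " . $result->error . "\n" if $result->code;
for my $entry ($result->entries) {
    printf "%s: %s\n", $entry->dn, $entry->get_value('mail') // '-';
}
$ldap->unbind;
```

Run it with `LDAP_PASSWORD=... perl sasl-bind.pl`; if the server does not offer CRAM-MD5 the bind returns an error code and the script stops before searching, which is the behaviour you want rather than a silent fallback to a simple bind.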
Generated: Tue Mar 17 22:47:18 2015 | Cross-referenced by PHPXref 0.7.1 |