Solved

LDAP Bind -  Major Security Issue?

Posted on 2011-03-18
1,093 Views
Last Modified: 2012-05-11
We have a server that is hosted outside of our state university network.  Currently we use SQL authentication to validate our patrons' user accounts (thousands of accounts).  To more easily manage accounts we would like to tie into the campus LDAP server.  This requires that an LDAP bind be allowed from the server hosted outside our network.

Our campus IT department says this is a security issue and it is not allowed.   The organization that hosts the server is OCLC, a worldwide library cooperative that works with thousands of libraries all over the globe.  They are world renowned, reputable and respected.

I want to fight for this bind to be allowed.  So my question is: is this a security concern if the connection is properly configured and managed?
0
Question by:ULadmin
7 Comments
 
LVL 75

Expert Comment

by:käµfm³d 👽
ID: 35169517
Not that I'm a security guru, but I was of the impression that "world renown, reputable and respected" is all the more reason for a company to be a target--general users would be more likely to trust information coming from that source. That said, if OCLC were to become compromised, how would you guarantee that your network wouldn't become compromised given your intended setup?
0
 
LVL 15

Expert Comment

by:Russell_Venable
ID: 35171321
Looks like you need my advice. If you like giving plain-text passwords to the public then use LDAP binding. Consequently this is exactly what you would be doing, along with having to allow directory listing to be enabled.

Considering that there is LDAP SASL (Simple Authentication & Security Layer) for hashing your credentials using Digest-MD5, GSS-SPNEGO, or any other digest hash algorithm. Attempting to secure your credentials in this fashion is by far not a secure method, and if you're attempting to use LDAP bind in a multi-millionaire arena, be prepared to lose millions if some lucky skiddy gets ahold of that hash and loads his botnet with a distributed 6gig rainbow library. He will have it in no time flat.

If you don't believe me you can ask any other qualified System Penetration specialist or IT Security specialist for their opinion. Best suggestion is to avoid using any operation that exposes your credentials in plain text/weak encryption. If you can't find a plugin that encrypts/decrypts in a more secure state like rijndael 586 then I would just give up on this fight.

0
 
LVL 15

Expert Comment

by:Russell_Venable
ID: 35173145
Sometimes it takes a visual of this as well as a test application to demonstrate security. As stated above, this would be a very bad idea to implement in a business/confidential environment, as I / others could just sniff your traffic for user credentials either on your network or remotely. If it were me, it would be in a controlled environment showing you results of possible damages resulting from such insecurities in a report, as compared to a real attacker who wouldn't be nearly as forgiving and understanding of your circumstances.


using System;
using System.Collections;
using System.Collections.Generic;
using System.DirectoryServices.Protocols;
using System.Diagnostics;
using System.Security.Cryptography.X509Certificates;
using System.Windows.Forms;
using System.Net;

namespace LDAPBind
{
    public partial class Form1 : Form
    {
        public Form1()
        {
            InitializeComponent();
        }

        // Binds to the directory over LDAPS (port 636) and writes the matching entries to TextBox1.
        private void BindedConnect()
        {
            string[] vals = null;
            string key = null;
            string strToDisplay = null;
            string strSearchBase = null;
            string strFilter = null;

            LdapConnection con = new LdapConnection(new LdapDirectoryIdentifier("LDAPserver.host.com:636", true, false));
            // Just for testing purposes
            //string CertificateAddress = "Certificate.cer";
            //X509Certificate cert = new X509Certificate(CertificateAddress);
            //con.ClientCertificates.Add(cert);
            con.SessionOptions.VerifyServerCertificate = new VerifyServerCertificateCallback(ServerCallback);
            con.SessionOptions.QueryClientCertificate = new QueryClientCertificateCallback(ClientCallback);
            con.Credential = new NetworkCredential("cn=User,ou=partoftree,o=RootOfTree", "userspassword");
            // Reference: http://technet.microsoft.com/en-us/library/dd941832%28WS.10%29.aspx LDAP Signing
            con.AuthType = AuthType.Negotiate; // <--- this is Not clear-text compared to "Basic", but is still susceptible to forged attacks and bruteforce hash attacks.
            con.SessionOptions.SecureSocketLayer = true; // We are using secure connections throughout this example.

            try
            {
                con.Bind();
                SearchRequest sr = new SearchRequest();
                SearchResultAttributeCollection srattcol = null;

                strSearchBase = "ou=partoftree,o=RootOfTree";
                strFilter = "cn=someuser*";
                sr.DistinguishedName = strSearchBase;
                sr.Filter = strFilter;
                sr.Scope = SearchScope.Subtree;
                SearchResponse srp = (SearchResponse)con.SendRequest(sr);
                SearchResultEntryCollection srecol = srp.Entries;
                foreach (SearchResultEntry srpe in srecol)
                {
                    srattcol = srpe.Attributes;
                    // One "attribute,firstValue" line per attribute of each entry
                    foreach (DictionaryEntry DE in srattcol)
                    {
                        key = DE.Key.ToString();
                        vals = (string[])(srpe.Attributes[key].GetValues(typeof(string)));
                        strToDisplay = strToDisplay + key + "," + vals[0] + "\r" + "\n";
                    }
                }

                this.TextBox1.Text = strToDisplay;
            }
            catch (Exception ex)
            {
                this.TextBox1.Text = ex.Message;
            }
        }

        private static SortedDictionary<DateTime, string> CertServer = new SortedDictionary<DateTime, string>();
        public static bool ServerCallback(LdapConnection connection, X509Certificate certificate)
        {
            X509Certificate2 newCert = new X509Certificate2(certificate);
            LdapDirectoryIdentifier id = (LdapDirectoryIdentifier)connection.Directory;
            lock (CertServer)
            {
                // Sorted as [Certificate expiry DateTime, Server]; the indexer avoids a duplicate-key exception on a repeat callback
                CertServer[newCert.NotAfter] = id.Servers[0];
            }
            Debug.WriteLine("Got server " + id.Servers[0]);
            // Accept the server only if its certificate chains to a trusted root. Returning true
            // unconditionally would accept any certificate and defeat the SSL layer.
            // Note: Verify() does not check that the certificate name matches the host.
            return newCert.Verify();
        }

        public static X509Certificate ClientCallback(LdapConnection connection, byte[][] trustedCAs)
        {
            // Log which server asked for a client certificate and how many CAs it trusts
            LdapDirectoryIdentifier id = (LdapDirectoryIdentifier)connection.Directory;
            int caCount = (trustedCAs == null) ? 0 : trustedCAs.Length;
            Debug.WriteLine("This Server CalledBack [" + id.Servers[0] + "] with " + caCount + " trusted CA(s)");
            return null; // no client certificate is presented
        }

    }
}


Hopefully this will help change your opinion on LDAP Bind Security.
0
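Added example, not code from the thread (the C# above is Russell_Venable's; this Python is the editor's, written to check the two claims made in the last two comments). It encodes an LDAPv3 BindRequest in BER exactly as RFC 4511 lays it out, decodes it back the way anything on the path could, and shows that a simple bind carries the password verbatim while a SASL bind's first message carries only the mechanism name. It also builds the TLS client settings a wrapper or tunnel has to enforce (chain validation against a trusted CA, hostname match), which is what a server-certificate callback that always returns true gives up. The DN and password are the thread's placeholder values; the frames are constructed locally and nothing connects to a network.

```python
"""Editor's added example: an LDAPv3 BindRequest on the wire (RFC 4511, BER).

Nothing here talks to a server; the frames are constructed locally from the
placeholder DN and password used in the thread's C# snippet.
"""
import ssl

SEQUENCE, INTEGER, OCTET_STRING = 0x30, 0x02, 0x04
BIND_REQUEST = 0x60   # [APPLICATION 0] constructed
AUTH_SIMPLE = 0x80    # AuthenticationChoice simple [0] OCTET STRING
AUTH_SASL = 0xA3      # AuthenticationChoice sasl [3] SaslCredentials


def _ber_len(n: int) -> bytes:
    """BER definite length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(payload)) + payload


def _integer(v: int) -> bytes:
    # two's-complement, minimal length (0..127 fit in one byte)
    return _tlv(INTEGER, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))


def simple_bind_request(message_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage carrying a simple bind: the password is an OCTET STRING, unmodified."""
    body = _integer(3) + _tlv(OCTET_STRING, dn.encode()) + _tlv(AUTH_SIMPLE, password.encode())
    return _tlv(SEQUENCE, _integer(message_id) + _tlv(BIND_REQUEST, body))


def sasl_bind_request(message_id: int, dn: str, mechanism: str, credentials: bytes = b"") -> bytes:
    """First message of a SASL bind: mechanism name plus an optional initial response.
    The later challenge/response messages of e.g. DIGEST-MD5 are not modelled."""
    sasl = _tlv(OCTET_STRING, mechanism.encode())
    if credentials:
        sasl += _tlv(OCTET_STRING, credentials)
    body = _integer(3) + _tlv(OCTET_STRING, dn.encode()) + _tlv(AUTH_SASL, sasl)
    return _tlv(SEQUENCE, _integer(message_id) + _tlv(BIND_REQUEST, body))


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after the element)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_bind_request(frame: bytes) -> dict:
    """Parse an LDAPMessage/BindRequest the way a sniffer on the path would."""
    tag, msg, _ = _read_tlv(frame, 0)
    if tag != SEQUENCE:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = _read_tlv(msg, 0)
    tag, bind, _ = _read_tlv(msg, pos)
    if tag != BIND_REQUEST:
        raise ValueError("not a BindRequest")
    _, version, pos = _read_tlv(bind, 0)
    _, name, pos = _read_tlv(bind, pos)
    tag, cred, _ = _read_tlv(bind, pos)
    out = {"message_id": int.from_bytes(mid, "big", signed=True),
           "version": version[0], "name": name.decode()}
    if tag == AUTH_SIMPLE:
        out.update(auth="simple", password=cred.decode())
    elif tag == AUTH_SASL:
        _, mech, _ = _read_tlv(cred, 0)
        out.update(auth="sasl", mechanism=mech.decode())
    else:
        raise ValueError("unknown AuthenticationChoice tag %#x" % tag)
    return out


def password_visible_on_wire(frame: bytes, password: str) -> bool:
    """True when the password bytes appear verbatim in the frame."""
    return password.encode() in frame


def ldaps_client_context(cafile: str = None) -> ssl.SSLContext:
    """TLS settings a client (or the wrapper/tunnel in front of it) must enforce before
    any bind: chain validation against a trusted CA, hostname match, TLS 1.2 or newer."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


if __name__ == "__main__":
    dn, pw = "cn=User,ou=partoftree,o=RootOfTree", "userspassword"  # thread's placeholders
    simple = simple_bind_request(1, dn, pw)
    print("simple bind:", simple.hex())
    print("decoded    :", decode_bind_request(simple))
    print("password in clear:", password_visible_on_wire(simple, pw))
    sasl = sasl_bind_request(2, dn, "DIGEST-MD5")
    print("sasl bind  :", sasl.hex(), decode_bind_request(sasl))
```

Running the module prints both frames as hex; a capture of an unencrypted bind on port 389 contains the same bytes, which is why LDAPS or StartTLS with real certificate verification has to be in place before any bind is allowed across the internet. The `ssl` context is only the client half of that: the server side still has to refuse simple binds on cleartext connections.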

Author Comment

by:ULadmin
ID: 35182384
Yes, Russell, I do need advice.  THAT IS WHY PEOPLE USE THIS SERVICE, OBVIOUSLY.   If I knew all the ins and outs of this I wouldn't need to ask the question, would I?

Sorry, your response comes off a bit condescending to me.  Not uncommon, though.
0
 
LVL 15

Accepted Solution

by: Russell_Venable (earned 500 total points)
ID: 35182987
No, not at all. What I am trying to explain is the security situation that you will be opening up for attackers using this method, and that is why they oppose this method. If it comes off as condescending to you I apologize, as it was not intended in any way to sound like that. I know you want this badly, but this will bring a gaping hole to the network and I know you don't want to be the cause of an incident.

Neither would I. It's really important not to use binding outside of your network without some kind of strong encryption layer. Best options are using a socks proxy that supports SSL and RSA encryption for its connection to and from that LDAP server using the bind method, or make a custom transport layer using RSA X506 certificates for authentication using a certificate verify message where the client has the master secret key and sends that message back to the server to verify authenticity. All of these methods act as a wrapper protecting the connection internally and externally. So if you can find a solution using either of those methods you can utilize the ldap bind.

0
 

Author Comment

by:ULadmin
ID: 35183416
Thank you Russell.  Maybe I am just having a bad day?  I will see if they can use the RSA X506 certs.  If not, I guess I'm out of luck....
0
 
LVL 15

Expert Comment

by:Russell_Venable
ID: 35183979
Make sure you emphasize encryption over a remote tunnel. They should understand this without a problem. Good luck!
0
