Re: nslcd: passwords in clear text even if TLS is configured

Hi Arthur,

the line

"ldap_start_tls_s()"

is not present. The nslcd -d command gives the following output:

sitti>~ #nslcd -d
nslcd: DEBUG: NSS_LDAP nss-pam-ldapd 0.9.12
nslcd: DEBUG: ldap_set_option(LDAP_OPT_X_TLS_REQUIRE_CERT,demand)
nslcd: DEBUG: ldap_set_option(LDAP_OPT_X_TLS_CACERTFILE,"/rwfs/ca/ca.crt")
nslcd: DEBUG: CFG: threads 5
nslcd: DEBUG: CFG: uid root
nslcd: DEBUG: CFG: gid 0
nslcd: DEBUG: CFG: uri ldap://nodo-1.labsecurity.local
nslcd: DEBUG: CFG: ldap_version 3
nslcd: DEBUG: CFG: base dc=labsecurity,dc=local
nslcd: DEBUG: CFG: scope sub
nslcd: DEBUG: CFG: deref never
nslcd: DEBUG: CFG: referrals yes
nslcd: DEBUG: CFG: filter aliases (objectClass=nisMailAlias)
nslcd: DEBUG: CFG: filter ethers (objectClass=ieee802Device)
nslcd: DEBUG: CFG: filter group (objectClass=posixGroup)
nslcd: DEBUG: CFG: filter hosts (objectClass=ipHost)
nslcd: DEBUG: CFG: filter netgroup (objectClass=nisNetgroup)
nslcd: DEBUG: CFG: filter networks (objectClass=ipNetwork)
nslcd: DEBUG: CFG: filter passwd (objectClass=posixAccount)
nslcd: DEBUG: CFG: filter protocols (objectClass=ipProtocol)
nslcd: DEBUG: CFG: filter rpc (objectClass=oncRpc)
nslcd: DEBUG: CFG: filter services (objectClass=ipService)
nslcd: DEBUG: CFG: filter shadow (objectClass=shadowAccount)
nslcd: DEBUG: CFG: map group userPassword "*"
nslcd: DEBUG: CFG: map passwd gecos "${gecos:-$cn}"
nslcd: DEBUG: CFG: map shadow shadowLastChange "${shadowLastChange:--1}"
nslcd: DEBUG: CFG: map shadow shadowMin "${shadowMin:--1}"
nslcd: DEBUG: CFG: map shadow shadowMax "${shadowMax:--1}"
nslcd: DEBUG: CFG: map shadow shadowWarning "${shadowWarning:--1}"
nslcd: DEBUG: CFG: map shadow shadowInactive "${shadowInactive:--1}"
nslcd: DEBUG: CFG: map shadow shadowExpire "${shadowExpire:--1}"
nslcd: DEBUG: CFG: map shadow shadowFlag "${shadowFlag:-0}"
nslcd: DEBUG: CFG: pam_authc_ppolicy yes
nslcd: DEBUG: CFG: bind_timelimit 10
nslcd: DEBUG: CFG: timelimit 0
nslcd: DEBUG: CFG: idle_timelimit 0
nslcd: DEBUG: CFG: reconnect_sleeptime 1
nslcd: DEBUG: CFG: reconnect_retrytime 10
nslcd: DEBUG: CFG: ssl start_tls
nslcd: DEBUG: CFG: tls_reqcert demand
nslcd: DEBUG: CFG: tls_cacertfile /rwfs/ca/ca.crt
nslcd: DEBUG: CFG: tls_reqsan allow
nslcd: DEBUG: CFG: tls_crlcheck none
nslcd: DEBUG: CFG: pagesize 0
nslcd: DEBUG: CFG: nss_min_uid 0
nslcd: DEBUG: CFG: nss_uid_offset 0
nslcd: DEBUG: CFG: nss_gid_offset 0
nslcd: DEBUG: CFG: nss_nested_groups no
nslcd: DEBUG: CFG: nss_getgrent_skipmembers no
nslcd: DEBUG: CFG: nss_disable_enumeration no
nslcd: DEBUG: CFG: validnames /^[a-z0-9._@$()]([a-z0-9._@$() \~-]*[a-z0-9._@$()~-])?$/i
nslcd: DEBUG: CFG: ignorecase no
nslcd: DEBUG: CFG: pam_authc_search BASE
nslcd: DEBUG: CFG: cache dn2uid 15m 15m
nslcd: version 0.9.12 starting
nslcd: DEBUG: initgroups("root",0) done
nslcd: DEBUG: setgid(0) done
nslcd: DEBUG: setuid(0) done
nslcd: DEBUG: unlink() of /var/run/nslcd/socket failed (ignored): No such file or directory
nslcd: accepting connections

As I wrote before, in the nslcd.conf file I set the following parameters:

ssl start_tls
tls_reqcert demand
tls_cacertfile /rwfs/ca/ca.crt

Can you please help me to point in the right direction?

Thank you.

Andrea

On 05/03/2022 13:36, Arthur de Jong wrote:
Hi Andrea,

Thanks for reporting this.

On Thu, 2022-03-03 at 12:39 +0100, Andrea Sighinolfi wrote:
The problem is that if I monitor the packet with a packet sniffer
(Wireshark), I can see a simple bindRequest with the user password in
clear text is performed before starting to communicate with TLS.

Can you start nslcd manually as "nslcd -d" and report the
authentication part of the output? I would expect a
"ldap_start_tls_s()" line to be present in the output. Can you also
report the first bit that dumps the config?

Kind regards,

--

Ing. Andrea Sighinolfi

R&D


SITTI S.p.A.
Via Cadorna, 73
20055 Vimodrone (MI) - ITALY

Phone +39.02.2507121
Mobile +39.xxxxxxxxx

Email:  andrea.sighinolfi [at] sitti.it
Website: www.sitti.it

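As an added example (not code from this thread or from nss-pam-ldapd), the check Arthur asks for can be automated: scan an `nslcd -d` transcript, read the `CFG:` dump, and flag any bind on a plain `ldap://` URI that is not preceded by `ldap_start_tls_s()` in the same session while `ssl start_tls` is configured. The sample transcript is constructed; the `ldap_simple_bind_s(...)` / `ldap_sasl_bind(...)` and `<authc="...">` line formats are assumptions about nslcd's debug output, only the `CFG:` and `ldap_start_tls_s()` lines come from the thread.

```python
import re

# Constructed sample: config lines as shown in the thread, followed by an
# assumed authentication section for one nslcd session ([8b4567]).
SAMPLE_OK = """\
nslcd: DEBUG: CFG: uri ldap://nodo-1.labsecurity.local
nslcd: DEBUG: CFG: ssl start_tls
nslcd: accepting connections
nslcd: [8b4567] <authc="andrea"> DEBUG: ldap_initialize(ldap://nodo-1.labsecurity.local)
nslcd: [8b4567] <authc="andrea"> DEBUG: ldap_start_tls_s()
nslcd: [8b4567] <authc="andrea"> DEBUG: ldap_simple_bind_s("uid=andrea,dc=labsecurity,dc=local","***") (uri="ldap://nodo-1.labsecurity.local")
"""

# Same transcript with the STARTTLS step missing: the bind would go out in clear text.
SAMPLE_BAD = SAMPLE_OK.replace(
    'nslcd: [8b4567] <authc="andrea"> DEBUG: ldap_start_tls_s()\n', "")

CFG_RE = re.compile(r"DEBUG: CFG: (\w+) (.*)$")          # "CFG: key value"
SESSION_RE = re.compile(r"nslcd: \[([0-9a-f]+)\]")       # per-request session tag


def audit_nslcd_debug(text):
    """Return (config, findings) for an nslcd -d transcript.

    A finding is (line number, session id, message) for every bind issued on
    a plain ldap:// URI without a prior ldap_start_tls_s() in that session,
    when the configuration requested `ssl start_tls`. An ldaps:// URI is
    already encrypted, so binds there are not flagged.
    """
    config = {}
    tls_started = set()   # session ids that have completed STARTTLS
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = CFG_RE.search(line)
        if m:
            config[m.group(1)] = m.group(2)
            continue
        s = SESSION_RE.match(line)
        sid = s.group(1) if s else "-"
        if "ldap_start_tls_s()" in line:
            tls_started.add(sid)
        elif "ldap_simple_bind_s(" in line or "ldap_sasl_bind(" in line:
            plain_uri = config.get("uri", "").startswith("ldap://")
            if config.get("ssl") == "start_tls" and plain_uri and sid not in tls_started:
                findings.append((lineno, sid, "bind before STARTTLS on plaintext URI"))
    return config, findings
```

Run it over the real `nslcd -d` output captured during a login; an empty findings list means every bind in the transcript was preceded by STARTTLS, which is what the Wireshark capture should confirm.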