[tech] Napoli authentication issues

Daniel Axtens danielax at gmail.com
Tue Nov 1 17:52:02 WST 2011


Hi all,

I noticed yesterday that Napoli allowed GUI login by someone purporting to be a network user regardless of whether or not their password was correct. You could literally just type in a user name and hit enter twice and get in.

Turns out it's been a known problem with Lion since August: http://reviews.cnet.com/8301-13727_7-20098743-263/ldap-flaw-in-os-x-lion-opens-major-authentication-security-hole/

It's fixed in 10.7.2, but for some reason we were not seeing these updates in Software Update. I've manually downloaded and installed the update. The details of the issue (CVE-2011-3226) and the fix are in the release notes at http://support.apple.com/kb/HT5002, pertinently:

==
Open Directory

Available for: OS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1

Impact: A user may be able to log in without a password

Description: When Open Directory is bound to an LDAPv3 server using RFC2307 or custom mappings, such that there is no AuthenticationAuthority attribute for a user, an LDAP user may be allowed to log in without a password. This issue does not affect systems prior to OS X Lion.
==

Now, upgrading was only half the battle. The upgrade set up the Mac's LDAP client to only bind to the server if it could bind with the best authentication available, or something - I really don't understand LDAP and all the magicks.

Anyway, the upshot was that no-one could log in. I have fixed this by denying all the nifty authentication types, following the instructions in http://itsabicycle.com/2011/10/14/ldap-authentication-simple-binds-os-x-lion-1072/

I don't really understand what I've done, but authentication takes place over SSL so I presume it is sufficiently secure. AFAICT, everything just works now. Logins work with the correct passwords only, although they do seem to be a bit slow.

Big thanks to Ian McKellar for locating the source of the problem, [BOB] for securing user directories and other stuff in the interim, and [DAA] for his advice on LDAP/OpenDirectory: I couldn't have done it without you guys.

Yours,
[DJA]
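
The advisory quoted above describes a fail-open authenticator: a user entry with no AuthenticationAuthority attribute falls through a mechanism lookup and is admitted without any password check. The following is an added example, not code from the original email, from Apple, or from the linked write-ups; it models that shape with a constructed in-memory directory (the users `alice` and `bob`, the `;basic;` authority string and the `simple_bind` stand-in are all assumptions for illustration) and places the vulnerable login path beside a fail-closed one. It also shows the related LDAP pitfall a defender should test for: a simple bind with a name and an empty password is an unauthenticated bind (RFC 4513 section 5.1.2), so callers must reject empty passwords before binding rather than treat bind success as proof of identity.

```python
"""Fail-open vs. fail-closed directory login (added example, constructed data).

Models the failure mode in the quoted advisory: a user record that has no
AuthenticationAuthority attribute, which a naive login path admits without
ever checking a password.
"""
from dataclasses import dataclass, field
import hmac


@dataclass
class Record:
    uid: str
    attrs: dict = field(default_factory=dict)


# Constructed directory (not real data). 'alice' has an explicit authority;
# 'bob' is an RFC2307-style entry where no AuthenticationAuthority was mapped.
DIRECTORY = {
    "alice": Record("alice", {"AuthenticationAuthority": ";basic;",
                              "userPassword": "correct-horse"}),
    "bob": Record("bob", {"userPassword": "battery-staple"}),
}

BASIC = ";basic;"   # assumed authority value meaning "verify by simple bind"


def simple_bind(uid, password):
    """Stand-in for an LDAP simple bind against the constructed directory.

    Mirrors RFC 4513 s5.1.2: a bind with a name and an EMPTY password is an
    unauthenticated bind that many servers accept (as anonymous). It returns
    True here to show why a caller must never read that as a verified login.
    """
    rec = DIRECTORY.get(uid)
    if rec is None:
        return False
    if password == "":
        return True   # unauthenticated bind "succeeds" with anonymous authorization
    # Constant-time comparison of the constructed clear-text credential.
    return hmac.compare_digest(rec.attrs.get("userPassword", ""), password)


def login_fail_open(uid, password):
    """Vulnerable shape: verifies only when it recognises an authority and
    otherwise falls through to allow. 'bob' gets in with any password."""
    rec = DIRECTORY.get(uid)
    if rec is None:
        return False
    authority = rec.attrs.get("AuthenticationAuthority")
    if authority == BASIC:
        return simple_bind(uid, password)
    return True   # no authority mapped -> nothing checked -> admitted


def login_fail_closed(uid, password):
    """Hardened shape: empty passwords are refused before any bind, a missing
    authority defaults explicitly to simple bind (an assumption of this
    example), and any unknown mechanism denies instead of falling through."""
    rec = DIRECTORY.get(uid)
    if rec is None or not password:
        return False
    authority = rec.attrs.get("AuthenticationAuthority", BASIC)
    if authority != BASIC:
        return False   # unknown mechanism: deny, never fall through
    return simple_bind(uid, password)


def regression_checks():
    """Table a defender can run after a fix: (case, fail_open, fail_closed)."""
    cases = [("bob", ""), ("bob", "wrong"), ("bob", "battery-staple"),
             ("alice", ""), ("alice", "wrong"), ("alice", "correct-horse")]
    return [(u, p, login_fail_open(u, p), login_fail_closed(u, p))
            for u, p in cases]


if __name__ == "__main__":
    for uid, pw, fo, fc in regression_checks():
        print(f"{uid:6} {pw!r:18} fail_open={fo!s:5} fail_closed={fc}")
```

The check list in `regression_checks` is the kind of thing worth keeping around after an upgrade like the one described: the two cases that must return False are an empty password and a wrong password for a user whose entry carries no AuthenticationAuthority attribute, since those are exactly the logins the unpatched client accepted.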
