[Freeipa-devel] #4534: SSSD deref processing fail when entryusn can be read and objectclass doesn't

Simo Sorce ssorce at redhat.com
Thu Sep 11 18:49:41 UTC 2014 

On Thu, 2014-09-11 at 20:28 +0200, Martin Kosek wrote:
> On 09/11/2014 05:37 PM, Simo Sorce wrote:
> > On Thu, 2014-09-11 at 17:03 +0200, Martin Kosek wrote:
> >> Hello,
> >>
> >> We have another important issue to resolve. Current FreeIPA 4.0.2 ACI settings
> >> cause older SSSD clients to fail as they get returned an LDAP deref call
> >> results without objectclass attribute and just with entryusn attribute. Details
> >> in https://fedorahosted.org/freeipa/ticket/4534. While I agree SSSD should be
> >> more tolerant in this case, it still breaks old clients which we should prevent.
> >>
> >> There are 2 ways how to fix I currently see:
> >>
> >> 1) Return objectclass for any entry, just like we do with operational attributes
> >>
> >> This would include adding "objectclass" to "System: Read Timestamp and USN
> >> Operational Attributes". However, I am rather cautious about this approach as
> >> even though objectclass does not usually carry a secret information, we could
> >> still leak some information about our DIT to unprivileged user.
> >
> > Our DIT is public and known, I see no problem.
> 
> I rather meant the LDAP tree and it's contents (custom groups, sudo rules, 
> roles, ...).
> 
> I did one more test and found out we cannot do this as it would undermine the 
> ACIs we have right now. As soon as objectclass is allowed globally, ldapsearch 
> returns every object even if no other attribute is returned:
> 
> # ldapsearch -h `hostname` -Y GSSAPI -b cn=pbac,dc=mkosek-fedora20,dc=test
> SASL/GSSAPI authentication started
> SASL username: host/ipa.mkosek-fedora20.test at MKOSEK-FEDORA20.TEST
> SASL SSF: 56
> SASL data security layer installed.
> ...
> # User Administrators, privileges, pbac, mkosek-fedora20.test
> dn: cn=User Administrators,cn=privileges,cn=pbac,dc=mkosek-fedora20,dc=test
> objectClass: top
> objectClass: groupofnames
> objectClass: nestedgroup
> ...
> 
> It would not show any more info before that, but even the list of permissions, 
> privileges and roles along with it's names is a leaked information.
> 
> 
> >> 2) Show objectclass+operational attributes in our Read ACIs
> >> Other way I see is to update *all* our Read permissions allowing reading
> >> objectclass attribute and also allow the chosen LDAP operational attribute.
> >> This would let the LDAP caller to always get either all these discussed
> >> attributes but none at all.
> >>
> >>
> >> Do we want to do this? Any other (better) idea how to approach it?
> >
> > I honestly am not sure I understand the distinction between 1 and 2, can
> > you provide the actual ACIs or a behavior example ?
> >
> > Simo.
> 
> Currently, our ACI allows reading entryusn in any LDAP entry. So user (SSSD) 
> running LDAP deref call gets entryusn from object it does not have a read 
> access to:
> 
> # ldapsearch -h `hostname` -Y GSSAPI -b 
> uid=admin,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test -E 
> 'deref=memberof:objectclass,entryusn'
> SASL/GSSAPI authentication started
> SASL username: host/ipa.mkosek-fedora20.test at MKOSEK-FEDORA20.TEST
> SASL SSF: 56
> SASL data security layer installed.
> ...
> # memberof: <entryusn=845>;cn=replication administrators,cn=privileges,cn=pba
>   c,dc=mkosek-fedora20,dc=test
> 
> # memberof: <entryusn=75>;cn=add replication agreements,cn=permissions,cn=pba
>   c,dc=mkosek-fedora20,dc=test
> ...
> 
> This confuses SSSD (sees entryusn but does not see objectclass attribute) + may 
> give out some information we do not want to give out. Fortunately, bare 
> ldapsearch does not show anything:
> 
> # ldapsearch -h `hostname` -Y GSSAPI -b "cn=replication 
> administrators,cn=privileges,cn=pbac,dc=mkosek-fedora20,dc=test" entryusn
> SASL/GSSAPI authentication started
> SASL username: host/ipa.mkosek-fedora20.test at MKOSEK-FEDORA20.TEST
> SASL SSF: 56
> SASL data security layer installed.
> # extended LDIF
> #
> # LDAPv3
> # base <cn=replication 
> administrators,cn=privileges,cn=pbac,dc=mkosek-fedora20,dc=test> with scope subtree
> # filter: (objectclass=*)
> # requesting: entryusn
> #
> 
> # search result
> search: 4
> result: 0 Success
> 
> # numResponses: 1
> 
> 
> The idea behind Option 1 was to add ACI to allow reading objectclass attribute 
> globally, for our entire tree. (as noted above, not an option).
> 
> The idea behind Option 2 was to:
> - remove global ACI allowing reading entryusn (System: Read Timestamp and USN 
> Operational Attributes)
> - update all our Read permissions to allow entryusn
> 
> Then for example, if user (SSSD) is allowed to read RBAC role objects, he would 
> not be able to read either objectclass or entryusn attributes. This means users 
> would be only allowed to read entryusn for objects that they can really read 
> (i.e. for objects where they can read at least objectclass).
> 
> Did that clarify the options?
> 
> Of course, there is still option 3) to close as wontfix and let older SSSDs be 
> incompatible with FreeIPA 4.0+.

No, 3 is definitely not on the table, I would rather do 1, but I guess 2
is the only good way for now ?

Simo.

More information about the Freeipa-devel mailing list