ACL changes to increase security

Important Access Control Modifications Recommended for Isode R4.0 Directory Server
----------------------------------------------------------------------------------

An error in the Isode R4.0 Enterprise Directory Server's default Access Control configuration has been identified, which may affect servers configured to use Simple Authentication. This message defines the error, and describes the configuration modifications required.

The default Access Control configuration enables some simple authentication passwords to be accessible to unauthorized users. By default, it protects userPassword attributes used for simple authentication but not passwords configured via the Authcon mechanism for configuring simple authentication passwords.

Authcon-style configuration may be used for the authentication of DSP (chaining) and DISP (replication) associations, and also (more exceptionally) for authenticating individual Directory Client users over DAP and LDAP.

Directory Servers using authcon-style configuration may be identified by the presence of the object class 'commonAuthenticationInformation' in the Directory Server's own entry.

Although only some servers are affected, it is recommended that all administrators of Isode R4.0 Directory Servers should take measures to correct this error to prevent accidental future password exposure. Isode therefore advises that the configuration modifications described below are made to all Isode R4.0 Directory Servers.

This error has been fixed in Isode R4.1, which is scheduled for final release within the next four weeks.

Please address any inquiries concerning this issue to customer-service@isode.com.

Access Control Configuration Modifications

The password attributes used for Simple Authentication defined in the Authcon Schema (see section B.1.5 of IC-1107 V4.0) are inadequately protected against reading by unauthorized users. This is a security flaw. The only appropriate accessors of these values are the Directory Server itself (with read access) and the Directory Server's Manager, plus any others to whom administration privileges have been extended (with modify access).

This may be addressed by using EDM to modify the ACI.

In order to address this problem, the prescriptiveACI in Access Control sub-entries which apply to the Directory Server's own entry should be modified to ensure that only the Directory Server itself may read the values. This may be done using EDM as follows:

Open the Directory Server for management;

Locate the access-control sub-entry immediately subordinate to the Directory Server's entry ("cn=ac-subentry", indicated by a 'keyhole' icon).

In that sub-entry:

1) select 'Modify prescriptive ACI...';

2) select the ACI item named 'deny read and search of userPassword (auto nn)' (nn represents digits);

3) click on the 'Editor...' button;

4) select the 'Protected items' tab;

5) under 'These attributes: (including operational attributes)', cause the following list of attribute types to be Included:

dapInitiatorPassword (see note 1)
dapRemoteInitiatorPassword
dapRemoteResponderPassword (see note 1)
dapResponderPassword
dispInitiatorPassword
dispRemoteInitiatorPassword
dispRemoteResponderPassword
dispResponderPassword
dspInitiatorPassword
dspRemoteInitiatorPassword
dspRemoteResponderPassword
dspResponderPassword
ldapInitiatorPassword (see note 1)
ldapRemoteInitiatorPassword
ldapRemoteResponderPassword (see note 1)
ldapResponderPassword (see note 1)
userPassword (see note 2)

Note 1: these attribute types are not currently meaningful to Authcon configuration, but it is conceivable that they may have a meaning in the future; consequently, they are included here. They may be omitted safely if the size of the prescriptive ACI is of more concern than a putative later re-edit of the ACI.

Note 2: userPassword is already Included in this ACI item.

6) Press OK

[ 6a) Optional step: On the 'Modify the prescriptive ACI for ac-subentry...' window, modify the item name to read 'passwords' instead of 'userPassword'. ]

7) Press OK (this causes the update to take effect)

The above procedure assumes that the default ACI has been unchanged. If different ACI has been set up, then the procedure will need to be adjusted; hopefully sufficient information has been provided to enable the administrator to determine how it should be modified.

Similarly, prescriptive ACI for any bilateral tables NOT subordinate to the Directory Server's entry also needs to be adjusted if they have been created. The above procedure can be applied to a suitable Access Control Administrative point.

Once the ACI has been modified, it is advisable to change authcon-configured passwords which may have been compromised. Since passwords are (intended to be) a shared secret between two parties, this may require coordination with administrators of peer Directory Servers and/or users.
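A way to check the result of the procedure, as an added example that is not part of the original advisory and is not Isode code: it reads an LDIF export of the Directory Server's own entry and reports whether the entry carries 'commonAuthenticationInformation' and which of the attribute types from step 5 are still returned. It assumes the export was taken while bound as a non-administrative user; the entry name and values in the sample are constructed.

```python
import base64

# Attribute types listed in step 5 of the advisory, lower-cased for matching.
PROTECTED = {
    f"{proto}{role}password"
    for proto in ("dap", "disp", "dsp", "ldap")
    for role in ("initiator", "remoteinitiator", "remoteresponder", "responder")
} | {"userpassword"}
AUTHCON_CLASS = "commonauthenticationinformation"

def parse_ldif_entry(text):
    """Parse one LDIF entry into {attr_lowercase: [values]}, unfolding lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]           # folded continuation line
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines:
        name, _, rest = line.partition(":")
        if rest.startswith(":"):           # "attr:: <base64 value>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        name = name.split(";")[0].lower()  # drop options such as ;binary
        entry.setdefault(name, []).append(value)
    return entry

def audit(ldif_text):
    """Return (uses_authcon, sorted names of protected attributes still visible)."""
    entry = parse_ldif_entry(ldif_text)
    classes = {v.lower() for v in entry.get("objectclass", [])}
    exposed = sorted(a for a in entry if a in PROTECTED)
    return AUTHCON_CLASS in classes, exposed

# Constructed sample: the server's own entry as returned to a non-administrator.
SAMPLE = """\
dn: cn=example-dsa,o=Example
objectClass: top
objectClass: commonAuthenticationInformation
dspInitiatorPassword:: Y29uc3RydWN0ZWQ=
dispResponderPassword: constructed-
 value
description: constructed test entry
"""

if __name__ == "__main__":
    uses_authcon, exposed = audit(SAMPLE)
    print("authcon configured:", uses_authcon)
    print("password attributes visible to this reader:", exposed or "none")
```

After the ACI change, the same export should yield an empty list; any attribute names reported before the change indicate which shared passwords need to be replaced.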

Isode customers with access to the Bug-tracking database may inspect the source code status of this problem under Bug-IdRMDgf04090.

Servicio de Informática de la Universidad de Murcia - http://www.um.es/si
Last updated: 22/06/99