Certificate validation for LDAPS


Vitaly N.

Feb 20, 2025, 5:04:37 PM
to Event-Driven Servers
Hi Marc,

Have you considered if it's possible to validate the certificate when using ldaps? 

By chance I noticed I had a typo in the certificate my LDAP server was serving making neither CN nor any SAN match the domain name of the LDAP server. Despite that, tac_plus-ng (using ldapmavis-mt) happily made the connection. This could open a potential MITM attack vector.

Let me know if any config samples or debug log would be helpful.

Thanks!

Marc Huber

Feb 21, 2025, 7:48:27 AM
to event-driv...@googlegroups.com
Hi Vitaly,

I'll have a look at that when time permits. I'd figure that proper
certificate handling would just require a couple of ldap_set_option()
API calls.

Thanks,

Marc

Marc Huber

Feb 21, 2025, 11:20:56 AM
to event-driv...@googlegroups.com
Hi Vitaly,

commit fc4574cfa5e96d228e8e9dd8f45432899bc4e7c9 adds support for several
LDAP_OPT_X_TLS_* environment variables. Setting these suitably should
grant some control over the cert validation process.

Untested, of course.

Cheers,

Marc

Vitaly N.

Feb 27, 2025, 11:31:50 AM
to Event-Driven Servers
Thanks Marc. Does this config snippet look right?

#!/usr/local/sbin/tac_plus-ng

id = spawnd {
    listen = {
        port = 49
    }
    background = yes
    debug = ALL
}

id = tac_plus-ng {
    debug redirect = /var/log/tac_plus-ng/debug.log

    log accesslog { destination = /var/log/tac_plus-ng/access/%Y%m%d.log }
    log authzlog { destination = /var/log/tac_plus-ng/auth/%Y%m%d.log }
    log acctlog { destination = /var/log/tac_plus-ng/acct/%Y%m%d.log }

    access log = accesslog
    authorization log = authzlog
    accounting log = acctlog

    mavis module = external-mt {
        setenv LDAP_SERVER_TYPE = "generic"
        setenv LDAP_HOSTS = "ldaps://my.duo.authproxy.local:636"
        setenv LDAP_BASE = "cn=users,cn=accounts,dc=my,dc=domain"
        setenv LDAP_BASE_GROUP = "cn=groups,cn=accounts,dc=my,dc=domain"
        setenv LDAP_USER = "uid=tacacsuser,cn=users,cn=accounts,dc=my,dc=domain"
        setenv LDAP_PASSWD = "ldap_password"
        setenv LDAP_MEMBEROF_FILTER = "^cn=(tacacs[^,]+),.*"
        setenv LDAP_OPT_X_TLS_REQUIRE_SAN = LDAP_OPT_X_TLS_HARD
        exec = /tacacs/sbin/ldapmavis-mt
    }

    login backend = mavis
    user backend = mavis
    pap backend = mavis
    mavis noauthcache
    authentication fallback = yes
}


I couldn't get it to work with an incorrect cert (CN/SAN wrong). Even when setting LDAP_OPT_X_TLS_REQUIRE_SAN = LDAP_OPT_X_TLS_NEVER I was expecting to see an error message, but didn't see one.
It could definitely be user error, let me know if you spot something I'm doing wrong. Unfortunately I won't have time until next week to play with it more.

Best,
Vitaly

Marc Huber

Feb 28, 2025, 11:54:58 AM
to event-driv...@googlegroups.com
Hi Vitaly,

I actually didn't test that code but just mapped whatever the man page
implied as reasonable, so I'm guessing:

For a successful cert validation you'll likely need to set
LDAP_OPT_X_TLS_CACERTFILE (or LDAP_OPT_X_TLS_CACERTDIR) and possibly
LDAP_OPT_X_TLS_REQUIRE_CERT, too.

Cheers,

Marc
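The advice in the last two messages boils down to a configuration property a practitioner can check mechanically: a mavis module that talks to ldaps:// should name a trust anchor (LDAP_OPT_X_TLS_CACERTFILE or LDAP_OPT_X_TLS_CACERTDIR) and require the server certificate to verify (LDAP_OPT_X_TLS_REQUIRE_CERT set to hard/demand); a SAN requirement on its own adds a name check but does not establish trust in the certificate. The following audit script is an added example, not code from tac_plus-ng or ldapmavis-mt. It parses the `mavis module = ... { setenv ... }` syntax used in the thread and assumes that ldapmavis-mt passes the LDAP_OPT_X_TLS_* variables through to libldap and that their values are either the libldap symbol names (LDAP_OPT_X_TLS_HARD) or the ldap.conf keywords (hard, demand); that value mapping, the host names and the CA path in the constructed sample config are assumptions.

```python
"""Audit a tac_plus-ng config for LDAPS mavis modules with weak cert validation.

Added example; not part of tac_plus-ng or ldapmavis-mt. The accepted value
spellings for LDAP_OPT_X_TLS_REQUIRE_CERT below are an assumption.
"""
import re

# `mavis module = external-mt {` opens a block; `setenv KEY = "value"` inside it.
MODULE_RE = re.compile(r'^\s*mavis\s+module\s*=\s*(\S+)\s*\{')
SETENV_RE = re.compile(r'^\s*setenv\s+(\w+)\s*=\s*"?([^"\s]*)"?\s*$')

# Assumed spellings that make libldap reject an unverifiable server certificate.
STRICT_REQUIRE_CERT = {"demand", "hard", "LDAP_OPT_X_TLS_DEMAND", "LDAP_OPT_X_TLS_HARD"}


def parse_mavis_modules(config_text):
    """Return [(module_name, {ENV_NAME: value})] for every mavis module block."""
    modules, current, depth = [], None, 0
    for line in config_text.splitlines():
        if current is None:
            m = MODULE_RE.match(line)
            if m:
                current, depth = (m.group(1), {}), 1  # the '{' on the module line
            continue
        m = SETENV_RE.match(line)
        if m:
            current[1][m.group(1)] = m.group(2)
        depth += line.count("{") - line.count("}")
        if depth <= 0:  # closing brace of the module block
            modules.append(current)
            current = None
    return modules


def audit_module(label, env):
    """Findings for one module; empty list means the LDAPS settings look sound."""
    findings = []
    if "ldaps://" not in env.get("LDAP_HOSTS", ""):
        return findings  # plain ldap:// (or StartTLS) is outside this check
    if not (env.get("LDAP_OPT_X_TLS_CACERTFILE") or env.get("LDAP_OPT_X_TLS_CACERTDIR")):
        findings.append(f"{label}: no LDAP_OPT_X_TLS_CACERTFILE/CACERTDIR, "
                        "so there is no trust anchor for the server certificate")
    req = env.get("LDAP_OPT_X_TLS_REQUIRE_CERT")
    if req not in STRICT_REQUIRE_CERT:
        findings.append(f"{label}: LDAP_OPT_X_TLS_REQUIRE_CERT is {req!r}, not hard/demand; "
                        "verification depends on system ldap.conf defaults")
        if "LDAP_OPT_X_TLS_REQUIRE_SAN" in env:
            findings.append(f"{label}: LDAP_OPT_X_TLS_REQUIRE_SAN alone does not verify the "
                            "chain; it only adds a name check once verification is enforced")
    return findings


def audit_config(config_text):
    """Map module index -> findings for every mavis module in the config."""
    return {i: audit_module(f"mavis module {i} ({name})", env)
            for i, (name, env) in enumerate(parse_mavis_modules(config_text))}


# Constructed sample: module 0 mirrors the weak snippet from the thread,
# module 1 is the corrected form (CA file + strict REQUIRE_CERT).
SAMPLE_CONFIG = '''
id = tac_plus-ng {
    mavis module = external-mt {
        setenv LDAP_SERVER_TYPE = "generic"
        setenv LDAP_HOSTS = "ldaps://ldap.example.internal:636"
        setenv LDAP_OPT_X_TLS_REQUIRE_SAN = LDAP_OPT_X_TLS_HARD
        exec = /tacacs/sbin/ldapmavis-mt
    }
    mavis module = external-mt {
        setenv LDAP_HOSTS = "ldaps://ldap.example.internal:636"
        setenv LDAP_OPT_X_TLS_CACERTFILE = "/etc/ssl/certs/internal-ca.pem"
        setenv LDAP_OPT_X_TLS_REQUIRE_CERT = LDAP_OPT_X_TLS_HARD
        exec = /tacacs/sbin/ldapmavis-mt
    }
}
'''

if __name__ == "__main__":
    for idx, findings in audit_config(SAMPLE_CONFIG).items():
        for f in findings or [f"mavis module {idx}: ok"]:
            print(f)
```

Run it against a real config with `python3 audit.py < /etc/tac_plus-ng.cfg` after swapping SAMPLE_CONFIG for `sys.stdin.read()`; a clean result only says the options are present, so still confirm behaviour end to end by pointing the module at a server with a deliberately mismatched certificate, as Vitaly did, and checking that the bind fails.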