LDAP draft-wahl-ldap-session

Michael Ströder michael at stroeder.com
Mon Jun 29 10:56:38 CEST 2015


Michael Ströder wrote:
> Arran Cudbard-Bell wrote:
>> Any progress on the testing?
>>
>> I'll have to remove the code unless it's confirmed to be working.
> 
> I was pretty busy during the last days. Please give me two more days.

I'm testing git v3.1.x 36e1b02e926df5cd75d4d548694401535c607ca9.

I'm simply using PAP with hashed passwords in LDAP attribute 'userPassword'
(EAP-TTLS with PAP in real life, simple PAP here).

Good, the search requests (conn=1044) contain the Session Tracking Control
(OpenLDAP logs):

2015-06-29T10:47:05.316040+02:00 nb2 slapd-stroeder-de[5510]: conn=1044 op=1 [IP=10.1.1.5 NAME=radiusd USERNAME=michael-homelan] SRCH base="cn=radiusd,ou=services,dc=stroeder,dc=local" scope=2 deref=0 filter="(uid=michael-homelan)"
2015-06-29T10:47:05.316051+02:00 nb2 slapd-stroeder-de[5510]: conn=1044 op=1 [IP=10.1.1.5 NAME=radiusd USERNAME=michael-homelan] SRCH attr=userPassword radiusControlAttribute radiusRequestAttribute radiusReplyAttribute
2015-06-29T10:47:05.316244+02:00 nb2 slapd-stroeder-de[5510]: conn=1044 op=1 [IP=10.1.1.5 NAME=radiusd USERNAME=michael-homelan] SEARCH RESULT tag=101 err=0 nentries=1 text=

It seems an additional LDAP connection conn=1045 is opened:

2015-06-29T10:47:05.317153+02:00 nb2 slapd-stroeder-de[5510]: conn=1045 fd=23 ACCEPT from IP=127.0.0.1:53074 (IP=0.0.0.0:1390)
2015-06-29T10:47:05.317219+02:00 nb2 slapd-stroeder-de[5510]: conn=1045 op=0 BIND dn="uid=radiusd,ou=sys,dc=stroeder,dc=local" method=128
2015-06-29T10:47:05.324982+02:00 nb2 slapd-stroeder-de[5510]: conn=1045 op=0 BIND dn="uid=radiusd,ou=sys,dc=stroeder,dc=local" mech=SIMPLE ssf=0
2015-06-29T10:47:05.325582+02:00 nb2 slapd-stroeder-de[5510]: conn=1045 op=0 RESULT tag=97 err=0 text=

But now for checking the password there is no Session Tracking Control sent
along with the bind request (conn=1044, err=49 is ok because I deliberately
used a wrong password):

2015-06-29T10:47:05.325647+02:00 nb2 slapd-stroeder-de[5510]: conn=1044 op=2 BIND anonymous mech=implicit ssf=0
2015-06-29T10:47:05.325697+02:00 nb2 slapd-stroeder-de[5510]: conn=1044 op=2 BIND dn="uid=michael-homelan,cn=radiusd,ou=services,dc=stroeder,dc=local" method=128
2015-06-29T10:47:05.330285+02:00 nb2 slapd-stroeder-de[5510]: conn=1044 op=2 RESULT tag=97 err=49 text=

But especially the client's IP address is interesting when looking for
password brute-force attacks, hence the Session Tracking control should also be
sent along with the bind request.

Ciao, Michael.
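As an added example (not part of Michael's mail, nor FreeRADIUS or OpenLDAP code), a small Python script that parses slapd log lines of the form quoted above and counts failed binds (err=49) per client IP taken from the Session Tracking Control on the BIND request, filing binds that carried no control under "untracked". It shows why the control matters for brute-force monitoring: without it the failed bind cannot be attributed to a source. The log lines are constructed to mirror the mail's format, with DNs changed.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the slapd log format quoted in the mail:
# op=2 is a bind without the control, op=3 a bind that carries it.
SAMPLE_LOG = """\
2015-06-29T10:47:05.316040+02:00 nb2 slapd[5510]: conn=1044 op=1 [IP=10.1.1.5 NAME=radiusd USERNAME=michael-homelan] SRCH base="cn=radiusd,ou=services,dc=example,dc=local" scope=2 deref=0 filter="(uid=michael-homelan)"
2015-06-29T10:47:05.316244+02:00 nb2 slapd[5510]: conn=1044 op=1 [IP=10.1.1.5 NAME=radiusd USERNAME=michael-homelan] SEARCH RESULT tag=101 err=0 nentries=1 text=
2015-06-29T10:47:05.325647+02:00 nb2 slapd[5510]: conn=1044 op=2 BIND anonymous mech=implicit ssf=0
2015-06-29T10:47:05.325697+02:00 nb2 slapd[5510]: conn=1044 op=2 BIND dn="uid=michael-homelan,cn=radiusd,ou=services,dc=example,dc=local" method=128
2015-06-29T10:47:05.330285+02:00 nb2 slapd[5510]: conn=1044 op=2 RESULT tag=97 err=49 text=
2015-06-29T10:47:06.100000+02:00 nb2 slapd[5510]: conn=1044 op=3 [IP=10.1.1.5 NAME=radiusd USERNAME=michael-homelan] BIND dn="uid=michael-homelan,cn=radiusd,ou=services,dc=example,dc=local" method=128
2015-06-29T10:47:06.110000+02:00 nb2 slapd[5510]: conn=1044 op=3 RESULT tag=97 err=49 text=
"""

# The optional "[IP=... NAME=... USERNAME=...]" group is what slapd logs when a
# Session Tracking Control is attached to the operation.
LINE_RE = re.compile(
    r"conn=(?P<conn>\d+) op=(?P<op>\d+) "
    r"(?:\[IP=(?P<ip>[^ \]]+) NAME=(?P<name>[^ \]]+) USERNAME=(?P<user>[^\]]+)\] )?"
    r"(?P<rest>.*)$"
)


def parse(log_text):
    """Yield one dict per slapd operation line; ip/name/user are None when no control was sent."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.groupdict()


def failed_binds_by_source(log_text):
    """Count err=49 bind results per client IP from the Session Tracking Control.

    A bind whose request line carried no control is counted under 'untracked',
    because its RESULT line cannot be attributed to a RADIUS client address."""
    bind_source = {}            # (conn, op) -> client IP or 'untracked'
    counts = defaultdict(int)
    for rec in parse(log_text):
        key = (rec["conn"], rec["op"])
        if rec["rest"].startswith("BIND dn="):
            bind_source[key] = rec["ip"] or "untracked"
        elif rec["rest"].startswith("RESULT") and "err=49" in rec["rest"] and key in bind_source:
            counts[bind_source[key]] += 1
    return dict(counts)
```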

