
I have an (Open)LDAP Server running on a Debian system inside my LAN, and multiple systems running Linux Mint, configured as LDAP Clients.

Here is the content of my /etc/nsswitch.conf:

passwd:         compat ldap
group:          compat ldap
shadow:         compat ldap
gshadow:        files

hosts:          files mdns4_minimal [NOTFOUND=return] dns myhostname
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       ldap

My question is: What happens if the LDAP Server introduces user collisions (uid/username)? Can this be exploited to gain root access on the clients? Is the LDAP Server the single-point-of-failure in this regard? Can this be prevented?

I know I asked 4 questions, but all of them are on the same topic: "user collisions".

Thanks!

2 Answers

  • Collision with uid: If user A from LDAP and user B from /etc/passwd have the same UID, both can access the files of the other - effectively they are the same user.
  • Collision with username: When logging in, the first database will be queried. In your example, an LDAP user could not log in.
  • Root exploit: If you have a UID collision and one of the users has sudo rights or something similar, the other user will have as well (as I said, they are effectively the same user).
  • LDAP is not the point of failure in this - you can even have multiple usernames with the same uid in just /etc/passwd. Preventing this means to make sure you have no collisions before connecting to LDAP and afterwards, only add users to LDAP, not to local files (except for service accounts). This is your responsibility and the system does not protect you in this case.
Sven
  • Very clear answer! I know I have to avoid collisions. But if some attacker gains access to the LDAP Server, is the security of the clients immediately compromised? Are there any measures I could take to protect the client systems? I am worried about some files owned by root (0400) on the client systems. – Radu Marinescu Jul 01 '19 at 13:09
  • Rephrased: Can an attacker who gains access to the LDAP Server, use collisions to gain root access to the client systems? How can I prevent/reduce the chances of that happening? – Radu Marinescu Jul 01 '19 at 13:22
  • If an LDAP server is compromised and will return a user with uid 0 (aka root) or a user with sudo rights, the attacker might be able to get control of a client system. You can prevent this with different methods - the easiest is to limit the uids the LDAP server is allowed to report to the client. As an example, you can configure your LDAP client to only allow uid>10000 and then make sure no user above this has sudo rights (and all local users are below that). How this is done depends on the connector used. – Sven Jul 01 '19 at 14:03
  • Thanks! Please add this to your answer for completeness, and I will mark it as accepted. – Radu Marinescu Jul 01 '19 at 14:20

What happens is that you get UID/GID numbers that are inconsistent across servers.

Situations:

  • A user/group can have multiple different UID/GID numbers across servers
  • The same UID/GID number can be used by multiple different users/groups across servers

Inconsistent UID/GID numbers across servers can cause several problems like issues with file ownership on NFS exports or issues with file ownership when switching SAN storage / filesystems between servers.

You cannot successfully use a central user authentication system such as LDAP if you do not have consistent UID/GID numbers.

So what you should do is gather information from all servers in order to establish:

  • number of unique users/groups across servers
  • number of conflicting UID/GID's
  • what is the user/group conflicting count per UID/GID
  • number of users/groups with multiple different UID/GID numbers across servers
  • a detailed breakdown of how many accounts the user/group has per server with each UID/GID

Basically, you make the big picture of everything. You prevent all problems by making a similar analysis with the above and taking measures to unify all of it.

As for the single point of failure part, you should check best practices like the ones listed here.

To secure your LDAP server, check this guide.

Also see related vulnerabilities.

Overmind
  • I do not currently have collisions. I am worrying about an eventual attacker gaining access to the LDAP Server. Does that increase the likelihood of gaining root access on the client systems? And how do I eliminate/reduce those chances? Thanks for that document! I will read it thoroughly. – Radu Marinescu Jul 01 '19 at 13:18
  • In that case, you should secure the server. I have added a quick guide for that. Also make sure you are protected against related vulnerabilities. – Overmind Jul 02 '19 at 05:36
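An added example (not code from the question or from either answer) that performs the checks both answers ask for: it compares local passwd entries with what the LDAP source returns, reporting shared UIDs, shared usernames, and LDAP accounts whose UID falls at or below the threshold from Sven's "only allow uid>10000" comment. The passwd lines are constructed samples and LDAP_MIN_UID is an assumed site policy; on a real client the two inputs would be /etc/passwd and the LDAP portion of `getent passwd`.

```python
# Added example, not code from the question or either answer. Constructed
# passwd-format samples; LDAP_MIN_UID is an assumed site policy (Sven's comment).
from collections import defaultdict

LDAP_MIN_UID = 10000  # assumed policy: LDAP may only supply UIDs above this

# Constructed local entries (name:x:uid:gid:gecos:home:shell), as in /etc/passwd.
LOCAL_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""

# Constructed entries as 'getent passwd' would show them from the LDAP source.
LDAP_PASSWD = """\
bob:x:10001:10001:Bob:/home/bob:/bin/bash
alice:x:10002:10002:Alice (LDAP):/home/alice:/bin/bash
mallory:x:0:0:rogue:/home/mallory:/bin/bash
carol:x:1000:1000:Carol:/home/carol:/bin/bash
"""

def parse_passwd(text):
    """Return (name, uid) pairs from passwd-format text."""
    entries = []
    for line in text.splitlines():
        if line and not line.startswith("#"):
            fields = line.split(":")
            entries.append((fields[0], int(fields[2])))
    return entries

def audit(local_text, ldap_text, min_uid=LDAP_MIN_UID):
    """Return the three classes of finding discussed in the answers above."""
    local = parse_passwd(local_text)
    ldap = parse_passwd(ldap_text)
    local_by_uid = defaultdict(list)
    for name, uid in local:
        local_by_uid[uid].append(name)
    local_names = {name for name, _ in local}
    findings = {"uid_collisions": [], "name_collisions": [], "low_ldap_uids": []}
    for name, uid in ldap:
        if uid in local_by_uid:  # same UID: the kernel treats them as one user
            findings["uid_collisions"].append((uid, local_by_uid[uid], name))
        if name in local_names:  # same name: 'compat ldap' answers from files first
            findings["name_collisions"].append(name)
        if uid <= min_uid:       # below the LDAP range (uid 0 is the root case)
            findings["low_ldap_uids"].append((name, uid))
    return findings

if __name__ == "__main__":
    for kind, items in audit(LOCAL_PASSWD, LDAP_PASSWD).items():
        print(f"{kind}: {items}")
```

Any non-empty `uid_collisions` or `low_ldap_uids` list is the condition Sven's comment warns about; the script only reports, and the enforcement itself (restricting the UID range the client accepts) still has to be done in the LDAP client connector's configuration.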