You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@directory.apache.org by Emmanuel Lecharny <el...@gmail.com> on 2011/07/11 08:55:43 UTC
Re: svn commit: r1144962 - /directory/apacheds/trunk/core-api/src/main/java/org/apache/directory/server/core/LdapCoreSessionConnection.java
I'm not sure it"s a good idea to setup a default session, at least to
admin. If we consider the normal (ie, not embedded) server, we don't set
any session, the default session is Anonymous (of course if allowed).
IMO, this might be a security breach too.
What was the rational for this modificatioon, Alex ?
On 7/10/11 11:23 PM, akarasulu@apache.org wrote:
> Author: akarasulu
> Date: Sun Jul 10 21:23:02 2011
> New Revision: 1144962
>
> URL: http://svn.apache.org/viewvc?rev=1144962&view=rev
> Log:
> session member should be reset to an admin session when the directory service is set
>
> Modified:
> directory/apacheds/trunk/core-api/src/main/java/org/apache/directory/server/core/LdapCoreSessionConnection.java
>
> Modified: directory/apacheds/trunk/core-api/src/main/java/org/apache/directory/server/core/LdapCoreSessionConnection.java
> URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/core-api/src/main/java/org/apache/directory/server/core/LdapCoreSessionConnection.java?rev=1144962&r1=1144961&r2=1144962&view=diff
> ==============================================================================
> --- directory/apacheds/trunk/core-api/src/main/java/org/apache/directory/server/core/LdapCoreSessionConnection.java (original)
> +++ directory/apacheds/trunk/core-api/src/main/java/org/apache/directory/server/core/LdapCoreSessionConnection.java Sun Jul 10 21:23:02 2011
> @@ -1286,5 +1286,6 @@ public class LdapCoreSessionConnection i
> {
> this.directoryService = directoryService;
> this.schemaManager = directoryService.getSchemaManager();
> + this.session = directoryService.getAdminSession();
> }
> }
>
>
>
--
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com
Re: svn commit: r1144962 - /directory/apacheds/trunk/core-api/src/main/java/org/apache/directory/server/core/LdapCoreSessionConnection.java
Posted by Alex Karasulu <ak...@apache.org>.
On Tue, Jul 12, 2011 at 8:53 AM, Emmanuel Lécharny <el...@apache.org> wrote:
> On 7/12/11 2:21 AM, Alex Karasulu wrote:
>>
>> On Mon, Jul 11, 2011 at 9:55 AM, Emmanuel Lecharny<el...@gmail.com>
>> wrote:
>>>
>>> I'm not sure it"s a good idea to setup a default session, at least to
>>> admin.
>>> If we consider the normal (ie, not embedded) server, we don't set any
>>> session, the default session is Anonymous (of course if allowed). IMO,
>>> this
>>> might be a security breach too.
>>>
>>> What was the rational for this modificatioon, Alex ?
>>
>> First there was a big null pointer exception due to this not being
>> set. Second taking a big step back I thought about it and if I have a
>> handle on DirectoryService I can pretty much do anything anyway. If
>> I'm using CoreSessions and DirectoryServices I can use any kind of
>> session there's no security barrier there. So IMO there's no security
>> issue here to defaulting to an admin session.
>
> Make sense. I'm just wondering if we shouldn't mimic the way the LDAP server
> works by forcing the session to use an anonymous principal by default,
> instead of an admin one.
That might be better for consistency and also the safe road to take.
I shouldn't have used the term 'security issue',
> it's not really a problem in this case, what I had in mind is that if
> someone want to use a Admin session, it's probably better to require that he
> explicitly create such a session. Call it 'protection against stupid
> move'...
>
> PS : NPE ? ouch...
Yeah Kiran commented on that.
> --
> Regards,
> Cordialement,
> Emmanuel Lécharny
> www.iktek.com
>
>
--
Best Regards,
-- Alex
Re: svn commit: r1144962 - /directory/apacheds/trunk/core-api/src/main/java/org/apache/directory/server/core/LdapCoreSessionConnection.java
Posted by Emmanuel Lécharny <el...@apache.org>.
On 7/12/11 10:00 AM, Alex Karasulu wrote:
> On Tue, Jul 12, 2011 at 10:30 AM, Emmanuel Lecharny<el...@gmail.com> wrote:
>>
>> LDAP specify that you can do operation without being bound, and in this
>> case, the session will be anonymous. Defaulting to anonymous is then pretty
>> natural. Now, you may have something different in mind, can you elaborate ?
>> (Of course, the server might reject such operations done on a anonymous
>> session, and I can see that as a major issue if we default to anonymous)
> You're right we should either go anonymous or take the approach below
> which IMO is better. See below...
>
>>> We should require a bind to set the exact session.
>> That's an option : if the server reject anonymous operations, then
>> obviously, the user *must* bind. I would say that it *should* be the default
>> mode...
> So you're saying allow anonymous then if there is a failure then allow
> user to bind? Or by default force the user to bind?
I would say it's up to the user : the server may or may not allow
anonymous operation (it's a configuration thing), but usually, it's
probably a good idea for users to bind (using their credentials). So,
yes, force them to bind should not harm...
--
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com
Re: svn commit: r1144962 - /directory/apacheds/trunk/core-api/src/main/java/org/apache/directory/server/core/LdapCoreSessionConnection.java
Posted by Alex Karasulu <ak...@apache.org>.
On Tue, Jul 12, 2011 at 10:30 AM, Emmanuel Lecharny <el...@gmail.com> wrote:
> On 7/12/11 9:19 AM, Alex Karasulu wrote:
>>>
>>> rather than
>>>
>>> this.session = directoryService.getAdminSession(); in
>>> setDirectoryService())
>>>
>>> what we already know is that DS is available and user/app can do
>>> anything if has got access to, but more important is
>>> the usage from an app developer's POV, if I have a web app that allows
>>> users to connect to the server using LdapCoreSessionConnection
>>> then assigning admin session by default during initialization will be
>>> a serious security issue.
>>
>> LDAP applications rarely align their authorization schema with LDAP
>> security. Most applications just connect as admin and handle lookups
>> on behalf of their users.
>
> Yes. This is very true, and usually, because such apps are using a
> connection pool. It's also safe as it's protected (well, suposely protected)
> by the application : one can't access to this part unless already
> identified. Although I do think it's not necessarily a good idea, it's due
> to the fact it's costly to establish a physical connection. Now, one can
> still use an already existing connection, and bind with a different user,
> instead of using an admin session... Misconceptions are always spread very
> quickly, and are hard to fix...
>>
>> But I think you and Emmanuel both make a good case here. We need to
>> solve this better since some applications like the self service
>> applications we've spoken about writing might use direct LDAP
>> security. However I think we don't just go with an anonymous session
>> or a admin session. We need a means to make this decision better.
>
> LDAP specify that you can do operation without being bound, and in this
> case, the session will be anonymous. Defaulting to anonymous is then pretty
> natural. Now, you may have something different in mind, can you elaborate ?
> (Of course, the server might reject such operations done on a anonymous
> session, and I can see that as a major issue if we default to anonymous)
You're right we should either go anonymous or take the approach below
which IMO is better. See below...
>>
>> We should require a bind to set the exact session.
>
> That's an option : if the server reject anonymous operations, then
> obviously, the user *must* bind. I would say that it *should* be the default
> mode...
So you're saying allow anonymous then if there is a failure then allow
user to bind? Or by default force the user to bind?
Alex
Re: svn commit: r1144962 - /directory/apacheds/trunk/core-api/src/main/java/org/apache/directory/server/core/LdapCoreSessionConnection.java
Posted by Emmanuel Lecharny <el...@gmail.com>.
On 7/12/11 9:19 AM, Alex Karasulu wrote:
>> rather than
>>
>> this.session = directoryService.getAdminSession(); in setDirectoryService())
>>
>> what we already know is that DS is available and user/app can do
>> anything if has got access to, but more important is
>> the usage from an app developer's POV, if I have a web app that allows
>> users to connect to the server using LdapCoreSessionConnection
>> then assigning admin session by default during initialization will be
>> a serious security issue.
> LDAP applications rarely align their authorization schema with LDAP
> security. Most applications just connect as admin and handle lookups
> on behalf of their users.
Yes. This is very true, and usually, because such apps are using a
connection pool. It's also safe as it's protected (well, suposely
protected) by the application : one can't access to this part unless
already identified. Although I do think it's not necessarily a good
idea, it's due to the fact it's costly to establish a physical
connection. Now, one can still use an already existing connection, and
bind with a different user, instead of using an admin session...
Misconceptions are always spread very quickly, and are hard to fix...
> But I think you and Emmanuel both make a good case here. We need to
> solve this better since some applications like the self service
> applications we've spoken about writing might use direct LDAP
> security. However I think we don't just go with an anonymous session
> or a admin session. We need a means to make this decision better.
LDAP specify that you can do operation without being bound, and in this
case, the session will be anonymous. Defaulting to anonymous is then
pretty natural. Now, you may have something different in mind, can you
elaborate ? (Of course, the server might reject such operations done on
a anonymous session, and I can see that as a major issue if we default
to anonymous)
> We should require a bind to set the exact session.
That's an option : if the server reject anonymous operations, then
obviously, the user *must* bind. I would say that it *should* be the
default mode...
--
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com
Re: svn commit: r1144962 - /directory/apacheds/trunk/core-api/src/main/java/org/apache/directory/server/core/LdapCoreSessionConnection.java
Posted by Alex Karasulu <ak...@apache.org>.
On Tue, Jul 12, 2011 at 9:19 AM, Kiran Ayyagari <ka...@apache.org> wrote:
> On Tue, Jul 12, 2011 at 11:23 AM, Emmanuel Lécharny
> <el...@apache.org> wrote:
>> On 7/12/11 2:21 AM, Alex Karasulu wrote:
>>>
>>> On Mon, Jul 11, 2011 at 9:55 AM, Emmanuel Lecharny<el...@gmail.com>
>>> wrote:
>>>>
>>>> I'm not sure it"s a good idea to setup a default session, at least to
>>>> admin.
>>>> If we consider the normal (ie, not embedded) server, we don't set any
>>>> session, the default session is Anonymous (of course if allowed). IMO,
>>>> this
>>>> might be a security breach too.
>>>>
>>>> What was the rational for this modificatioon, Alex ?
>>>
>>> First there was a big null pointer exception due to this not being
>>> set. Second taking a big step back I thought about it and if I have a
>>> handle on DirectoryService I can pretty much do anything anyway. If
>>> I'm using CoreSessions and DirectoryServices I can use any kind of
>>> session there's no security barrier there. So IMO there's no security
>>> issue here to defaulting to an admin session.
>>
>> Make sense. I'm just wondering if we shouldn't mimic the way the LDAP server
>> works by forcing the session to use an anonymous principal by default,
>> instead of an admin one. I shouldn't have used the term 'security issue',
>> it's not really a problem in this case, what I had in mind is that if
>> someone want to use a Admin session, it's probably better to require that he
>> explicitly create such a session. Call it 'protection against stupid
>> move'...
>>
>> PS : NPE ? ouch...
>>
> this NPE is a valid one in this case, note that this is a connection
> implementation and a user is supposed to call bind()
> but the constructor LdapCoreSessionConnection( CoreSession session )
> is entirely different, in this case the user knows what he is
> doing, so my preference would be to move the assignment to this
> constructor and assign the passed session (i.e.,
>
> this.session = session;
There were actually a few places where this could happen. If session
was passed in as a method argument sure we can just set it as you did
above. But I don't think we had that option in the method where the
change was induced.
> rather than
>
> this.session = directoryService.getAdminSession(); in setDirectoryService())
>
> what we already know is that DS is available and user/app can do
> anything if has got access to, but more important is
> the usage from an app developer's POV, if I have a web app that allows
> users to connect to the server using LdapCoreSessionConnection
> then assigning admin session by default during initialization will be
> a serious security issue.
LDAP applications rarely align their authorization schema with LDAP
security. Most applications just connect as admin and handle lookups
on behalf of their users.
But I think you and Emmanuel both make a good case here. We need to
solve this better since some applications like the self service
applications we've spoken about writing might use direct LDAP
security. However I think we don't just go with an anonymous session
or a admin session. We need a means to make this decision better.
We should require a bind to set the exact session.
--
Best Regards,
-- Alex
Re: svn commit: r1144962 - /directory/apacheds/trunk/core-api/src/main/java/org/apache/directory/server/core/LdapCoreSessionConnection.java
Posted by Kiran Ayyagari <ka...@apache.org>.
On Tue, Jul 12, 2011 at 11:23 AM, Emmanuel Lécharny
<el...@apache.org> wrote:
> On 7/12/11 2:21 AM, Alex Karasulu wrote:
>>
>> On Mon, Jul 11, 2011 at 9:55 AM, Emmanuel Lecharny<el...@gmail.com>
>> wrote:
>>>
>>> I'm not sure it"s a good idea to setup a default session, at least to
>>> admin.
>>> If we consider the normal (ie, not embedded) server, we don't set any
>>> session, the default session is Anonymous (of course if allowed). IMO,
>>> this
>>> might be a security breach too.
>>>
>>> What was the rational for this modificatioon, Alex ?
>>
>> First there was a big null pointer exception due to this not being
>> set. Second taking a big step back I thought about it and if I have a
>> handle on DirectoryService I can pretty much do anything anyway. If
>> I'm using CoreSessions and DirectoryServices I can use any kind of
>> session there's no security barrier there. So IMO there's no security
>> issue here to defaulting to an admin session.
>
> Make sense. I'm just wondering if we shouldn't mimic the way the LDAP server
> works by forcing the session to use an anonymous principal by default,
> instead of an admin one. I shouldn't have used the term 'security issue',
> it's not really a problem in this case, what I had in mind is that if
> someone want to use a Admin session, it's probably better to require that he
> explicitly create such a session. Call it 'protection against stupid
> move'...
>
> PS : NPE ? ouch...
>
this NPE is a valid one in this case, note that this is a connection
implementation and a user is supposed to call bind()
but the constructor LdapCoreSessionConnection( CoreSession session )
is entirely different, in this case the user knows what he is
doing, so my preference would be to move the assignment to this
constructor and assign the passed session (i.e.,
this.session = session;
rather than
this.session = directoryService.getAdminSession(); in setDirectoryService())
what we already know is that DS is available and user/app can do
anything if has got access to, but more important is
the usage from an app developer's POV, if I have a web app that allows
users to connect to the server using LdapCoreSessionConnection
then assigning admin session by default during initialization will be
a serious security issue.
--
Kiran Ayyagari
Re: svn commit: r1144962 - /directory/apacheds/trunk/core-api/src/main/java/org/apache/directory/server/core/LdapCoreSessionConnection.java
Posted by Emmanuel Lécharny <el...@apache.org>.
On 7/12/11 2:21 AM, Alex Karasulu wrote:
> On Mon, Jul 11, 2011 at 9:55 AM, Emmanuel Lecharny<el...@gmail.com> wrote:
>> I'm not sure it"s a good idea to setup a default session, at least to admin.
>> If we consider the normal (ie, not embedded) server, we don't set any
>> session, the default session is Anonymous (of course if allowed). IMO, this
>> might be a security breach too.
>>
>> What was the rational for this modificatioon, Alex ?
> First there was a big null pointer exception due to this not being
> set. Second taking a big step back I thought about it and if I have a
> handle on DirectoryService I can pretty much do anything anyway. If
> I'm using CoreSessions and DirectoryServices I can use any kind of
> session there's no security barrier there. So IMO there's no security
> issue here to defaulting to an admin session.
Make sense. I'm just wondering if we shouldn't mimic the way the LDAP
server works by forcing the session to use an anonymous principal by
default, instead of an admin one. I shouldn't have used the term
'security issue', it's not really a problem in this case, what I had in
mind is that if someone want to use a Admin session, it's probably
better to require that he explicitly create such a session. Call it
'protection against stupid move'...
PS : NPE ? ouch...
--
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com
Re: svn commit: r1144962 - /directory/apacheds/trunk/core-api/src/main/java/org/apache/directory/server/core/LdapCoreSessionConnection.java
Posted by Alex Karasulu <ak...@apache.org>.
On Mon, Jul 11, 2011 at 9:55 AM, Emmanuel Lecharny <el...@gmail.com> wrote:
> I'm not sure it"s a good idea to setup a default session, at least to admin.
> If we consider the normal (ie, not embedded) server, we don't set any
> session, the default session is Anonymous (of course if allowed). IMO, this
> might be a security breach too.
>
> What was the rational for this modificatioon, Alex ?
First there was a big null pointer exception due to this not being
set. Second taking a big step back I thought about it and if I have a
handle on DirectoryService I can pretty much do anything anyway. If
I'm using CoreSessions and DirectoryServices I can use any kind of
session there's no security barrier there. So IMO there's no security
issue here to defaulting to an admin session.
> On 7/10/11 11:23 PM, akarasulu@apache.org wrote:
>>
>> Author: akarasulu
>> Date: Sun Jul 10 21:23:02 2011
>> New Revision: 1144962
>>
>> URL: http://svn.apache.org/viewvc?rev=1144962&view=rev
>> Log:
>> session member should be reset to an admin session when the directory
>> service is set
>>
>> Modified:
>>
>> directory/apacheds/trunk/core-api/src/main/java/org/apache/directory/server/core/LdapCoreSessionConnection.java
>>
>> Modified:
>> directory/apacheds/trunk/core-api/src/main/java/org/apache/directory/server/core/LdapCoreSessionConnection.java
>> URL:
>> http://svn.apache.org/viewvc/directory/apacheds/trunk/core-api/src/main/java/org/apache/directory/server/core/LdapCoreSessionConnection.java?rev=1144962&r1=1144961&r2=1144962&view=diff
>>
>> ==============================================================================
>> ---
>> directory/apacheds/trunk/core-api/src/main/java/org/apache/directory/server/core/LdapCoreSessionConnection.java
>> (original)
>> +++
>> directory/apacheds/trunk/core-api/src/main/java/org/apache/directory/server/core/LdapCoreSessionConnection.java
>> Sun Jul 10 21:23:02 2011
>> @@ -1286,5 +1286,6 @@ public class LdapCoreSessionConnection i
>> {
>> this.directoryService = directoryService;
>> this.schemaManager = directoryService.getSchemaManager();
>> + this.session = directoryService.getAdminSession();
>> }
>> }
>>
>>
>>
>
>
> --
> Regards,
> Cordialement,
> Emmanuel Lécharny
> www.iktek.com
>
>
--
Best Regards,
-- Alex