Bridging the gap

Adding missing client (security) features using OpenLDAP proxy servers

Mark Pröhl & Michael Weiser
Dumb clients

• The world still is full of dumb legacy clients
  – No SASL support / support only simple binds
  – No or weak TLS support
  – Cannot be changed: closed source or unmaintained in-house / external custom code

[Diagram: Client (dumb) → 389/ldap/StartTLS, 636/ldaps, SASL → directory o=org]
Dumb clients

• The world still is full of dumb legacy clients
  – may even expect a specific directory structure → not subject of this talk → rwm (rewrite/remap overlay)

• Especially in enterprise environments
  – Notorious example: Oracle software supports strong TLS only with OAS, which is 15kEUR per CPU

[Diagram: Client (dumb) → 389/ldap/StartTLS, 636/ldaps, SASL → directory o=org]
(Start)TLS-wrapping proxy

• Introduce a proxy in between the dumb client and the actual LDAP server; the proxy uses (Start)TLS towards the backend
• Straightforward solution
• Works remarkably well out of the box with OpenLDAP's ldap backend

[Diagram: Client (dumb) → 389/ldap, simple bind as uid=user,o=org with password "secret" → Proxy → 389/ldap/StartTLS or 636/ldaps, simple bind as uid=user,o=org with password "secret" → directory o=org]
(Start)TLS-wrapping proxy

• Even retains the client's bind identity
• But not all directories support (Start)TLS
• e.g. Active Directory has SASL's GSSAPI-based transport security enabled out of the box, which makes TLS redundant

[Diagram: Client (dumb) → 389/ldap, simple bind as uid=user,o=org with password "secret" → Proxy → 389/ldap/StartTLS or 636/ldaps, simple bind as uid=user,o=org with password "secret" → directory o=org]
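The (Start)TLS-wrapping proxy of the two slides above as a slapd.conf fragment for OpenLDAP's ldap backend. This is an added example, not configuration from the talk; the backend host ldap.example.org, the CA bundle path, the pid/args file paths and the local-only listener address are assumptions.

```conf
# Added example: slapd.conf for a (Start)TLS-wrapping proxy in front of
# a dumb client. Assumed names: backend ldap.example.org, CA bundle
# /etc/ssl/certs/org-ca.pem. Start the proxy with a local-only listener,
# e.g. "slapd -h ldap://127.0.0.1/ -f /etc/openldap/slapd-proxy.conf":
# the client's leg of the proxy is still plaintext LDAP, so it must not
# be reachable from the network.
include         /etc/openldap/schema/core.schema
pidfile         /var/run/slapd/slapd-proxy.pid
argsfile        /var/run/slapd/slapd-proxy.args
moduleload      back_ldap.la

database        ldap
suffix          "o=org"
uri             "ldap://ldap.example.org/"
# StartTLS towards the backend. "start" (as opposed to "try-start")
# fails the backend connection if StartTLS cannot be negotiated, and
# tls_reqcert=demand refuses a server certificate that does not verify
# against the CA bundle, so the backend leg cannot silently fall back
# to plaintext. For a directory that only offers port 636, use
# uri "ldaps://ldap.example.org/" and drop the "start" line; certificate
# verification then follows the global TLS settings (TLSCACertificateFile
# in slapd.conf or TLS_CACERT in ldap.conf).
tls             start tls_cacert=/etc/ssl/certs/org-ca.pem tls_reqcert=demand
# No idassert-bind here: the client's simple bind (uid=user,o=org with
# its password) is forwarded unchanged, so the backend still sees the
# real bind identity ("even retains the client's bind identity").
```

A quick check that the backend leg really is protected: with `loglevel stats` on the proxy, a client bind must produce a backend connection whose `tls=` value in the backend server's own log (or a packet capture on port 389 towards the backend) shows the StartTLS handshake before the bind, and deliberately pointing tls_cacert at an unrelated CA must make the proxy's binds fail rather than succeed.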
SASL/GSSAPI-wrapping proxy

• OpenLDAP's ldap backend can use SASL binds towards the backend servers
• Using SASL/GSSAPI is just a matter of
  – configuring the new auth mechanism and
  – providing a ticket cache containing appropriate Kerberos tickets

[Diagram: Client (dumb) → 389/ldap, simple bind « anonymous » → Proxy (Kerberos ticket cache) → 389/ldap, SASL/GSSAPI as proxy@ORG to ldap/server → directory o=org]
SASL/GSSAPI-wrapping proxy

• Client can only bind anonymously
  – access restrictions have to be implemented some other way (e.g. iptables owner rules for local processes)
• Client's bind identity is no longer retained

[Diagram: Client (dumb) → 389/ldap, simple bind « anonymous » → Proxy (Kerberos ticket cache) → 389/ldap, SASL/GSSAPI as proxy@ORG to ldap/server → directory o=org]
SASL/GSSAPI-wrapping proxy ext.

• Can be extended with a local auth store
  – either by adding a separate suffix with a local backend containing bind DNs
  – or by providing e.g. userPassword attributes to existing backend DNs using the translucent overlay

[Diagram: Client (dumb) → 389/ldap, simple bind as cn=pusr,cn=pauth with password "proxysecret" → Proxy (local suffix cn=pauth) → 389/ldap, SASL/GSSAPI as proxy@ORG to ldap/server → directory o=org]
SASL/GSSAPI-wrapping proxy ext.

• Still: the bind identity is lost and all users are able to do what the GSSAPI backend bind user is allowed to do → local ACLs

[Diagram: Client (dumb) → 389/ldap, simple bind as cn=pusr,cn=pauth with password "proxysecret" → Proxy (local suffix cn=pauth) → 389/ldap, SASL/GSSAPI as proxy@ORG to ldap/server → directory o=org]
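The SASL/GSSAPI-wrapping proxy with the separate local auth suffix and the local ACLs from the last four slides, as one slapd.conf fragment. This is an added example, not configuration from the talk; the backend host ldap.example.org, the realm EXAMPLE.ORG, the principal proxy@EXAMPLE.ORG, the subtree ou=people,o=org, the attribute list, the directory path and the way the ticket cache is maintained (k5start and KRB5CCNAME) are all assumptions.

```conf
# Added example: slapd.conf for the SASL/GSSAPI-wrapping proxy with a
# local auth store and local ACLs. Assumed names: backend
# ldap.example.org, realm EXAMPLE.ORG, proxy principal
# proxy@EXAMPLE.ORG, local bind DNs under cn=pauth. The Kerberos ticket
# cache is maintained outside slapd (for instance by k5start from a
# keytab) and its path is exported as KRB5CCNAME in slapd's environment.
include         /etc/openldap/schema/core.schema
moduleload      back_mdb.la
moduleload      back_ldap.la

# ---- local auth store: bind DNs for the dumb clients ----
database        mdb
suffix          "cn=pauth"
directory       /var/lib/ldap/pauth
rootdn          "cn=admin,cn=pauth"
rootpw          "PLACEHOLDER-generate-with-slappasswd"
# Password hashes are never readable; they may only be used for binding.
access to attrs=userPassword
        by anonymous auth
        by self auth
        by * none
access to *
        by self read
        by * none

# ---- proxy towards the GSSAPI-only backend ----
database        ldap
suffix          "o=org"
uri             "ldap://ldap.example.org/"
# Read-only: lookup clients do not need writes, and any write would
# otherwise be executed on the backend as the proxy principal.
restrict        write
# Every backend operation runs as proxy@EXAMPLE.ORG using the tickets in
# the credential cache. mode=none sends no proxyAuthz control, so the
# backend only ever sees the proxy identity: the client's bind identity
# is lost. secprops=minssf=56 refuses a backend session whose GSSAPI
# layer provides no integrity/confidentiality protection.
idassert-bind   bindmethod=sasl saslmech=GSSAPI authcID=proxy@EXAMPLE.ORG
                mode=none secprops=minssf=56
# Only identities that bound to the local store may borrow the proxy's
# Kerberos identity; anonymous clients are forwarded anonymously and
# the backend refuses them.
idassert-authzFrom "dn.children:cn=pauth"
# Local ACLs: the backend cannot tell the local users apart, so the
# proxy itself limits them to the subtree and attributes they need.
access to dn.subtree="ou=people,o=org" attrs=entry,objectClass,uid,cn,sn,mail
        by dn.children="cn=pauth" read
        by * none
access to *
        by * none
```

Two things to verify after starting the proxy: `ldapwhoami -x -D cn=pusr,cn=pauth -W` against the proxy must succeed while the same bind against the backend directly fails (the password exists only locally), and a search as that user outside ou=people,o=org, or for an attribute not in the list, must return nothing even though proxy@EXAMPLE.ORG could read it. Because every backend request is logged there under the proxy principal, the proxy's own `loglevel stats` output is the only place the real client identity is recorded; keep those logs.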
What others are doing

• Various commercial AD-integration solutions provide LDAP proxies that do "full service":

[Diagram: Client (dumb) → 389/ldap, simple bind as uid=user,o=org with password "secret" → Proxy (Kerberos ticket cache); 1.) determine the user's Kerberos principal via 389/ldap, SASL/GSSAPI as proxy@ORG → user@ORG; 2.) acquire tickets for user@ORG from the KDC using the Kerberos secret; 3.) 389/ldap, SASL/GSSAPI as user@ORG to ldap/server → directory o=org]
What others are doing

• Various commercial AD-integration solutions provide LDAP proxies that
  – convert frontend simple binds to SASL/GSSAPI backend binds by
  – looking up/constructing the Kerberos principal corresponding to the bind DN,
  – requesting a TGT with that principal and the bind password and
  – using this Kerberos ticket to access the backend
Thanks!
Mark Pröhl & Michael Weiser
info@science-computing.de
