Troubles with idp.authn.LDAP.returnAttributes property
Guillaume Rousse
guillaume.rousse at renater.fr
Thu Oct 3 11:53:36 EDT 2019
On 03/10/2019 at 16:43, Peter Schober wrote:
> * Guillaume Rousse <guillaume.rousse at renater.fr> [2019-10-03 15:39]:
>> Our current configuration uses the default ldap.properties file content:
>> ## Return attributes during authentication
>> idp.authn.LDAP.returnAttributes =
>
> That's not the default, at least not in my conf/ldap.properties nor
> in the shipped distributed copy in dist/conf/ldap.properties which you
> could check yourself:
>
> idp.authn.LDAP.returnAttributes = passwordExpirationTime,loginGraceRemaining
>
>> However, all attributes are currently being retrieved, which is both fragile
>> (the authentication issue was caused by a JPEG image stored in an LDAP
>> attribute, triggering a 'maximum request size exceeded' error) and
>> undesirable, as it exposes sensitive information.
>
> While a well-behaved LDAP client only asks for what it needs that does
> not replace proper configuration of ACLs/ACIs on the server!
> An LDAP DSA should not hand out "everything" to anyone that asks,
> *especially* not password hashes. That would be a major security
> issue. (Who knows how many of your LDAP services have been receiving
> hashed passwords in the past?!)
I don't think we have an LDAP ACL issue here, as a user is entitled to
read and write their own password. From what I understood, one of the
purposes of retrieving attributes during user authentication is precisely
to retrieve user-only attributes not available during the standard attribute
resolution phase.
Regards.
--
Guillaume Rousse
Pôle SSI
Tel: +33 1 53 94 20 45
www.renater.fr
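A small configuration check for the setting discussed in this thread, added here as an example and not part of Shibboleth's own code: it parses a `ldap.properties` file and reports whether `idp.authn.LDAP.returnAttributes` is empty, which, as reported above, makes the IdP request every attribute of the user entry. The properties parser is a hypothetical minimal one and the sample file contents are constructed.

```python
"""Audit idp.authn.LDAP.returnAttributes in a Shibboleth IdP ldap.properties.

Hypothetical helper, not part of Shibboleth. Assumes (as reported in the
thread) that an empty value makes the IdP request every attribute during
authentication, which is fragile and over-exposes the user entry.
"""
import re

KEY = "idp.authn.LDAP.returnAttributes"
# Value quoted in the thread as shipped in dist/conf/ldap.properties.
SHIPPED_DEFAULT = "passwordExpirationTime,loginGraceRemaining"


def parse_properties(text: str) -> dict:
    """Minimal Java .properties parser: '#'/'!' comment lines, '=' or ':'
    separators, and backslash line continuations."""
    props, logical = {}, []
    for raw in text.splitlines():
        line = raw.rstrip()
        if logical:              # continuation: leading blanks are dropped
            line = line.lstrip()
        if line.endswith("\\"):
            logical.append(line[:-1])
            continue
        logical.append(line)
        full, logical = "".join(logical), []
        if not full.strip() or full.strip()[0] in "#!":
            continue
        m = re.match(r"\s*([^=:\s]+)\s*[=:]?\s*(.*)$", full)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def audit_return_attributes(text: str) -> dict:
    """Classify the returnAttributes setting found in ldap.properties."""
    value = parse_properties(text).get(KEY)
    if value is None:
        return {"status": "missing", "attributes": []}
    attrs = [a.strip() for a in value.split(",") if a.strip()]
    if not attrs:
        # Empty list: the IdP asks the DSA for the whole entry.
        return {"status": "all-attributes", "attributes": []}
    return {"status": "explicit", "attributes": attrs}


# Constructed samples mirroring the two configurations quoted in the thread.
SAMPLE_EMPTY = "## Return attributes during authentication\n" + KEY + " =\n"
SAMPLE_DEFAULT = KEY + " = " + SHIPPED_DEFAULT + "\n"

if __name__ == "__main__":
    for name, text in (("empty", SAMPLE_EMPTY), ("shipped", SAMPLE_DEFAULT)):
        print(name, audit_return_attributes(text))
```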