Solaris LDAP Insecurities

I've been doing quite a bit of research regarding the native LDAP client bundled with Solaris 9 and 10 and I've found a couple of issues.

1) When using "passwd" to change an SSHA hashed password, the resulting password is stored in unix crypt format.
2) Any user on a Sun LDAP client can get a list of all LDAP users in the directory (including their encrypted password)

Issue #2 is pretty bad to begin with, but coupled with issue #1, it's horrible. You might as well not use the shadow file.

After poking around the directory server access logs and ACIs, here's what's going on. The Solaris native LDAP client binds to the LDAP directory with the proxy user credentials defined in /var/ldap/ldap_client_cred. As part of the proxy user creation (part of idsconfig) an ACI is created that allows the proxy user to read passwords. When you run ldaplist -l passwd, the LDAP client connects to the directory as the proxy user and does a search for uid=* in ou=people,dc=example,dc=com with attributes=ALL. Since the proxy user can read passwords, the encrypted password field is returned by this search and displayed to the user.

The big problem here is that any user on the system can run ldaplist. Also, this returns every user in the directory, not just the users in the netgroups that the system is a member of.

A quick fix was to modify the ACI so that the proxy user does not have the ability to read passwords. We've been running this way in production for over a year now, so I think it's pretty safe.
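To verify that the ACI change actually took effect (and to see which accounts have fallen back to the crypt scheme described in issue #1), it helps to audit what the proxy user can still read. The following script is an added example, not part of the original post or of Solaris: it parses LDIF (as produced by ldapsearch run with the proxy user's credentials from /var/ldap/ldap_client_cred), reports every entry whose userPassword came back, and classifies the hash scheme by its {SCHEME} prefix. The sample LDIF and the DNs in it are constructed for illustration; a clean run after the ACI fix should report no exposed entries at all.

```python
"""Audit an LDIF dump for password hashes visible to the Solaris LDAP proxy user.

Usage (assumed workflow, not from the original post):
    ldapsearch -D "<proxy user DN>" -w "<proxy password>" \
        -b ou=people,dc=example,dc=com "uid=*" > people.ldif
    python audit_ldif.py people.ldif
"""
import base64
import re
import sys

# Constructed sample output, not real directory data. "dave" shows the
# base64-encoded form (double colon) that ldapsearch uses for binary values.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
uid: alice
userPassword: {SSHA}MTIzNDU2Nzg5MGFiY2RlZmdoaWprbG1ub3BxcnN0dXZ3eHl6
uidNumber: 1001

dn: uid=bob,ou=people,dc=example,dc=com
uid: bob
userPassword: {crypt}$1$abcdefgh$ijklmnopqrstuvwxyzABCD
uidNumber: 1002

dn: uid=carol,ou=people,dc=example,dc=com
uid: carol
uidNumber: 1003

dn: uid=dave,ou=people,dc=example,dc=com
uid: dave
userPassword:: e2NyeXB0fWFiY2Q=
uidNumber: 1004
"""


def classify_hash(value):
    """Return the password scheme: the {SCHEME} prefix if present, else a
    best-effort guess (13-char traditional crypt or $id$ modular crypt)."""
    m = re.match(r"^\{([A-Za-z0-9-]+)\}", value)
    if m:
        return m.group(1).upper()
    if re.fullmatch(r"[./0-9A-Za-z]{13}", value) or value.startswith("$"):
        return "CRYPT"
    return "UNKNOWN"


def parse_ldif(text):
    """Minimal LDIF parser: unfolds continuation lines, decodes '::' base64
    values, and returns a list of {"dn": ..., "attrs": {name: [values]}}."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:      # folded continuation line
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries, current = [], None
    for line in unfolded + [""]:                  # trailing "" flushes last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if current is not None:
                entries.append(current)
                current = None
            continue
        attr, _, rest = line.partition(":")
        attr = attr.strip().lower()
        if rest.startswith(":"):                   # "attr:: base64value"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        if attr == "dn":
            current = {"dn": value, "attrs": {}}
        elif current is not None:
            current["attrs"].setdefault(attr, []).append(value)
    return entries


def audit_ldif(text):
    """Report which entries expose userPassword and which use the crypt scheme."""
    entries = parse_ldif(text)
    exposed = []
    for entry in entries:
        for value in entry["attrs"].get("userpassword", []):
            exposed.append((entry["dn"], classify_hash(value)))
    return {
        "total": len(entries),
        "exposed": exposed,
        "crypt_scheme": [dn for dn, scheme in exposed if scheme == "CRYPT"],
    }


if __name__ == "__main__":
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LDIF
    report = audit_ldif(data)
    print(f"{report['total']} entries, {len(report['exposed'])} expose userPassword")
    for dn, scheme in report["exposed"]:
        print(f"  {scheme:8} {dn}")
    if report["exposed"]:
        sys.exit(1)   # non-zero exit: the proxy user can still read passwords
```

Run it against the sample and it flags alice (SSHA), bob and dave (crypt) while carol, whose hash was not returned, is silent; that is exactly the state issue #2 describes. Once the proxy user's ACI no longer grants read on userPassword, the same ldapsearch should yield an LDIF with no userPassword lines and the script exits 0, which makes it a cheap post-change check to keep in a cron job.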