by mountaineer22 3518 days ago
Could you elaborate on your attack scenarios?

Maybe I am wrong, but can you not have multiple LDAP server in a hierarchical relationship?

So, for a hackathon, a child LDAP server would be used, but if compromised, would be limited to the administrative capacities of the role created for the hackathon LDAP admin/authentication roles?

1 comment

Yes, I totally messed up by not explaining the scenarios, so here are two I can think of:

- Someone naively sets up error reporting that takes the POST data and logs it somewhere. Employees can now see the passwords from POST data and impersonate each other, or in an even worse case, a vulnerability with the error reporting software can leak the passwords to the public.

- Employees will just leak their own passwords like any human would. LDAP locks you into using one password for everything, making this a much larger risk.
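The first scenario above (error reporting that logs raw POST data) is easy to reproduce and easy to close. The following is an added example, not code from anyone in this thread: a naive error record that writes the body verbatim next to a version that redacts credential-looking fields from form-encoded and JSON bodies and from headers before anything is logged. The field-name pattern, the helper names and the sample login request are all constructed for the example.

```python
"""Redact credential fields from captured POST data before it reaches an
error log. Added example; the sensitive-field pattern, helper names and the
sample request below are constructed for illustration."""
import json
import re
from urllib.parse import parse_qsl, urlencode

# Field or header names that must never reach a log, matched case-insensitively
# as substrings so that "new_password", "PassWd", "api_token" etc. are caught.
# Deliberately broad: a false positive redacts a harmless value, a false
# negative logs a secret.
SENSITIVE_PATTERN = re.compile(
    r"pass(word|wd|phrase)?|secret|token|authorization|api[_-]?key|cookie", re.I)
REDACTED = "[REDACTED]"


def is_sensitive(name: str) -> bool:
    return SENSITIVE_PATTERN.search(name) is not None


def redact_mapping(data):
    """Recursively redact values whose key looks like a credential."""
    if isinstance(data, dict):
        return {k: (REDACTED if is_sensitive(str(k)) else redact_mapping(v))
                for k, v in data.items()}
    if isinstance(data, list):
        return [redact_mapping(v) for v in data]
    return data


def redact_body(content_type: str, body: str) -> str:
    """Return a log-safe copy of a request body. Bodies we cannot parse are
    omitted entirely rather than logged verbatim (fail closed)."""
    ct = content_type.split(";", 1)[0].strip().lower()
    if ct == "application/x-www-form-urlencoded":
        pairs = parse_qsl(body, keep_blank_values=True)
        return urlencode([(k, REDACTED if is_sensitive(k) else v)
                          for k, v in pairs])
    if ct == "application/json":
        try:
            return json.dumps(redact_mapping(json.loads(body)), sort_keys=True)
        except ValueError:
            return "[unparseable JSON body omitted]"
    return "[body omitted: %s]" % (ct or "unknown content type")


def redact_headers(headers):
    """Cookies and Authorization headers are credentials too."""
    return {k: (REDACTED if is_sensitive(k) else v) for k, v in headers.items()}


def naive_error_record(req):
    """What the thread warns about: the raw POST body goes straight into the log."""
    return "500 on %s %s body=%r" % (req["method"], req["path"], req["body"])


def safe_error_record(req):
    """Same record, with body and headers redacted before formatting."""
    return "500 on %s %s headers=%r body=%r" % (
        req["method"], req["path"],
        redact_headers(req["headers"]),
        redact_body(req["headers"].get("Content-Type", ""), req["body"]))


# Constructed sample: a login form post (the kind that hits an LDAP bind
# behind the app) that raised an exception.
SAMPLE_REQUEST = {
    "method": "POST",
    "path": "/login",
    "headers": {"Content-Type": "application/x-www-form-urlencoded",
                "Cookie": "session=abc123",
                "User-Agent": "curl/8.0"},
    "body": "username=alice&password=hunter2&next=%2Fdashboard",
}

if __name__ == "__main__":
    print(naive_error_record(SAMPLE_REQUEST))
    print(safe_error_record(SAMPLE_REQUEST))
```

The redaction runs on the application side, before the record is handed to any error-reporting library, so it holds regardless of how that library or its hosted backend stores and exposes events; the denylist approach is a last line of defence, and marking known credential fields explicitly at the form or schema level is stricter still.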

> Someone naively sets up error reporting that takes the POST data and logs it somewhere

If you are not securing your logs, you may have a much bigger problem than just exposing user passwords.

> Employees can now see the passwords from POST data and impersonate each other

Then either don't give them access to logs (where they can find far more dangerous information than a password) or simply accept that (common for developers) they have to be trusted, and your auth protocol really doesn't matter in that case.

> a vulnerability with the error reporting software can leak the passwords to the public

Again, if your logs become public, passwords really may not be the worst of your problems.

Keep in mind that main benefit of having LDAP server is centralized user management. Once you have that, you are free to use whatever auth protocol you wish - LDAP, OAuth, whatever the apps will support. LDAP is particularly easy to use, but if you don't like it and have control over your applications, use something else.

How is this not true of any other centralized authentication system?

I don't know, this is why I'm asking. I don't know if the issue even really exists or if there are workarounds.

But OAuth tokens for instance are bound to services, aren't they? If I'm correct, that would make that sort of centralized auth resilient to apps leaking credentials.

There could be a bug in the OAuth server, where tokens are issued. Credentials could be logged there.