doncicuto/glim

Proxy LDAP to limit scope of access

Closed this issue · 7 comments

Users can run Glim as a {read-only w/ logging,} proxy interface to {other} LDAP servers that expose far too much or don't have any concept of permissions.

From https://ldapwiki.com/wiki/LDAP%20Query%20Basic%20Examples ; the LDAP equivalent of SELECT * :

$ ldapsearch \
   -D "cn=exampleuser,dc=example,dc=com" \
   -w secret -p 389 -h server.example.com \
   -b "dc=example,dc=com" \
   -s sub "(objectclass=*)"   # subtree scope plus a presence-only filter: returns every entry

I just found these:

Thanks for opening the issue, it means a lot to me to get feedback from the community.

According to your comments:

  1. Would you like Glim to be a proxy for other LDAP servers so you can still use simple CLI commands (create, rm, update...) and REST API but not storing users and groups in your own database?
  2. Would you like Glim to block (objectclass=*) by default? I've found some applications that use it to get all entries for authentication, it could be a bad practice I assume.
  3. I'd be glad to review all the links you propose to improve Glim's security. I'll open some issues to track them down.

Thanks a lot

  1. Yeah, it may be better to connect an app to (HA) Glim over LDAP, then have Glim do limited queries as specified by config somehow
  2. That sounds like a more secure default; like blocking rm -rf /$HOME without -y
  3. Cool. Prior/existing_someday use case: "LDAP with GitLab CE and Mattermost (or Zulip)" for home/school labs without $ to upgrade to EE, which has actual LDAP (instead of omnibus-gitlab):
    • hopefully there's a just the LDAP adapter patch for CE edition somewhere
      • instead, we could just use the GitLab CE auth tables over LDAP with glim
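What a proxy policy of the kind discussed above (limited queries fixed by config, with `(objectclass=*)` refused by default) could look like, as an added Go example that is not Glim's code. The Policy structure, the example DNs and the `gitlab-users` group are assumptions made for the illustration. It generalises the single `(objectclass=*)` case from the ldapsearch example: the filter is parsed and any filter that can match every entry under the base (a presence test, an OR containing one, a NOT) is rejected, the search base and scope are confined to what the application was granted, and a per-application constraint is AND-ed onto whatever is forwarded, so the upstream server only ever answers for the entries that application is entitled to see.

```go
package main

import (
	"fmt"
	"strings"
)

// Policy is a hypothetical per-application allow-list; Glim has no such config.
type Policy struct {
	AllowedBaseDN string // searches must be rooted at or below this DN (compared lower-cased, no RFC 4514 normalisation)
	MaxScope      int    // widest scope a client may request: 0 base, 1 one-level, 2 subtree (RFC 4511 numbering)
	Constraint    string // filter AND-ed onto every forwarded search, "" for none
}

// node is a parsed RFC 4515 filter: op is '&', '|' or '!', or 0 for a leaf.
type node struct {
	op          byte
	children    []*node
	attr, value string // value "*" is a presence test such as (objectClass=*)
}

// parseNode handles (attr=value), (attr=*) and the &, |, ! combinators, which
// is all the policy needs; anything else is rejected rather than guessed at.
func parseNode(s string) (*node, string, error) {
	if len(s) < 2 || s[0] != '(' {
		return nil, "", fmt.Errorf("expected filter at %q", s)
	}
	s = s[1:]
	if c := s[0]; c == '&' || c == '|' || c == '!' {
		n, rest := &node{op: c}, s[1:]
		for strings.HasPrefix(rest, "(") {
			child, r, err := parseNode(rest)
			if err != nil {
				return nil, "", err
			}
			n.children, rest = append(n.children, child), r
		}
		if len(n.children) == 0 || (c == '!' && len(n.children) != 1) || !strings.HasPrefix(rest, ")") {
			return nil, "", fmt.Errorf("malformed %q filter", string(c))
		}
		return n, rest[1:], nil
	}
	end, eq := strings.IndexByte(s, ')'), strings.IndexByte(s, '=')
	if end < 0 || eq <= 0 || eq > end || strings.Contains(s[:end], "(") {
		return nil, "", fmt.Errorf("unsupported filter item at %q", s)
	}
	return &node{attr: strings.ToLower(s[:eq]), value: s[eq+1 : end]}, s[end+1:], nil
}

// unbounded reports whether a filter can match every entry under the base, as
// (objectClass=*), (uid=*) or (|(uid=*)(cn=*)) can. An AND is unbounded only if
// all operands are; a NOT always is, since the complement of a narrow match is wide.
func unbounded(n *node) bool {
	if n.op == 0 {
		return n.value == "*"
	}
	broad := n.op != '|' // AND and NOT start true, OR starts false
	for _, c := range n.children {
		if n.op == '&' {
			broad = broad && unbounded(c)
		} else {
			broad = broad || unbounded(c)
		}
	}
	return broad
}

// Authorize checks one search request against the policy and returns the
// filter the proxy should forward upstream, narrowed by the configured constraint.
func (p Policy) Authorize(baseDN string, scope int, filter string) (string, error) {
	if d, a := strings.ToLower(baseDN), strings.ToLower(p.AllowedBaseDN); d != a && !strings.HasSuffix(d, ","+a) {
		return "", fmt.Errorf("base %q is outside %q", baseDN, p.AllowedBaseDN)
	}
	if scope > p.MaxScope {
		return "", fmt.Errorf("scope %d exceeds permitted %d", scope, p.MaxScope)
	}
	f, rest, err := parseNode(filter)
	if err != nil || rest != "" {
		return "", fmt.Errorf("rejecting filter %q: %v (unparsed %q)", filter, err, rest)
	}
	if unbounded(f) {
		return "", fmt.Errorf("filter %q would enumerate the whole subtree", filter)
	}
	if p.Constraint != "" {
		return "(&" + p.Constraint + filter + ")", nil
	}
	return filter, nil
}

// examplePolicy is a constructed config for a GitLab-style consumer that only
// looks up single users under ou=people (DNs and group name are assumptions).
func examplePolicy() Policy {
	return Policy{AllowedBaseDN: "ou=people,dc=example,dc=com", MaxScope: 1,
		Constraint: "(memberOf=cn=gitlab-users,ou=groups,dc=example,dc=com)"}
}

func main() {
	fmt.Println(examplePolicy().Authorize("dc=example,dc=com", 2, "(objectclass=*)"))
	fmt.Println(examplePolicy().Authorize("ou=people,dc=example,dc=com", 1, "(uid=alice)"))
}
```

With this policy the SELECT * from the ldapsearch example above is refused twice over (subtree scope and a presence-only filter), while `(&(objectClass=*)(uid=alice))` is still allowed because the `uid` term bounds it. The read-only mode from the first comment is the complementary half: the proxy answers only bind, search and compare and never forwards add, modify, modrdn or delete. A production proxy would also allow-list the attributes a client may filter on and request, and normalise DNs per RFC 4514 instead of the lower-case comparison used here.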

Thanks again, I'll keep this issue opened until I create individual issues for these proposals and security enhancements. Eventually if I need more help to define new use cases I'll ping you back.

Possible README example / rephrasing:

  • how to connect Glim to an LDAP query so that that's all an app is aware of

Thank you @westurner, I've created a discussion about implementing Glim as a proxy for LDAP requests, for now Glim acts as an identity manager that stores users and groups in a database. I'll have this suggestion in the backlog and will try to implement it as soon as I've finished some prior issues. Also thank you for the security suggestions added to another pending issue.

Closing

Thanks