Tuesday, January 2, 2007

Solaris LDAP Insecurities

I've been doing quite a bit of research regarding the native LDAP client bundled with Solaris 9 and 10 and I think I've found a couple of issues.

  1. When using "passwd" to change an SSHA hashed password, the resulting password is stored in unix crypt format.
  2. Any user on a Sun LDAP client can get a list of all LDAP users in the directory (including their encrypted passwords).
Issue #2 is pretty bad to begin with, but coupled with issue #1, it's horrible. You might as well keep everything in /etc/passwd.

After poking around the directory server access logs and ACIs, here's what's going on. The Solaris native LDAP client binds to the LDAP directory with the proxy user credentials defined in /var/ldap/ldap_client_cred. As part of the proxy user creation (in idsconfig, I'm assuming) an ACI is created that allows the proxy user to read passwords. When you run ldaplist -l passwd, the LDAP client connects to the directory as the proxy user and does a search for uid=* in ou=people,dc=example,dc=com with attributes=ALL. Since the proxy user can read passwords, the encrypted password field is returned by this search and displayed to the user.

The big problem here is that any user on the system can run ldaplist. Also, this returns every user in the directory, not just the users in the netgroups that system is a member of.

For now I've removed the ACI that allows the proxy user to read passwords. This resolves the immediate problem, but may have broken other things. I'm still able to log in, change my password, and RBAC still seems to be working.
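To see concretely what a proxy-bound search hands back, and to verify that it hands back nothing once the ACI is gone, here is an added audit script (written for this page, not from the original post or from Sun). It reads the LDIF that an ldapsearch bound with the proxy credentials prints (the assumption is standard LDIF output, so ldaplist's own layout would first need converting), reports every entry whose userPassword came back, and classifies each hash scheme so you can see how many accounts already sit in plain crypt rather than SSHA. The sample LDIF and its hashes are constructed; the helper names are my own.

```python
"""Audit an LDIF dump for exposed userPassword values and their hash scheme.

Added example, not code from the original post.  The sample LDIF below is
constructed and the hashes in it are fake.
"""
import base64
import re

# Constructed sample: the kind of output an ldapsearch bound with the
# /var/ldap/ldap_client_cred proxy identity gives while the proxy user may
# still read userPassword.  The third entry uses LDIF's base64 form ('::')
# only to exercise the decoder.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
uid: alice
userPassword: {SSHA}AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
loginShell: /bin/ksh

dn: uid=bob,ou=people,dc=example,dc=com
uid: bob
userPassword: {crypt}abJnggxhB/yWI
loginShell: /bin/sh

dn: uid=carol,ou=people,dc=example,dc=com
uid: carol
userPassword:: e2NyeXB0fWFiSm5nZ3hoQi95V0k=
loginShell: /bin/sh

dn: uid=dave,ou=people,dc=example,dc=com
uid: dave
loginShell: /bin/sh
"""

SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}")
# Schemes a defender should treat as weak for a directory-stored password.
WEAK_SCHEMES = {"crypt", "clear", "unknown"}


def password_scheme(value):
    """Name (lower case) of the hash scheme a userPassword value carries.
    An unprefixed 13-character string in the crypt alphabet is reported as
    traditional UNIX crypt; any other unprefixed value is 'unknown'."""
    m = SCHEME_RE.match(value)
    if m:
        return m.group(1).lower()
    if re.fullmatch(r"[./0-9A-Za-z]{13}", value):
        return "crypt"
    return "unknown"


def parse_ldif(text):
    """Minimal LDIF reader: list of entries, each a dict mapping lower-cased
    attribute name -> list of values.  Handles folded lines (leading space)
    and base64 values ('::'); an entry counts only once it has a dn."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries, current = [], {}
    for line in unfolded + [""]:          # trailing "" flushes the last entry
        if not line.strip():
            if "dn" in current:
                entries.append(current)
            current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    return entries


def audit(text):
    """Map uid -> hash scheme for every entry whose userPassword was
    returned.  An empty result means the search exposed no password hashes,
    which is what you want to see after the proxy-user ACI is removed."""
    findings = {}
    for entry in parse_ldif(text):
        uid = entry.get("uid", [entry["dn"]])[0]
        for pw in entry.get("userpassword", []):
            findings[uid] = password_scheme(pw)
    return findings


def weak_accounts(findings):
    """Sorted uids whose exposed hash uses a weak scheme."""
    return sorted(u for u, s in findings.items() if s in WEAK_SCHEMES)


if __name__ == "__main__":
    import sys
    # Pipe real ldapsearch output in; with no pipe, run on the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LDIF
    found = audit(text)
    print("entries returning userPassword: %d" % len(found))
    for uid, scheme in sorted(found.items()):
        print("  %-12s %s" % (uid, scheme))
    print("weak schemes: %s" % (", ".join(weak_accounts(found)) or "none"))
```

Run it once before and once after removing the ACI: the first run lists every account whose hash the proxy user can read (and flags the ones that have already drifted to crypt), and the second should report zero entries returning userPassword while logins and passwd still work.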

We'll see how things go over the next couple of days, I guess. :-)

The problem with Open source software..

I was doing my daily news tour (ISC, digg, slashdot, etc) when I came across this.

Apparently, the official download site for MySQL binaries and source packages is gone. Instead of the typical open source MySQL, mysql.com is pushing a new database server called "MySQL Enterprise".

It looks like MySQL is doing the same thing that Red Hat did a few years back: pulling support for their "free" version and offering an "Enterprise" product in its place. While I don't have a problem with this in theory, it does cause a pretty significant problem for people who rely on MySQL for their production databases. At the moment, you can still download the current MySQL binary and source packages from the MySQL community site. However, I believe this will soon change.

This is the basic problem with OSS. It's free, which means you're not going to make much money by selling it. It doesn't make for a very good business plan.

What scares me, though, is how easily companies adopt open source products. I know of at least one mid-sized ISP that runs their entire email system on a MySQL database. If MySQL were to disappear or the license were to change, they would be up a creek big time.

Before implementing any OSS into your environment, you should ask yourself a couple of basic risk management questions.
  1. If this project goes stale, can my organization support this product internally?
  2. Can the license change? If so, how will it impact my organization?
It is up to you and your organization to decide if this is an acceptable risk or not.

Personally, I think that this is a good change for MySQL AB as a company and MySQL as a database. In the end we should see a higher quality product. However, I think the existing MySQL user base is being left out in the cold.

- Mike

UPDATE:

Here are some links..

http://www.mysql.com/news-and-events/news/article_1171.html
- official announcement
http://www.planetmysql.org/kaj/?p=64
- planetmysql blog post

UPDATE 2:

It turns out that the links on the community download site are to OLD releases. To get the most current MySQL source release (no binaries available) go to ftp://ftp.mysql.com/pub/mysql/src