Re: LDAP -- MIDRANGE-L

Kurt,
You are correct to point out the ability to create and modify user profiles via 
LDAP.

I also agree that there are more serious problems with AS/400 security.

However, I believe that an active LDAP server does create a security exposure.

The LDAP server projected backend allows any AS/400 user to enumerate all user 
profiles he has access to, and to display details about this profile. 
That includes listing the group profile the user may belong to.
Many AS400 applications use group profiles to manage access to the applicxation 
objects. Take BPCS for example. All BPCS users belong to the SSA group,
and a BPCS user can retrieve the full list of all other BPCS users via LDAP, by 
querying the SSA profile.

All security experts recommend that acquiring a list of accounts on a server 
should not be made easy, because it opens some new attack vectors, like 
dictionary attacks and social engineering.

On top of this, LDAP is not protected by the current iSeries security products, 
and telnet is. You can fully manage and audit the telnet connections to your 
server, and while ldap has internal management and auditing capabilities, they 
are separated from the system auditing of from any other system log. 
Therefore, I recommend to turn LDAP off, unless there is business usage of it, 
and the sysadmin knows how to manage it.

Consider ldap as a chink in the as400 armor. It is not like the vulnerabilities 
that are periodically found on other platforms, the as400 has more severe 
problems, but nonetheless it is a chink in the armor.

Shalom
 

----- Original Message -----
From: midrange-l-request@xxxxxxxxxxxx
To: midrange-l@xxxxxxxxxxxx
Sent: 4/17/05 1:00 PM
Subject: MIDRANGE-L Digest, Vol 4, Issue 713

> date: Sun, 17 Apr 2005 11:04:09 -0500
> from: "Kurt Goolsbee" 
> subject: RE: LDAP
> 
> Shalom,
> 
> If you are going to promote selling your book and information here then you
> should at least provide the full explanation of what you are alleging.  
> 
> The interface you are referring to is available on the IBM Directory Server
> for OS/400, AIX and z/OS.  It has different names on each platform but it is
> available and it is read/write not just read.  When a request is made to the
> directory context for the projected backend the Directory Server uses APIs
> rather than database calls to service the request.  This keeps you (or
> OS400) from having to synchronize account data between the user repository
> and the directory.  When a client sends a modify, add or delete operation
> for a user to the server it will format the corresponding OS400 CRTUSRPRF,
> DLTUSRPRF or CHGUSRPRF command and attempt to execute it.  What is the most
> important to note is that in order to use the projected backend you must be
> authenticated using a projected user account.  This is required so that the
> directory server can service the request under the authority of the client.
> Bottom line is that you can't get a list of users that you do not have
> authority to see and likewise you can't modify users you don't have
> authority to.  Having the LDAP server open is no smaller or greater risk
> than having the telnet server open.  If it is then I'd argue that you have
> more serious security issues to deal with than worrying about this.
> 
> I talked to THE OS400 Security Expert about this alleged exposure a few
> weeks ago and their response was that this is not an issue.  
> 
> Kurt
> 
> -----Original Message-----
> From: midrange-l-bounces@xxxxxxxxxxxx
> [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of shalom@xxxxxxxxxx
> Sent: Sunday, April 17, 2005 9:35 AM
> To: midrange-l@xxxxxxxxxxxx
> Subject: RE: LDAP
> 
> Hey,
> You can't create new system user profiles via LDAP.
> 
> You can only list system user profiles via LDAP. 
> For an interesting example of the security problem this may present,
> read the relevant article on my web site, at www.venera.com/downloads.htm
> 
> (or just google for as400 ldap)
> 
> Shalom Carmel
> --