× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. MIDRANGE-L
  3. April 2005

Re: Recent bugtraq postings

The LDAP server is started automatically on a scratch install with the 
administrator id set to cn=administrator and a randomly generated password. 
However, this is only done if there is no evidence of an existing LDAP 
server on the network (check done via DNS). If the 400 is configured to use 
a windows (2k/03) DNS server, then it is likely to find evidence of an 
existing LDAP server. Once started, you have an LDAP server that will accept 
anonymous binds or binds using real OS400 user profiles and passwords..

In order to see any real user profiles and/or groups via LDAP, you must be 
authenticated to LDAP using an OS400 user profile. At that point you will 
only be able to see those profiles and groups to which you have some sort of 
authority (being a member of group gives you the authority to see group and 
other members of the group. If you bind anonymously -- even if you know the 
projected user profile DN and try to access the DN to the projected user 
profiles and/or to a specific user profile, you are not allowed. 

If anyone finds different behavior they should immediately report a sev 1 
integrity APAR to IBM in order to correct the behavior.

So, if you do nothing to the LDAP server, after a scratch install, it will 
accept anonymous binds and show absolutely nothing to whomever bound to it. 
You can change this behavior to not automatically start by changing the 
"autostart" parameter to NO. Those folks that can authenticate to LDAP with 
a real user ID and password will be able to see their profile and any 
profiles or groups to which they are explicitly authorized. If the profile 
also has *SECADM, they would be able to create and delete or change those 
profiles to which they are authorized through this interface also (great for 
distributed user management), but this is no different than if they logged 
into a green screen or were using iSeries Navigator.

Once bound to the LDAP server with a real OS400 user profile and password, 
LDAP follows the system rules for the user profiles and groups you are 
allowed to see. The system has always allowed members of a group to see the 
profiles of other members of the group.

I would have expected a security expert trying to perform a useful service 
to take his/her investigation far enough to determine that it wasn't the 
LDAP interface providing the behavior, but an architected system behavior. 
If that behavior is objectionable, one of the appropriate steps is to 
officially notify IBM via the APAR process.

On 4/22/05, rob@xxxxxxxxx <rob@xxxxxxxxx> wrote:
> 
> Good points.
> 
> Rob Berendt
> --
> Group Dekko Services, LLC
> Dept 01.073
> PO Box 2000
> Dock 108
> 6928N 400E
> Kendallville, IN 46755
> http://www.dekko.com
> 
> Mark Phippard <MarkP@xxxxxxxxxxxxxxx>
> Sent by: midrange-l-bounces@xxxxxxxxxxxx
> 04/22/2005 11:53 AM
> Please respond to
> Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
> 
> To
> Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
> cc
> 
> Subject
> RE: Recent bugtraq postings
> 
> midrange-l-bounces@xxxxxxxxxxxx wrote on 04/22/2005 11:46:28 AM:
> 
> > Because, unless they assume that Chuck Schrimper from the address book,
> > has an i5 id of CHUCK, what damage can they do to our i5 data? Now,
> > granted, on our biggest production i5 only 9% of the disk is taken up by
> 
> > DB2 data like BPCS ERP, software plus accounting and payroll, etc and
> the
> > rest is Domino, TSM backups, and IXS cards the definition of "i5 data"
> > takes on new meaning.
> 
> 1) I run LDAP on my iSeries and none of our OS/400 profiles are listed. I
> 
> did not need that feature so I did not enable it.
> 
> 2) You do not need to allow people to bind to your directory anonymously.
> 
> Typically you only enable that ability when you want your LDAP directory
> to be like a public address book.
> 
> 3) A hacker already knows several iSeries profiles that exist, besides
> CHUCK.
> 
> 4) With the exception of the password, your Domino address book contains
> everything someone needs to login to Domino. This is no different that
> knowing just an iSeries ID. You do not have any sensitive info in Domino?
> 
> Who is to say they will not be able to read emails containing both
> usernames and passwords. Not to mention emails that provide access about
> other people's ID's. Do you know what your executives have in their
> Domino mail boxes?
> 
> I just fail to see how it is a security exposure that the LDAP server is
> doing what it is supposed to do. Has something changed that I am not
> aware of? Is the LDAP server now configured and started by default and
> also automatically loaded with all iSeries profiles? When I worked with
> it, I had to turn all of this on myself.
> 
> Mark
> 
>

As an Amazon Associate we earn from qualifying purchases.

This thread ...
Replies:
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.