Description of problem:
Upstream issue https://github.com/threerings/openvpn-auth-ldap/issues/19. Basically the code binds before doing starttls, which (1) causes the bind password to be transmitted in plaintext, and (2) implicitly unbinds, making the bind useless.

Version-Release number of selected component (if applicable):
openvpn-auth-ldap-2.0.3-14.1el7 (and probably all previous versions)

How reproducible:
Install openvpn-auth-ldap, set up a VPN server instance to use it, set BindDN and Password in the Authorization section of the auth-ldap.conf file, set RequireGroup=true and set up a group.

Steps to Reproduce:
1. Set up a RHEL 7 freeipa instance with at least one user and one group.
2. Set up VPN server as described above. Set up openvpn-auth-ldap to authenticate against the freeipa LDAP server and require the user to be a member of at least one group.
3. Start openvpn.
4. Connect from a client system.

Actual results:
Client successfully authenticates and binddn password is not transmitted in plaintext.

Expected results:
Authentication fails due to not being able to query the group membership (since the bind has been reset by starttls). The bind password is transmitted in plaintext since the bind occurred before starttls.

Additional info:
Upstream patch at https://github.com/threerings/openvpn-auth-ldap/commit/4a87c1a59717acd5de8831c9561b9fe338efa9c5#diff-6b63bb233e57531d2583d0a7a36726d4

There was no upstream CVE issued for this even though it is a huge security hole IMHO. Mitigated by the fact that most openldap server deployments will not require a binddn to access group information.
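The ordering problem the report describes is visible on the wire: a simple BindRequest sent before the StartTLS extended request carries the BindDN password as a cleartext OCTET STRING, and whatever is sent after StartTLS is inside TLS. The script below is an added example, not code from the bug report or from openvpn-auth-ldap: a minimal BER decoder for LDAPMessage that audits the cleartext part of a client's stream and flags a bind that precedes StartTLS, recovering the DN and password exactly as a passive observer could. The sample messages, the DN and the password are constructed for the example; the tags and the StartTLS OID are the ones defined in RFC 4511.

```python
"""Added example: audit the cleartext LDAP stream for a simple bind sent before StartTLS."""
from typing import Dict, List, Tuple

START_TLS_OID = b"1.3.6.1.4.1.1466.20037"   # StartTLS requestName (RFC 4511)
TAG_SEQUENCE, TAG_INTEGER, TAG_OCTET_STRING = 0x30, 0x02, 0x04
TAG_BIND_REQUEST = 0x60        # [APPLICATION 0], constructed
TAG_EXTENDED_REQUEST = 0x77    # [APPLICATION 23], constructed
TAG_CTX0_PRIMITIVE = 0x80      # simple password in BindRequest; requestName in ExtendedRequest


def ber_encode(tag: int, value: bytes) -> bytes:
    """Encode one TLV (single-byte tag, definite length)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + value


def ber_decode(buf: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Decode the TLV at buf[pos]; return (tag, value, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: following bytes carry the length
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated TLV value")
    return tag, value, pos + length


def ber_children(value: bytes) -> List[Tuple[int, bytes]]:
    """Decode every TLV packed inside a constructed value."""
    out, pos = [], 0
    while pos < len(value):
        tag, inner, pos = ber_decode(value, pos)
        out.append((tag, inner))
    return out


def parse_ldap_message(msg: bytes) -> Dict[str, object]:
    """Parse one LDAPMessage; only BindRequest and ExtendedRequest are understood in detail."""
    tag, body, _ = ber_decode(msg)
    if tag != TAG_SEQUENCE:
        raise ValueError("LDAPMessage must be a SEQUENCE")
    fields = ber_children(body)
    msg_id = int.from_bytes(fields[0][1], "big", signed=True)
    op_tag, op_body = fields[1]
    if op_tag == TAG_BIND_REQUEST:
        _version, name, auth = ber_children(op_body)[:3]
        simple = auth[0] == TAG_CTX0_PRIMITIVE
        return {"id": msg_id, "op": "bind", "dn": name[1].decode(),
                "simple": simple, "password": auth[1].decode() if simple else None}
    if op_tag == TAG_EXTENDED_REQUEST:
        request_name = ber_children(op_body)[0][1]
        return {"id": msg_id, "op": "extended", "oid": request_name.decode(),
                "starttls": request_name == START_TLS_OID}
    return {"id": msg_id, "op": "other", "tag": op_tag}


def audit_cleartext_stream(stream: bytes) -> List[str]:
    """Walk client-to-server bytes up to and including the StartTLS request.
    Everything after StartTLS is inside TLS and invisible here, so a correctly
    ordered client (StartTLS, then bind) never shows a bind to this function."""
    findings, pos, tls_requested = [], 0, False
    while pos < len(stream) and not tls_requested:
        _, _, end = ber_decode(stream, pos)
        m = parse_ldap_message(stream[pos:end])
        pos = end
        if m["op"] == "extended" and m["starttls"]:
            tls_requested = True
        elif m["op"] == "bind" and m["simple"]:
            findings.append(f"msg {m['id']}: simple bind as {m['dn']} before StartTLS; "
                            f"password on the wire: {m['password']!r}")
    return findings


# --- constructed sample traffic (not captured from any real system) ---
def bind_request(msg_id: int, dn: str, password: str) -> bytes:
    op = ber_encode(TAG_BIND_REQUEST,
                    ber_encode(TAG_INTEGER, b"\x03")                      # LDAPv3
                    + ber_encode(TAG_OCTET_STRING, dn.encode())
                    + ber_encode(TAG_CTX0_PRIMITIVE, password.encode()))  # simple auth
    return ber_encode(TAG_SEQUENCE, ber_encode(TAG_INTEGER, bytes([msg_id])) + op)


def starttls_request(msg_id: int) -> bytes:
    op = ber_encode(TAG_EXTENDED_REQUEST, ber_encode(TAG_CTX0_PRIMITIVE, START_TLS_OID))
    return ber_encode(TAG_SEQUENCE, ber_encode(TAG_INTEGER, bytes([msg_id])) + op)


BIND_DN = "uid=openvpn,cn=sysaccounts,cn=etc,dc=example,dc=test"   # assumed service account
BUGGY_STREAM = bind_request(1, BIND_DN, "s3cret") + starttls_request(2)  # bind, then StartTLS
FIXED_STREAM = starttls_request(1)   # StartTLS first; the bind that follows is encrypted

if __name__ == "__main__":
    print("buggy order:", audit_cleartext_stream(BUGGY_STREAM) or "clean")
    print("fixed order:", audit_cleartext_stream(FIXED_STREAM) or "clean")
```

Run against a real capture, the same logic applies to the client-to-server payload of the LDAP TCP stream on port 389: the buggy order yields one finding with the BindDN and password in the clear, and the fixed order yields none because the bind is never seen outside TLS. The second symptom in the report (the bind being discarded by StartTLS) is a server-side state change and is not visible in the client bytes, which is why the auditor only reports the ordering.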
Will be doing a new build and some initial tests this week.
Patch doesn't match the version of auth-ldap we are building, so generating a new patch for the same fix.
Created attachment 1325549: Patch for fixing bind before STARTTLS in 2.0.3
New build should be up in testing shortly. https://koji.fedoraproject.org/koji/buildinfo?buildID=970112
openvpn-auth-ldap-2.0.3-15.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-52b8147c68
openvpn-auth-ldap-2.0.3-15.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-52b8147c68
openvpn-auth-ldap-2.0.3-15.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.
This bug was not fixed unfortunately. While the patch definition was added to the spec file, it isn’t actually applied and so this bug is still occurring.
(In reply to aaronmaxlevy from comment #8)
> This bug was not fixed unfortunately. While the patch definition was added
> to the spec file, it isn't actually applied and so this bug is still
> occurring.

Ah! I see it! Not sure how that slipped through. Will work on fixing that today.
Build underway: https://koji.fedoraproject.org/koji/buildinfo?buildID=1181769
Corrected RPMs have been built. Once they make it into the testing repo, please confirm the fix.
openvpn-auth-ldap-2.0.3-16.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-040983bb83
openvpn-auth-ldap-2.0.3-16.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-040983bb83
openvpn-auth-ldap-2.0.3-16.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.