Using STARTTLS breaks LDAP authentication #12047
I discovered that when I configure the LDAP Auth Provider to use STARTTLS, authentication is broken, i.e. I can log into the Neo4j instance with any existing user account using arbitrary passwords.
Steps to reproduce
```yaml
version: '3.4'
services:
  openldap:
    image: osixia/openldap:1.2.2
    ports:
      - 1389:389
      - 1636:636
    environment:
      - LDAP_BASE_DN=
      - LDAP_READONLY_USER=true
      - LDAP_READONLY_USER_USERNAME=bind
      - LDAP_READONLY_USER_PASSWORD=bind
      - LDAP_TLS_VERIFY_CLIENT=try
      - LDAP_TLS_CRT_FILENAME=openldap.crt
      - LDAP_TLS_KEY_FILENAME=openldap.key
      - LDAP_TLS_CA_CRT_FILENAME=ca.crt
    volumes:
      - $PWD/bootstrap.ldif:/container/service/slapd/assets/config/bootstrap/ldif/custom/bootstrap.ldif
      - $PWD/certs:/container/service/slapd/assets/certs
    command: --copy-service
  neo4j:
    image: neo4j:3.4.4-enterprise
    ports:
      - 7474:7474
      - 7687:7687
    environment:
      - NEO4J_ACCEPT_LICENSE_AGREEMENT=yes
    volumes:
      - $PWD/neo4j.conf:/conf/neo4j.conf
      - $PWD/logs:/logs
      - $PWD/certs/truststore.jks:/etc/neo4j/truststore.jks
```
Corresponding LDAP log:
Login fails with error message
Some additional insights from my LDAP log analysis
We can see why Neo4j permits access to any valid user by looking at the LDAP log (using an incorrect password), e.g.:
Compare this to a properly functioning setup (e.g. our company's TeamCity) with an incorrect password:
The authentication bind performed by TeamCity clearly shows the account alice used as BIND DN and the result code returned is 49 (invalid credentials) as expected. However the authentication bind performed by Neo4j shows no actual BIND operation and the last result code returned is 0 (success) from the STARTTLS operation.
The primary difference here is TeamCity connecting via LDAPS whereas Neo4j connects via a regular LDAP connection and establishes a STARTTLS upgrade afterwards; an example of this using ldapwhoami looks like this:
Here we can see the STARTTLS command executed with result code 0 prior to a BIND operation with the account alice (and correct credentials in this case). Therefore I assume Neo4j interprets the initial result code of the STARTTLS negotiation as the result of a successful BIND operation.
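The following is an added example, not part of the original issue report and not Neo4j code, that makes the log comparison above mechanical. It parses constructed slapd-style log lines (modelled on slapd's default stats logging; the connection numbers, DNs and addresses are made up) and evaluates each connection two ways: the naive reading the report suspects Neo4j of, where err=0 on the most recent RESULT line counts as a login, and the correct reading, where only the RESULT of an actual BIND operation decides the outcome. The three constructed traces mirror the three cases discussed: an LDAPS bind with a wrong password, a STARTTLS upgrade with no BIND at all, and a STARTTLS upgrade followed by a successful BIND.

```python
"""Read authentication outcomes from slapd-style logs: BIND result vs last RESULT."""
import re
from collections import defaultdict

# Constructed sample lines (not the logs from the issue), in slapd's stats format.
#  conn=1001: LDAPS, BIND as alice with a wrong password  -> err=49 (TeamCity-like)
#  conn=1002: STARTTLS negotiated, then no BIND at all     -> last err is 0 (Neo4j-like)
#  conn=1003: STARTTLS negotiated, then a successful BIND  -> err=0 on the BIND (ldapwhoami-like)
SAMPLE_LOG = """\
conn=1001 fd=12 ACCEPT from IP=172.18.0.1:40110 (IP=0.0.0.0:636)
conn=1001 fd=12 TLS established tls_ssf=256 ssf=256
conn=1001 op=0 BIND dn="uid=alice,ou=people,dc=example,dc=com" method=128
conn=1001 op=0 RESULT tag=97 err=49 text=
conn=1001 op=1 UNBIND
conn=1001 fd=12 closed
conn=1002 fd=13 ACCEPT from IP=172.18.0.1:40112 (IP=0.0.0.0:389)
conn=1002 op=0 EXT oid=1.3.6.1.4.1.1466.20037
conn=1002 op=0 STARTTLS
conn=1002 op=0 RESULT oid= err=0 text=
conn=1002 fd=13 TLS established tls_ssf=256 ssf=256
conn=1002 op=1 UNBIND
conn=1002 fd=13 closed
conn=1003 fd=14 ACCEPT from IP=172.18.0.1:40114 (IP=0.0.0.0:389)
conn=1003 op=0 EXT oid=1.3.6.1.4.1.1466.20037
conn=1003 op=0 STARTTLS
conn=1003 op=0 RESULT oid= err=0 text=
conn=1003 fd=14 TLS established tls_ssf=256 ssf=256
conn=1003 op=1 BIND dn="uid=alice,ou=people,dc=example,dc=com" method=128
conn=1003 op=1 BIND dn="uid=alice,ou=people,dc=example,dc=com" mech=SIMPLE ssf=0
conn=1003 op=1 RESULT tag=97 err=0 text=
conn=1003 op=2 UNBIND
conn=1003 fd=14 closed
"""

LINE_RE = re.compile(r'^conn=(?P<conn>\d+) (?:op=(?P<op>\d+) )?(?P<rest>.*)$')
RESULT_RE = re.compile(r'^RESULT (?:tag=(?P<tag>\d+) )?(?:oid=\S* )?err=(?P<err>\d+)')
BIND_RE = re.compile(r'^BIND dn="(?P<dn>[^"]*)"')


def parse_slapd_log(text):
    """Group lines by connection and op: {conn: {op: {"kind", "dn", "err"}}}.
    "kind" is the last request keyword logged for the op (STARTTLS, BIND, UNBIND...)."""
    conns = defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("op") is None:
            continue  # ACCEPT / TLS established / closed lines carry no op number
        conn, op, rest = m.group("conn"), int(m.group("op")), m.group("rest")
        entry = conns[conn].setdefault(op, {"kind": None, "dn": None, "err": None})
        r = RESULT_RE.match(rest)
        if r:
            entry["err"] = int(r.group("err"))
            continue
        entry["kind"] = rest.split()[0]  # "EXT" is followed by "STARTTLS" for that op
        b = BIND_RE.match(rest)
        if b:
            entry["dn"] = b.group("dn")
    return conns


def last_result_err(ops):
    """err= of the final RESULT on the connection, whichever op produced it."""
    errs = [e["err"] for _, e in sorted(ops.items()) if e["err"] is not None]
    return errs[-1] if errs else None


def bind_result(ops):
    """(dn, err) of the last BIND on the connection, or (None, None) if none was sent."""
    binds = [e for _, e in sorted(ops.items()) if e["kind"] == "BIND"]
    return (binds[-1]["dn"], binds[-1]["err"]) if binds else (None, None)


def naive_authenticated(ops):
    """The misreading the issue suspects: err=0 on the most recent RESULT means login OK,
    even when that RESULT belongs to the STARTTLS extended operation."""
    return last_result_err(ops) == 0


def correctly_authenticated(ops):
    """Login succeeded only if a BIND was actually sent and its own RESULT was err=0."""
    dn, err = bind_result(ops)
    return dn is not None and err == 0


def analyse(text):
    """Per-connection summary of both readings over a log text."""
    report = {}
    for conn, ops in parse_slapd_log(text).items():
        dn, err = bind_result(ops)
        report[conn] = {
            "last_result_err": last_result_err(ops),
            "bind_dn": dn,
            "bind_err": err,
            "naive_authenticated": naive_authenticated(ops),
            "authenticated": correctly_authenticated(ops),
        }
    return report


if __name__ == "__main__":
    for conn, summary in sorted(analyse(SAMPLE_LOG).items()):
        print(conn, summary)
```

Only conn=1002 separates the two readings: its last RESULT is the err=0 of STARTTLS and no BIND was ever logged, so the naive reading grants access while the correct reading does not. Against a real slapd log the same script shows immediately whether a client's "successful login" is backed by a BIND RESULT or only by the TLS upgrade.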