Using STARTTLS breaks LDAP authentication #12047
Comments
Some additional insights from my LDAP log analysis

We can see why Neo4j permits access to any valid user by looking at the LDAP log (using an incorrect password), e.g.:

Compare this to a properly functioning setup (e.g. our company's TeamCity) with an incorrect password:

The authentication bind performed by TeamCity clearly shows the account alice used as BIND DN, and the result code returned is 49 (invalid credentials), as expected. However, the authentication bind performed by Neo4j shows no actual BIND operation, and the last result code returned is 0 (success) from the STARTTLS operation.

The primary difference here is that TeamCity connects via LDAPS, whereas Neo4j connects via a regular LDAP connection and establishes a STARTTLS upgrade afterwards; an example of this using ldapwhoami looks like this:

Here we can see the STARTTLS command executed with result code 0 prior to a BIND operation with the account alice (and correct credentials in this case). Therefore I assume Neo4j interprets the initial result code of the STARTTLS negotiation as the result of a successful BIND operation.
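The distinction the comment draws (only a BIND result code decides authentication; a successful STARTTLS result says nothing about credentials), as an added example that is not part of the issue or of Neo4j's code: a small Python audit over LDAP server log lines that reports each connection's BIND outcome and flags connections where STARTTLS succeeded but no BIND ever followed. The log lines, connection numbers and DN are constructed in the style of OpenLDAP's stats log, not taken from the reporter's log.

```python
import re
from collections import defaultdict

# Constructed sample in the style of OpenLDAP's stats log (not the reporter's log).
# conn=1001 mirrors the Neo4j pattern from the comment (STARTTLS ok, no BIND);
# conn=1002 mirrors the TeamCity pattern (BIND over LDAPS rejected with err=49).
SAMPLE_LOG = """\
conn=1001 op=0 STARTTLS
conn=1001 op=0 RESULT oid= err=0 text=
conn=1001 op=1 UNBIND
conn=1002 op=0 BIND dn="uid=alice,ou=people,dc=example,dc=com" method=128
conn=1002 op=0 RESULT tag=97 err=49 text=
conn=1002 op=1 UNBIND
"""

OP_RE = re.compile(r"conn=(\d+) op=(\d+) (\w+)(.*)")
ERR_RE = re.compile(r"err=(\d+)")

def parse_ops(log):
    """Return {conn: [(op_name, err), ...]} in log order. A RESULT line
    attaches its err code to the earlier op with the same op number;
    ops that never get a RESULT (e.g. UNBIND) keep err=None."""
    ops = defaultdict(dict)     # conn -> {op_num: [name, err]}
    order = defaultdict(list)   # conn -> [op_num, ...] in first-seen order
    for line in log.splitlines():
        m = OP_RE.match(line)
        if not m:
            continue
        conn, op, name, rest = m.groups()
        if name == "RESULT":
            if op in ops[conn]:
                ops[conn][op][1] = int(ERR_RE.search(rest).group(1))
        else:
            ops[conn][op] = [name, None]
            order[conn].append(op)
    return {c: [tuple(ops[c][o]) for o in order[c]] for c in order}

def classify(conn_ops):
    """Decide a connection's auth outcome from its BIND result only."""
    binds = [err for name, err in conn_ops if name == "BIND"]
    if binds:
        return "authenticated" if binds[-1] == 0 else f"bind failed (err={binds[-1]})"
    if any(name == "STARTTLS" and err == 0 for name, err in conn_ops):
        return "STARTTLS ok but no BIND: not an authentication"
    return "no authentication attempted"

def audit_log(log):
    """Map every connection in the log to its classification."""
    return {conn: classify(conn_ops) for conn, conn_ops in parse_ops(log).items()}
```

Running `audit_log(SAMPLE_LOG)` reports conn 1001 as "STARTTLS ok but no BIND" and conn 1002 as a bind failure with err=49, which is the two-line comparison the comment makes by hand.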
Thank you so much for reporting this @oschlueter! Cheers, Neo4j Cypher Team
Abstract
I discovered that when I configure the LDAP Auth Provider to use STARTTLS, authentication is broken, i.e. I can log into the Neo4j instance with any existing user account using arbitrary passwords.
Unencrypted LDAP connections (without STARTTLS) and LDAPS connections are not affected.
Steps to reproduce
docker-compose.yml:
docker-compose pull
bootstrap.ldif:
neo4j.conf:
logs directory:
mkdir logs
docker-compose up
Corresponding LDAP log:
Open http://localhost:7474 and log in using the account alice and the password bob
Expected behavior
Login fails with error message
Neo.ClientError.Security.Unauthorized: The client is unauthorized due to authentication failure.
Actual behavior
Login succeeds.