
Draft: fix for iad format when DN is in uri, I think... #2302

Draft · wants to merge 2 commits into main

Conversation

@zricethezav (Collaborator) commented Jan 12, 2024

Description:

Steps to reproduce buggy behavior currently in main:

```shell
docker run -p 389:389 --rm -it --env LDAP_ORGANISATION="truffle" --env LDAP_DOMAIN="trufflesecurity.com" --env LDAP_ADMIN_PASSWORD="thisisnotsecure" --env LDAP_TLS_VERIFY_CLIENT=try --env LDAP_BASE_DN="dc=trufflesecurity,dc=com" --detach osixia/openldap:1.5.0
echo "ou = dso.OpenDSObject(\"LDAP://127.0.0.1/cn=admin,DC=trufflesecurity,DC=com\", \"admin\", \"thisisnotsecure\", 1)" > ldapbug.txt
trufflehog filesystem --no-update ldapbug.txt
```

Notice no verified secrets.

Now checkout ldap-bug, then run:

```shell
go build && ./trufflehog filesystem --no-update ldapbug.txt
```

Notice there are now verified secrets!


This probably needs some more polish and LDAP is out of my wheelhouse but it looks like the Bind:

```go
// Bind performs a bind with the given username and password.
//
// It does not allow unauthenticated bind (i.e. empty password). Use the UnauthenticatedBind method
// for that.
func (l *Conn) Bind(username, password string) error {
	req := &SimpleBindRequest{
		Username:           username,
		Password:           password,
		AllowEmptyPassword: false,
	}
	_, err := l.SimpleBind(req)
	return err
}
```

requires the full DN (for this example it's cn=admin,DC=trufflesecurity,DC=com) in some cases?

Checklist:

  • Tests passing (make test-community)?
  • Lint passing (make lint this requires golangci-lint)?

@zricethezav zricethezav marked this pull request as draft January 12, 2024 22:52
@rgmz (Contributor) commented Jan 13, 2024

> This probably needs some more polish and LDAP is out of my wheelhouse but it looks like the Bind:

Bind usually requires the full DistinguishedName OR distinct username attribute.

Active Directory used to use sAMAccountName (e.g., jdoe) as the username, however, if you have multiple forests then you'd need to do jdoe@domain. Now UserPrincipalName is preferred. https://pleasantpasswords.com/info/pleasant-password-server/i-ldap-and-ad/active-directory-and-samaccountnames

Not sure about other LDAP implementations.

@zricethezav (Collaborator, Author) commented

> Bind usually requires the full DistinguishedName OR distinct username attribute.

@rgmz any way to determine which one to use? This change attempts both if a username returns an err
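The "try the captured username, then fall back to the DN from the LDAP:// path" strategy discussed in this thread, written out as an added example. This is not trufflehog's code or the code in this PR: `ParseADSIPath`, `BindCandidates`, `VerifyLDAP` and the `fakeDirectory` stand-in (which, like the osixia container in the repro, accepts only the admin's full DN) are assumptions made for illustration, and `BindFunc` is an assumed abstraction over a real simple bind such as go-ldap's `(*Conn).Bind`.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// BindFunc abstracts an LDAP simple bind (for example go-ldap's (*Conn).Bind)
// so the fallback logic can be exercised without a live directory. Assumed
// interface, not a trufflehog type.
type BindFunc func(bindDN, password string) error

// ParseADSIPath splits an ADSI-style path such as
// "LDAP://127.0.0.1/cn=admin,DC=trufflesecurity,DC=com" into its server part
// (may be empty) and DN part (may be empty). The scheme matches
// case-insensitively; ADSI also allows "LDAP://dc=example,dc=com" with no
// server, which is told apart from a bare host by the presence of '='.
func ParseADSIPath(p string) (server, dn string, err error) {
	const prefix = "ldap://"
	if len(p) < len(prefix) || !strings.EqualFold(p[:len(prefix)], prefix) {
		return "", "", fmt.Errorf("not an LDAP:// path: %q", p)
	}
	rest := p[len(prefix):]
	if i := strings.IndexByte(rest, '/'); i >= 0 {
		return rest[:i], strings.TrimSpace(rest[i+1:]), nil
	}
	if strings.Contains(rest, "=") {
		return "", rest, nil
	}
	return rest, "", nil
}

// BindCandidates returns the names to try with a simple bind, in order: the
// username exactly as captured first (works for AD sAMAccountName / UPN), then
// the DN from the path, unless the username already is a DN or equals it.
func BindCandidates(username, dn string) []string {
	candidates := []string{username}
	usernameIsDN := strings.Contains(username, "=")
	if dn != "" && !usernameIsDN && !strings.EqualFold(dn, username) {
		candidates = append(candidates, dn)
	}
	return candidates
}

// VerifyLDAP tries each candidate in turn and reports which name bound. Every
// rejection is kept so a caller can see that all forms were attempted rather
// than only the last failure.
func VerifyLDAP(bind BindFunc, path, username, password string) (string, error) {
	_, dn, err := ParseADSIPath(path)
	if err != nil {
		return "", err
	}
	var failures []string
	for _, name := range BindCandidates(username, dn) {
		if err := bind(name, password); err != nil {
			failures = append(failures, fmt.Sprintf("bind as %q: %v", name, err))
			continue
		}
		return name, nil
	}
	return "", errors.New(strings.Join(failures, "; "))
}

// fakeDirectory is a constructed stand-in for a server that accepts only the
// listed bind DNs. DN comparison is case-insensitive, as attribute types are
// in a real directory; the bare short name "admin" is rejected, which is the
// behaviour the repro in this PR hits.
func fakeDirectory(accepted map[string]string) BindFunc {
	normalized := make(map[string]string, len(accepted))
	for dn, pw := range accepted {
		normalized[strings.ToLower(dn)] = pw
	}
	return func(bindDN, password string) error {
		if pw, ok := normalized[strings.ToLower(bindDN)]; ok && pw == password {
			return nil
		}
		return errors.New("LDAP Result Code 49 \"Invalid Credentials\"")
	}
}

func main() {
	dir := fakeDirectory(map[string]string{
		"cn=admin,DC=trufflesecurity,DC=com": "thisisnotsecure", // constructed credential from the repro
	})
	path := "LDAP://127.0.0.1/cn=admin,DC=trufflesecurity,DC=com"
	who, err := VerifyLDAP(dir, path, "admin", "thisisnotsecure")
	fmt.Println(who, err)
}
```

Against a real server the fallback still costs one extra bind per candidate, and a directory that locks accounts on failed binds will count the rejected short-name attempt, so a verifier should stop at the first success and should never retry the DN with an empty password (go-ldap's `Bind` refuses that anyway).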
