| commit | 78217f1f5dcb6475eb83441eac7118cee0a1225c | |
|---|---|---|
| author | Shawn McKinney <smckinney@symas.com> | Sat Dec 11 20:23:23 2021 -0600 |
| committer | Shawn McKinney <smckinney@symas.com> | Sat Dec 11 20:23:23 2021 -0600 |
| tree | 8410f0b3f80b4aaceaa0a5e3738942465f86d20b | |
| parent | 86e20a6bbce426cfb021716c3fce27b6dfd57700 | |
! CVE-2021-41973
Licensed to the Apache Software Foundation (ASF) under one or more contributor license agreements. See the NOTICE file distributed with this work for additional information regarding copyright ownership. The ASF licenses this file to you under the Apache License, Version 2.0 (the “License”); you may not use this file except in compliance with the License. You may obtain a copy of the License at
https://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an “AS IS” BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
This document contains instructions to download, install, test, and manage an LDAP server using the Apache Fortress Core.
Minimum hardware requirements to run Apache Fortress and LDAP server:
Minimum software requirements:
From Apache GIT Fortress-Core Software Repo: https://gitbox.apache.org/repos/asf?p=directory-fortress-core.git
git clone https://gitbox.apache.org/repos/asf/directory-fortress-core.git
git clone --branch 2.0.7 https://gitbox.apache.org/repos/asf/directory-fortress-core.git
Set Java and Maven home on machines.
From the FORTRESS_HOME root folder, enter the following command:
a. Java 8 target
mvn clean install
-- OR --
b. Java 11 target
mvn clean install -Djava.version=11
mvn javadoc:javadoc
Install Notes:
mvn install calls out to the maven-ant init-fortress-config task in build.xml to regenerate configuration artifacts (more info here: README-CONFIG).
This document describes three options to use Apache Fortress with:
Options 1 & 2 are recommended for first-time users. Option 3 is for advanced users.
Do these sections:
For example:
A. On Debian systems: http://wiki.debian.org/LDAP/OpenLDAPSetup
B. Ubuntu: https://help.ubuntu.com/community/OpenLDAPServer
C. etc.
cp FORTRESS_HOME/ldap/schema/fortress.schema OPENLDAP_HOME/etc/openldap/schema
vi OPENLDAP_HOME/etc/openldap/slapd.conf
Add to the top of the file:
include OPENLDAP_HOME/etc/openldap/schema/fortress.schema
Add right before the ACL definitions:
moduleload ppolicy.la
moduleload accesslog.la
# Default DB Settings
database	mdb
maxreaders 64
maxsize 1000000000
suffix  "dc=example,dc=com"
rootdn  "cn=Manager,dc=example,dc=com"
rootpw  "{SSHA}pSOV2TpCxj2NMACijkcMko4fGrFopctU"
index uidNumber,gidNumber,objectclass eq
index cn,sn,ftObjNm,ftOpNm,ftRoleName,uid,ou eq,sub
index ftId,ftPermName,ftRoles,ftUsers,ftRA,ftARA eq
directory  "/var/openldap/dflt"
overlay    accesslog
logdb      "cn=log"
dbnosync
checkpoint	64 5
# History DB Settings  (optional)
database	 mdb
maxreaders  64
maxsize     1000000000
suffix      "cn=log"
rootdn      "cn=Manager,cn=log"
rootpw      "{SSHA}pSOV2TpCxj2NMACijkcMko4fGrFopctU"
index objectClass,reqDN,reqAuthzID,reqStart,reqAttr eq
directory	 "/var/openldap/hist"
access to *
   by dn.base="cn=Manager,cn=log" write
dbnosync
checkpoint   64 5
# Audit Log Settings (optional)
# note: the following settings may be tailored to your requirements:
logops bind writes compare
logoldattr ftModifier ftModCode ftModId ftRC ftRA ftARC ftARA ftCstr ftId ftPermName ftObjNm ftOpNm ftObjId ftGroups ftRoles ftUsers ftType
logpurge 5+00:00 1+00:00
#######################################################################
# PW Policy Settings
#######################################################################
# Enable the Password Policy overlay to enforce password policies on this database.
overlay ppolicy
ppolicy_default "cn=PasswordPolicy,ou=Policies,dc=example,dc=com"
ppolicy_use_lockout
ppolicy_hash_cleartext
### ACLs
access to dn="" by * read
access to *
	by self write
	by users read
	by anonymous auth
	by sockurl="^ldapi:///$" write
### This one allows user to modify their own password (needed for pw policies):
### This also allows user to modify their own ftmod attributes (needed for audit):
access to attrs=userpassword
         by self write
         by * auth
# Never allow anonymous binds:
disallow bind_anon
# Speeds up member list processing for ldap group operations:
sortvals roleOccupant
# Convenience:
gentlehup on
# Sensible defaults:
sizelimit 5000
timelimit 60
threads 8
loglevel 32768
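As an added check that is not part of the Fortress project or this guide, the following Python script parses a constructed excerpt of the slapd.conf above and flags the settings a reviewer would question before the server leaves a test box: anonymous binds, a cleartext rootpw, missing ppolicy or accesslog overlays, dbnosync, and a missing userPassword ACL. The parser and its finding messages are this example's own, not an OpenLDAP tool.

```python
# Constructed excerpt of the slapd.conf shown in this guide (not the full file).
SLAPD_CONF = """\
rootpw "{SSHA}pSOV2TpCxj2NMACijkcMko4fGrFopctU"
overlay accesslog
dbnosync
overlay ppolicy
access to *
    by self write
    by anonymous auth
access to attrs=userpassword
    by self write
    by * auth
disallow bind_anon
"""

def parse_slapd_conf(text):
    # Map directive name -> list of values; keep each ACL as one string with
    # its indented 'by' continuation lines joined onto the 'access to' line.
    directives, acls = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if raw[0].isspace() and acls and line.startswith("by "):
            acls[-1] += " " + line
            continue
        parts = line.split(None, 1)
        value = parts[1].strip('"') if len(parts) > 1 else ""
        if parts[0] == "access":
            acls.append(line)
        else:
            directives.setdefault(parts[0].lower(), []).append(value)
    return directives, acls

def audit(text):
    # Findings a reviewer would raise before this config leaves a test box.
    d, acls = parse_slapd_conf(text)
    overlays, disallowed = d.get("overlay", []), " ".join(d.get("disallow", []))
    checks = [
        ("bind_anon" not in disallowed.split(), "anonymous binds allowed: add 'disallow bind_anon'"),
        (any(not p.startswith("{") for p in d.get("rootpw", [])), "rootpw in cleartext: hash it with slappasswd"),
        ("ppolicy" not in overlays, "ppolicy overlay missing: lockout and password rules not enforced"),
        ("accesslog" not in overlays, "accesslog overlay missing: enable it or set disable.audit=true"),
        ("dbnosync" in d, "dbnosync set: skips fsync on write, acceptable for test only"),
        (not any(a.startswith("access to attrs=userpassword") for a in acls), "no userPassword ACL: ppolicy needs 'by self write'"),
    ]
    findings = [msg for bad, msg in checks if bad]
    findings += ["ACL grants anonymous data access: " + a for a in acls
                 if "by anonymous read" in a or "by anonymous write" in a]
    return findings
```

Run it against your real file with `audit(open("/path/to/slapd.conf").read())`; the guide's own config yields only the dbnosync note.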
mkdir /var/openldap/dflt
mkdir /var/openldap/hist
Config Notes:
cp build.properties.example build.properties
cp slapd.properties.example slapd.properties
vi slapd.properties
ldap.server.type=openldap
host=localhost
port=389
suffix.name=example
suffix.dc=com
 suffix.name=foo
 suffix.dc=example
 suffix.dc2=com
 suffix=dc=${suffix.name},dc=${suffix.dc},dc=${suffix.dc2}
# Here we are testing with slapd's root user.  Never do this in prod envs.
# This value contains dn of service account that has read/write access to fortress LDAP DIT:
root.dn=cn=Manager,${suffix}
# This the admin password:
cfg.root.pw=secret
# Specify the min/max settings for ADMIN conn pool w/ both read & write connections to default DB:
admin.min.conn=1
# The optimal setting for max is much fewer than concurrent number of users on system.
admin.max.conn=10
# Specify the min/max settings for USER conn pool with permission to bind to user objects as self:
user.min.conn=1
# The optimal setting for max will be much fewer than concurrent number of users.
user.max.conn=10
This step is optional.
# If you don't have slapo-access log overlay enabled, disable the Fortress audit with this param.
# 'true' turns it off.  The default is 'false'.
disable.audit=false
# This value contains dn of user that has read access to slapd access log database:
log.root.dn=cn=Manager,${log.suffix}
# This password is for same log user:
cfg.log.root.pw=secret
# The min/max settings for LOG pool w/ read permissions to slapo access log:
log.min.conn=1
# Very few needed because only used by AuditMgr during search operations:
log.max.conn=3
# Set more audit logger parameters (openldap only):
log.suffix=cn=log
# To enable slapd persistence on the following OpenLDAP operations:
log.ops=logops search bind writes
mvn clean install
mvn install -Dload.file=./ldap/setup/refreshLDAPData.xml
More usage notes of fortress build property files:
mvn install -Dload.file=./ldap/setup/refreshLDAPData.xml
mvn install -Dload.file=./ldap/setup/DelegatedAdminManagerLoad.xml
These will build the Directory Information Tree and load the configuration node and security policy needed for integration testing. Never run them in a production environment, as refreshLDAPData.xml tears down all nodes under the target suffix.
mvn -Dtest=FortressJUnitTest test
Tests that all of the APIs and security functions work on your LDAP server.
Tests run: Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 196 sec - in org.apache.directory.fortress.core.impl.FortressJUnitTest

Results :

Tests run: Failures: 0, Errors: 0, Skipped: 0

[INFO]
[INFO] --- maven-antrun-plugin:1.8:run (default) @ fortress-core ---
[INFO] Executing tasks

fortress-load:
[INFO] Executed tasks
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 03:19 min
[INFO] Finished at: 2016-01-07T09:28:18-06:00
[INFO] Final Memory: 27M/532M
[INFO] ------------------------------------------------------------------------
mvn -Dtest=FortressJUnitTest test
Tests run: Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 207.081 sec - in org.apache.directory.fortress.core.impl.FortressJUnitTest

Results :

Tests run: Failures: 0, Errors: 0, Skipped: 0

[INFO]
[INFO] --- maven-antrun-plugin:1.8:run (default) @ fortress-core ---
[INFO] Executing tasks

fortress-load:
[INFO] Executed tasks
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 03:30 min
[INFO] Finished at: 2016-01-07T09:33:11-06:00
[INFO] Final Memory: 27M/531M
[INFO] ------------------------------------------------------------------------
Notice that more tests ran this time vs the first time, due to teardown.
mvn install -Dload.file=./ldap/setup/refreshLDAPData.xml
Test Notes:
The Load utility is useful to create base policy configurations that need to be rerun many times in different test and production environments. For samples look here: ./ldap/setup.
e.g. myLoadFile.xml
mvn install -Dload.file=./ldap/setup/myLoadFile.xml
Policy Load Notes:
The CLI is useful for ad-hoc policy administration in runtime environments.
mvn -Pcli test
CommandLineInterpreter:176 - Startup to interactive mode success...
CommandLineInterpreter:183 - CLI function groups include admin, review, system, dadmin, group
CommandLineInterpreter:185 - Enter one from above or 'q' to quit
admin auser -u testuser1 -p mypasword123 -o dev1
2016-01-07 09:17:030 INFO CommandLineInterpreter:1078 - arg:admin
2016-01-07 09:17:030 INFO CommandLineInterpreter:1078 - arg:auser
2016-01-07 09:17:030 INFO CommandLineInterpreter:1078 - arg:-u
2016-01-07 09:17:030 INFO CommandLineInterpreter:1078 - arg:testuser1
2016-01-07 09:17:030 INFO CommandLineInterpreter:1078 - arg:-p
2016-01-07 09:17:030 INFO CommandLineInterpreter:1078 - arg:-o
2016-01-07 09:17:030 INFO CommandLineInterpreter:1078 - arg:dev1
2016-01-07 09:17:030 INFO CommandLineInterpreter:487 - auser
2016-01-07 09:17:030 INFO CommandLineInterpreter:683 - command:auser was successful
2016-01-07 09:17:030 INFO CommandLineInterpreter:183 - CLI function groups include admin, review, system, dadmin, group
2016-01-07 09:17:030 INFO CommandLineInterpreter:185 - Enter one from above or 'q' to quit
review fuser -u testuser1
2016-01-07 09:18:042 INFO CommandLineInterpreter:1078 - arg:review
2016-01-07 09:18:042 INFO CommandLineInterpreter:1078 - arg:fuser
2016-01-07 09:18:042 INFO CommandLineInterpreter:1078 - arg:-u
2016-01-07 09:18:042 INFO CommandLineInterpreter:1078 - arg:testuser1
2016-01-07 09:18:042 INFO CommandLineInterpreter:713 - fuser
2016-01-07 09:18:042 INFO CommandLineInterpreter:1443 - U CTR [0]
2016-01-07 09:18:042 INFO CommandLineInterpreter:1443 - U UID [testuser1]
2016-01-07 09:18:042 INFO CommandLineInterpreter:1443 - U IID [20ef2dfd-0b86-41a5-87d6-f7081e455d76]
2016-01-07 09:18:042 INFO CommandLineInterpreter:1443 - U CN [testuser1]
2016-01-07 09:18:042 INFO CommandLineInterpreter:1443 - U DESC [null]
2016-01-07 09:18:042 INFO CommandLineInterpreter:1443 - U OU [dev1]
2016-01-07 09:18:042 INFO CommandLineInterpreter:1443 - U SN [testuser1]
The Command Console is an interactive program that allows ad-hoc editing of, and reporting on, data stored in the LDAP server.
mvn -Pconsole test
CHOOSE FUNCTION:
1. RBAC ADMIN MANAGER
2. RBAC REVIEW MANAGER
3. RBAC ACCESS MANAGER
4. ARBAC ADMIN MANAGER
5. ARBAC REVIEW MANAGER
6. ARBAC ACCESS MANAGER
7. PASSWORD POLICY MANAGER
8. AUDIT MANAGER
9. CONFIG MANAGER
A. ENCRYPTION MANAGER
B. GROUP MANAGER
C. RBAC ACCELERATOR MANAGER
Enter q or Q to quit
CHOOSE ADMIN MANAGER FUNCTION:
1. Add User
2. Update User
3. Delete User
4. Unlock User
5. Lock User Account
6. Reset User Password
7. Change User Password
8. Add Perm Object
9. Add Perm Operation
0. Delete Perm
A. Add Role
B. Update Role
C. Delete Role
D. Assign User to Role
E. Deassign User from Role
F. Grant Perm to Role
G. Revoke Perm from Role
H. Grant Perm to User
I. Revoke Perm from User
J. Add Role Inheritance
K. Remove Role Inheritance
L. Add Role Ascendant
M. Add Role Descendant
N. Add SSD Data Set
O. Add DSD Data Set
Enter q or Q to return to previous menu
CHOOSE REVIEW MANAGER FUNCTION:
0. Search Users
1. Search Users by OU
2. Get User by IID
3. Read User
4. Search Permissions
5. Read Permissions
6. Read Role
7. Search Roles
8. Perm Roles
9. Perm Users
A. Authorized Users
B. Role Permissions
C. Get Assigned Roles
Enter q or Q to return to previous menu
CHOOSE ACCESS MANAGER FUNCTION:
1. Authenticate
2. Create Session
3. Create Session Trusted
4. Create Session with Roles Trusted
5. Create Session with Props
6. Check Access - RBAC
7. Session Roles
8. Add Active Role to Session
9. Drop Active Role from Session
0. Show User Data in Session
A. Show UserId in Session
B. Session Permissions
Enter q or Q to return to previous menu
mvn -Dtest=AllSamplesJUnitTest test
View and change the samples here: ./src/test/java/org/apache/directory/fortress/core/samples
Compile and re-run samples to test your changes using:
mvn -Dtest=AllSamplesJUnitTest test
AdminMgr adminMgr = AdminMgrFactory.createInstance(TestUtils.getContext());
Role inRole = new Role(CreateRoleSample.TEST_ROLE_PREFIX + i);
// Permissions contain an Object to Operation mapping and, once created, can be targeted for assignment to Role entities in LDAP:
Permission inPerm = new Permission(TEST_PERM_OBJECT, TEST_PERM_OPERATION_PREFIX + j);
// This API grants a Permission to a Role:
adminMgr.grantPermission(inPerm, inRole);
Sample Notes:
This section describes the Apache Fortress jmeter test programs.
mvn install -Dload.file=./ldap/setup/LoadTestUsers.xml
A. Fortress CheckAccess: src/test/jmeter/ftCheckAccess.jmx
B. Fortress CreateSession: src/test/jmeter/ftCreateSession.jmx
C. Fortress SessionPermissions: src/test/jmeter/ftSessionPerms.jmx
D. Accelerator CheckAccess: src/test/jmeter/acCheckAccess.jmx
E. Accelerator CreateSession: src/test/jmeter/acCreateSession.jmx
These settings affect the length, duration, and the number of threads:
For example:
<ThreadGroup guiclass="ThreadGroupGui" testclass="ThreadGroup" testname="Fortress CreateSession" enabled="true">
    ...
    <elementProp name="ThreadGroup.main_controller" ...>
        <boolProp name="LoopController.continue_forever">false</boolProp>
        <stringProp name="LoopController.loops">1000</stringProp>
    </elementProp>
    <stringProp name="ThreadGroup.num_threads">10</stringProp>
    <stringProp name="ThreadGroup.ramp_time">10</stringProp>
    ...
</ThreadGroup>
This test will start ten threads in ten seconds. Each thread executes the createSession function 1000 times before terminating.
From FORTRESS_HOME folder, enter the following command from a system prompt:
A. Fortress CheckAccess:
mvn -Ploadtest jmeter:jmeter -Dtype=ftCheckAccess
B. Fortress CreateSession:
mvn -Ploadtest jmeter:jmeter -Dtype=ftCreateSession
C. Fortress SessionPermissions:
mvn -Ploadtest jmeter:jmeter -Dtype=ftSessionPerms
D. Accelerator CheckAccess:
mvn -Ploadtest jmeter:jmeter -Dtype=acCheckAccess
E. Accelerator CreateSession:
mvn -Ploadtest jmeter:jmeter -Dtype=acCreateSession
mvn install -Dload.file=./ldap/setup/refreshLDAPData.xml -Ddebug=5432
This suspends the process until a debugger connects on the specified port (5432 in this example).
fortress-load-debug:
     [echo] ############### Run Fortress Ant script to load policy ###############
 [startAnt] Listening for transport dt_socket at address: 5432
Set breakpoints in FortressAntTask
Connect with the JDB on the specified port.