Bugtraq mailing list archives

Re: iplanet calendar server 5.0p2 exposes Netscape Admin Server master password
From: Adam Laurie <adam () ALGROUP CO UK>
Date: Tue, 1 May 2001 10:40:12 +0100

Marina.Davidovich () us hsbc COM wrote:

> The LDAP server behind the iPlanet calendar server is not the same master LDAP
> server which is used to contain user/group profiles, passwords, ACLs, SSL
> certificates, or other sensitive company information.  It is only used to store
> calendar-specific data and user preferences related to their calendar.  The
> attached document describes the interaction of the iPlanet calendar server with
> this calendar-specific database and has been signed-off by both the security and
> architectural committees (see iPlanet Calendar Authentication and Registration
> section, pg 8).

from the calendar installation guide
(http://docs.iplanet.com/docs/manuals/calendar/ics50/ig/icsigprp.htm#1017976):

  "If your users are already stored in an LDAP directory, the simplest
  solution for deploying iPlanet Calendar Server is to upgrade your
  directory server to Netscape Directory Server 4.12 (or later) which
  supports the schema extensions that enable users to access iPlanet
  Calendar Server data. Otherwise, you can modify your directory schema
  manually to allow your users to access to iPlanet Calendar Server
  data."

the installation process requests admin username & password to your
existing LDAP server (a prerequisite for the install), and installs the
required schema updates. to do this it needs "root" access to the LDAP
server. it then stores the supplied username and password in the file
ics.conf, preceded by the comment:

  ! WARNING: DO NOT CHANGE OR DELETE THE FOLLOWING CONFIGURATION FILE ENTRY.
  ! THIS ENTRY WAS AUTOMATICALLY GENERATED BY THE INSTALLATION PROGRAM.
  ! IT IS USED ONLY BY THE INSTALLATION AND UNINSTALLATION PROGRAMS.
  ! THIS ENTRY IS COMPLETELY IGNORED BY ALL OF THE INSTALLED PRODUCTS.
  ! IF YOU CHANGE OR DELETE THIS ENTRY, THE INSTALLATION AND UNINSTALLATION
  ! PROGRAMS COULD FAIL THE NEXT TIME THEY ARE RUN.

and the entry itself:

  ! Bind credentials (password) for user specified in local.authldapbinddn.
  local.authldapbindcred = "oopsilostmypassword"
  !
  ! DN used to bind to LDAP authentication host to search for user's dn.
  local.authldapbinddn = "uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot"

the LDAP server is usually a Netscape Directory Server. installation
notes from that product
(http://home.netscape.com/eng/server/directory/4.1/install/prepare.htm#1016382)
say:

  "All 4.x Netscape servers use an instance of the Directory Server to
  store configuration information. This information is stored in the
  o=NetscapeRoot directory tree. Your configuration directory is the
  Directory Server that contains the o=NetscapeRoot tree used by your
  Netscape servers."

the above server is administered by the netscape admin console
(/usr/netscape/server4/startconsole). using the username & password
provided earlier, and now found in ics.conf, full administrative access
to the Directory Server is granted, including access to SSL certs and
any other Netscape product information stored on that server.

> The ics.conf configuration file does contain information about the
> calendar-specific LDAP server so that the calendar server processes can connect
> to it.

indeed. the calendar specific entries would appear to be:

  ! User specified as the iPlanet Calendar Server administrator.
  service.admin.calmaster.userid = "calmaster"
  ! Bind credentials (password) for user specified in service.admin.calmaster.userid.
  service.admin.calmaster.cred = "fubar"

> The ownership on the file is icsuser and group is icsgroup.  The
> security mode on this file does not need to allow read access by anyone who is
> not in the icsgroup.  Thus, the permissions may be set to -rw-r-----
> with no adverse effects.  This will secure the administrative access to this
> calendar-specific LDAP server.

i suggest iplanet do that by default then.

cheers,
Adam
--
Adam Laurie                   Tel: +44 (20) 8742 0755
A.L. Digital Ltd.             Fax: +44 (20) 8742 5995
Voysey House                  http://www.thebunker.net
Barley Mow Passage            http://www.aldigital.co.uk
London W4 4GB                 mailto:adam () algroup co uk
UNITED KINGDOM                PGP key on keyservers
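An added audit script, not part of the thread above and not iPlanet's own tooling, for the two conditions the exchange describes: an ics.conf that carries cleartext bind credentials (the `*cred` keys quoted in the reply) and a file mode that lets users outside icsgroup read it. The sample ics.conf contents are constructed from the entries quoted in the thread; the function names are the author's own.

```shell
#!/bin/sh
# Added example (not from the original thread): audit an ics.conf-style file
# for cleartext credential entries and for world-readable permissions.
# The sample file written by make_sample_conf is constructed for this example.

# Write a constructed ics.conf fragment modelled on the entries quoted in the thread.
make_sample_conf() {
  cat > "$1" <<'EOF'
! Bind credentials (password) for user specified in local.authldapbinddn.
local.authldapbindcred = "oopsilostmypassword"
!
! DN used to bind to LDAP authentication host to search for user's dn.
local.authldapbinddn = "uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot"
! User specified as the iPlanet Calendar Server administrator.
service.admin.calmaster.userid = "calmaster"
! Bind credentials (password) for user specified in service.admin.calmaster.userid.
service.admin.calmaster.cred = "fubar"
EOF
}

# Print the names (never the values) of keys whose name suggests a credential.
# ics.conf comment lines start with "!" and therefore never match.
list_cred_keys() {
  grep -E '^[[:space:]]*[A-Za-z0-9._]*(cred|passw)[A-Za-z0-9._]*[[:space:]]*=' "$1" \
    | sed -E 's/^[[:space:]]*([^=[:space:]]+).*/\1/'
}

# True when the "other" read bit is set (column 8 of ls -l is the other-read flag).
is_world_readable() {
  [ "$(ls -ld "$1" | cut -c8)" = "r" ]
}

# Report credential-bearing keys; return 1 when such a file is also world-readable.
audit_ics_conf() {
  keys=$(list_cred_keys "$1")
  [ -n "$keys" ] || return 0
  echo "$1: contains cleartext credential entries:"
  printf '  %s\n' $keys
  if is_world_readable "$1"; then
    echo "$1: is world-readable; restrict it to owner and group (chmod 640)"
    return 1
  fi
  return 0
}

# Stand-alone demonstration on a temporary copy of the constructed file.
demo() {
  tmp=$(mktemp)
  make_sample_conf "$tmp"
  chmod 644 "$tmp"                      # default-style world-readable mode
  audit_ics_conf "$tmp" || echo "=> FAIL: credentials readable by everyone"
  chmod 640 "$tmp"                      # the -rw-r----- mode suggested in the reply
  audit_ics_conf "$tmp" && echo "=> OK: credentials limited to owner and group"
  rm -f "$tmp"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it as `sh audit_ics_conf.sh demo`, or source it and point `audit_ics_conf` at a real ics.conf. The check deliberately prints key names only, so the report itself does not copy the passwords anywhere new.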