MariaDB MaxScale
MXS-4689

LDAP user's connection successful when ssl was disabled on listener


Details

    • MXS-SPRINT-190

    Description

      Current Issue
      ==========
      With the authentication plugin's backend mapping set to clearpw_passthrough on MaxScale and SSL
      disabled on the listener, an external LDAP user was authenticated successfully.
      Xpand allowed the connection only because the connection from MaxScale to Xpand is over SSL; the client connection to MaxScale is not.

      This is a potential security threat.

      Expected Behaviour
      ===============
      Without MaxScale, Xpand rejects such connection requests for LDAP users and mandates SSL:

      [root@mcrae ~]# mysql -h oak012white -P 3306 -u user1 -ppassword
      ERROR 1 (HY000): [27650] Protocol error: The 'mysql_clear_password'
      authentication plugin requires SSL to be enabled.
      

      MaxScale should likewise require SSL on connections that switch to mysql_clear_password.

      Steps to Repro:

      On the Xpand servers ssl=true, on the MaxScale listener ssl=false
      ===========================================

      [root@mcrae ~]# cat /etc/maxscale.cnf
      [maxscale]
      log_info=1
      logdir=/data/clustrix/log
      threads=auto
            
      [xpand1]
      type=server
      address=10.2.16.26
      port=3306
      protocol=mariadbbackend
      ssl=true
      ssl_cert=/etc/ssl/maxscale/server-cert.pem
      ssl_key=/etc/ssl/maxscale/server-key.pem
      ssl_ca=/etc/ssl/maxscale/ca-cert.pem
       
      [xpand2]
      type=server
      address=10.2.16.25
      port=3306
      protocol=mariadbbackend
      ssl=true
      ssl_cert=/etc/ssl/maxscale/server-cert.pem
      ssl_key=/etc/ssl/maxscale/server-key.pem
      ssl_ca=/etc/ssl/maxscale/ca-cert.pem
       
      [xpand3]
      type=server
      address=10.2.16.24
      port=3306
      protocol=mariadbbackend
      ssl=true
      ssl_cert=/etc/ssl/maxscale/server-cert.pem
      ssl_key=/etc/ssl/maxscale/server-key.pem
      ssl_ca=/etc/ssl/maxscale/ca-cert.pem
            
      # Backend specific monitor and router:
      [Backend-Monitor]
      type=monitor
      module=xpandmon
      servers=xpand1,xpand2,xpand3
      user=maxscale
      password=maxscale_pw
      cluster_monitor_interval=10000ms
      dynamic_node_detection=false
            
      [Read-Only-Service]
      type=service
      router=readconnroute
      user=maxscale
      password=maxscale_pw
      router_options=running
      cluster=Backend-Monitor
            
      [Read-Only-Listener]
      type=listener
      service=Read-Only-Service
      protocol=MariaDBClient
      address=0.0.0.0
      port=3307
      authenticator=pamauth
      authenticator_options=pam_backend_mapping=clearpw_passthrough
      ssl=false
      ssl_cert=/etc/ssl/maxscale/client-cert.pem
      ssl_key=/etc/ssl/maxscale/client-key.pem
      ssl_ca=/etc/ssl/maxscale/ca-cert.pem
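
      The listener is the piece of this configuration that has to enforce SSL. As an added example (not MaxScale's own code), the following Python audit parses a maxscale.cnf excerpt modelled on the one above and reports every listener whose PAM backend mapping is clearpw_passthrough but whose ssl setting is not enabled. The sample configuration is constructed, and the set of spellings accepted as "true" is an assumption.

```python
import configparser

# Constructed excerpt mirroring the server/listener layout of the issue's maxscale.cnf.
SAMPLE_CNF = """
[xpand1]
type=server
address=10.2.16.26
port=3306
ssl=true

[Read-Only-Listener]
type=listener
service=Read-Only-Service
port=3307
authenticator=pamauth
authenticator_options=pam_backend_mapping=clearpw_passthrough
ssl=false

[Secure-Listener]
type=listener
service=Read-Only-Service
port=3308
authenticator=pamauth
authenticator_options=pam_backend_mapping=clearpw_passthrough
ssl=true
"""

def parse_maxscale_cnf(text):
    # maxscale.cnf is INI-style; keep key names as written (no lower-casing).
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}

def passes_cleartext_password(section):
    # A PAM listener mapped to clearpw_passthrough forwards the client's
    # cleartext password to the backend, so the client leg needs SSL.
    opts = section.get("authenticator_options", "")
    return "pam_backend_mapping=clearpw_passthrough" in opts.replace(" ", "")

def find_cleartext_listeners_without_ssl(text):
    findings = []
    for name, sec in parse_maxscale_cnf(text).items():
        if sec.get("type") != "listener" or not passes_cleartext_password(sec):
            continue
        # Assumption: these spellings are the ones treated as "enabled".
        if sec.get("ssl", "false").lower() not in ("true", "yes", "on", "1"):
            findings.append(name)
    return findings
```

Running find_cleartext_listeners_without_ssl on the sample reports only Read-Only-Listener; the server sections are skipped because they are not listeners.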
      

      Make a non-SSL client connection for the LDAP user via MaxScale
      ============================================
      The client connection is not secure (note "SSL: Not in use" below), yet the user is authenticated and
      authorised successfully.

      [root@mcrae ~]# mysql -h mcrae -P 3307 -u user1 -ppassword

      MySQL [(none)]> \s
      --------------
      mysql  Ver 15.1 Distrib 5.5.68-MariaDB, for Linux (x86_64) using readline 5.1
       
      Connection id:          4
      Current database:       
      Current user:           user1@mcrae.colo.sproutsys.com
      SSL:                    Not in use
      Current pager:          stdout
      Using outfile:          ''
      Using delimiter:        ;
      Server:                 MySQL
      Server version:         5.0.45-Xpand-transylvania-18710 
      Protocol version:       10
      Connection:             mcrae via TCP/IP
      Server characterset:    utf8
      Db     characterset:    utf8
      Client characterset:    utf8
      Conn.  characterset:    utf8
      TCP port:               3307
      MariaDB Xpand:                  1 sec
       
      --------------
       
      MySQL [(none)]> select current_user();
      +------------------------------------+
      | current_user()                     |
      +------------------------------------+
      | 'user1'@'mcrae.colo.sproutsys.com' |
      +------------------------------------+
      1 row in set (0.00 sec)
       
      MySQL [(none)]> show grants;
      +----------------------------------------------------------+
      | Grants for user1@mcrae.colo.sproutsys.com                |
      +----------------------------------------------------------+
      | GRANT USAGE ON *.* TO 'user1'@'mcrae.colo.sproutsys.com' |
      | GRANT `admins` TO 'user1'@'mcrae.colo.sproutsys.com'     |
      | GRANT USAGE ON *.* TO 'admins'                           |
      | GRANT `workers` TO 'user1'@'mcrae.colo.sproutsys.com'    |
      | GRANT USAGE ON *.* TO 'workers'                          |
      +----------------------------------------------------------+
      5 rows in set (0.02 sec)
      
      

      Xpand logs:
      ========

      [root@oak012white ~]# clx --start '2023-07-31 18:32:01' logdump
      [root@oak012white ~]# clx --start '2023-07-31 18:32:01' logdump debug.log
       2023-07-31 18:32:56.275531 UTC nid 2 oak012white.colo.sproutsys.com clxnode: DEBUG mysql/server/mysql_proto.c:639 server_switch_ldap_auth_message(): requesting server and client switch auth plugin to 'mysql_clear_password'
       2023-07-31 18:32:56.276531 UTC nid 2 oak012white.colo.sproutsys.com clxnode: DEBUG mysql/server/mysql_proto.c:582 ldap_auth_dns_done(): ldap_auth_dns: resolved host for 'user1'@'10.2.12.190': 'mcrae.colo.sproutsys.com'
       2023-07-31 18:32:56.276531 UTC nid 2 oak012white.colo.sproutsys.com clxnode: DEBUG core/ldap.c:845 ldap_open_impl_latched(): selected LDAP server ldaps://karma049.colo.sproutsys.com
       2023-07-31 18:32:56.276531 UTC nid 2 oak012white.colo.sproutsys.com clxnode: DEBUG core/ldap.c:691 ldap_bind_impl(): ldap_bind: dn: uid=user1,ou=users,ou=division1,dc=damanldap,dc=com
       2023-07-31 18:32:56.299531 UTC nid 2 oak012white.colo.sproutsys.com clxnode: DEBUG core/ldap.c:845 ldap_open_impl_latched(): selected LDAP server ldaps://karma049.colo.sproutsys.com
       2023-07-31 18:32:56.299531 UTC nid 2 oak012white.colo.sproutsys.com clxnode: DEBUG core/ldap.c:691 ldap_bind_impl(): ldap_bind: dn: uid=query1,ou=query,dc=damanldap,dc=com 
       2023-07-31 18:32:56.319531 UTC nid 2 oak012white.colo.sproutsys.com clxnode: DEBUG core/ldap.c:622 ldap_query_bind_done(): ldap_query: "ldaps://karma049.colo.sproutsys.com/ou=division1,dc=damanldap,dc=com?dn?sub?(&(objectClass=groupOfUniqueNames)(uniqueMember=uid=user1,ou=users,ou=division1,dc=damanldap,dc=com))", dn: ou=division1,dc=damanldap,dc=com, scope: sub, filter: (&(objectClass=groupOfUniqueNames)(uniqueMember=uid=user1,ou=users,ou=division1,dc=damanldap,dc=com))
      
      

      Maxscale logs:
      ===========

      2023-07-31 18:32:56   info   : (4) [MariaDBProtocol] Connection attributes: no attributes
       2023-07-31 18:32:56   info   : (4) [readconnroute] (Read-Only-Service); New session for server xpand1. Connections : 1
       2023-07-31 18:32:56   info   : (4) Started Read-Only-Service client session [4] for 'user1' from 10.2.12.190
       2023-07-31 18:32:56   info   : (4) Connected to 'xpand1' with thread id 339970
       2023-07-31 18:32:56   info   : (4) Authentication to 'xpand1' succeeded.
       2023-07-31 18:32:56   info   : (4) [readconnroute] (Read-Only-Service); Routed to 'xpand1': cmd: (0x03) COM_QUERY, plen: 37, type: sql::TYPE_READ|sql::TYPE_SYSVAR_READ, stmt: select @@version_comment limit 1 
       2023-07-31 18:32:56   info   : (4) [readconnroute] (Read-Only-Service); Reply complete from 'xpand1': Resultset: 1 rows in 71B
       2023-07-31 18:34:06   info   : (4) [readconnroute] (Read-Only-Service); Routed to 'xpand1': cmd: (0x03) COM_QUERY, plen: 38, type: sql::TYPE_READ, stmt: select DATABASE(), USER() limit 1 
       2023-07-31 18:34:06   info   : (4) [readconnroute] (Read-Only-Service); Reply complete from 'xpand1': Resultset: 1 rows in 127B
       2023-07-31 18:34:06   info   : (4) [readconnroute] (Read-Only-Service); Routed to 'xpand1': cmd: (0x03) COM_QUERY, plen: 120, type: sql::TYPE_READ|sql::TYPE_SYSVAR_READ, stmt: select @@character_set_client, @@character_set_connection, @@character_set_server, @@character_set_database limit 1 
       2023-07-31 18:34:06   info   : (4) [readconnroute] (Read-Only-Service); Reply complete from 'xpand1': Resultset: 1 rows in 245B
       2023-07-31 18:34:06   warning: (4) [pp_sqlite] (Read-Only-Service); The provided buffer does not contain SQL.
       2023-07-31 18:34:06   error  : (4) [pp_sqlite] (Read-Only-Service); The query could not be parsed. Either memory could not be allocated or there was no SQL to parse.
       2023-07-31 18:34:06   warning: (4) [pp_sqlite] (Read-Only-Service); The provided buffer does not contain SQL.
       2023-07-31 18:34:06   error  : (4) [pp_sqlite] (Read-Only-Service); The query could not be parsed. Either memory could not be allocated or there was no SQL to parse.
       2023-07-31 18:34:06   info   : (4) [readconnroute] (Read-Only-Service); Routed to 'xpand1': cmd: (0x09) COM_STATISTICS, plen: 5, type: N/A, stmt:  
       2023-07-31 18:34:06   info   : (4) [readconnroute] (Read-Only-Service); Reply complete from 'xpand1': Unknown result type
       2023-07-31 18:34:20   info   : (4) [readconnroute] (Read-Only-Service); Routed to 'xpand1': cmd: (0x03) COM_QUERY, plen: 26, type: sql::TYPE_READ, stmt: select current_user() 
       2023-07-31 18:34:20   info   : (4) [readconnroute] (Read-Only-Service); Reply complete from 'xpand1': Resultset: 1 rows in 102B
       2023-07-31 18:34:25   info   : (4) [readconnroute] (Read-Only-Service); Routed to 'xpand1': cmd: (0x03) COM_QUERY, plen: 16, type: sql::TYPE_READ, stmt: show grants 
       2023-07-31 18:34:25   info   : (4) [readconnroute] (Read-Only-Service); Reply complete from 'xpand1': Resultset: 5 rows in 378B
      

          People

            esa.korhonen Esa Korhonen
            damansaini Daman Saini (Inactive)