[MXS-4689] LDAP user's connection successful when ssl was disabled on listener - Jira

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Major
Resolution: Won't Fix
Affects Version/s: None
Fix Version/s: 23.08.0
Component/s: xpandmon
Labels:
None
Environment:

Hide
Xpand Build : transylvania-18710 (beta 1)
MaxScale :
https://mdbe-ci-repo.mariadb.net/public/Maxscale/MXS-4506_2807b/centos/7/x86_64/maxscale-99.99.99-1.rhel.7.x86_64.rpm

Show
Xpand Build : transylvania-18710 (beta 1) MaxScale : https://mdbe-ci-repo.mariadb.net/public/Maxscale/MXS-4506_2807b/centos/7/x86_64/maxscale-99.99.99-1.rhel.7.x86_64.rpm

Sprint:
MXS-SPRINT-190

Description

Current Issue
==========
With the authentication plugin set to clearpw_passthrouh on maxscale and ssl
disabled for listener, external LDAP user got successfully authenticated.
Xpand allowed the connection only because the connection from maxscale is over SSL

This is a potential security threat.

Expected Behaviour
===============
Without Maxscale, Xpand reject such connection requests for ldap users and mandates the requirement of SSL.

[root@mcrae ~]# mysql -h oak012white -P 3306 -u user1 -ppassword

ERROR 1 (HY000): [27650] Protocol error: The 'mysql_clear_password'

authentication plugin requires SSL to be enabled.

Maxscale too should ask for SSL for connections trying to negotiate over to mysql_clear_password.

Steps to Repro:

On xpand servers ssl=true, on maxscale listener ssl=false
===========================================

[root@mcrae ~]# cat /etc/maxscale.cnf

[maxscale]

log_info=1

logdir=/data/clustrix/log

threads=auto

[xpand1]

type=server

address=10.2.16.26

port=3306

protocol=mariadbbackend

ssl=true

ssl_cert=/etc/ssl/maxscale/server-cert.pem

ssl_key=/etc/ssl/maxscale/server-key.pem

ssl_ca=/etc/ssl/maxscale/ca-cert.pem

[xpand2]

type=server

address=10.2.16.25

port=3306

protocol=mariadbbackend

ssl=true

ssl_cert=/etc/ssl/maxscale/server-cert.pem

ssl_key=/etc/ssl/maxscale/server-key.pem

ssl_ca=/etc/ssl/maxscale/ca-cert.pem

[xpand3]

type=server

address=10.2.16.24

port=3306

protocol=mariadbbackend

ssl=true

ssl_cert=/etc/ssl/maxscale/server-cert.pem

ssl_key=/etc/ssl/maxscale/server-key.pem

ssl_ca=/etc/ssl/maxscale/ca-cert.pem

# Backend specific monitor and router:

[Backend-Monitor]

type=monitor

module=xpandmon

servers=xpand1,xpand2,xpand3

user=maxscale

password=maxscale_pw

cluster_monitor_interval=10000ms

dynamic_node_detection=false

[Read-Only-Service]

type=service

router=readconnroute

user=maxscale

password=maxscale_pw

router_options=running

cluster=Backend-Monitor

[Read-Only-Listener]

type=listener

service=Read-Only-Service

protocol=MariaDBClient

address=0.0.0.0

port=3307

authenticator=pamauth

authenticator_options=pam_backend_mapping=clearpw_passthrough

ssl=false

ssl_cert=/etc/ssl/maxscale/client-cert.pem

ssl_key=/etc/ssl/maxscale/client-key.pem

ssl_ca=/etc/ssl/maxscale/ca-cert.pem

Make a non-ssl client connection for ldap user via maxscale
============================================
The client connection is not secure but the user gets authenticated and
authorised successfully.

[root@mcrae ~]# mysql -h mcrae -P 3307 -u user1 -ppassword

MySQL [(none)]> \s

--------------

mysql  Ver 15.1 Distrib 5.5.68-MariaDB, for Linux (x86_64) using readline 5.1

Connection id:          4

Current database:

Current user:           user1@mcrae.colo.sproutsys.com

SSL:                    Not in use

Current pager:          stdout

Using outfile:          ''

Using delimiter:        ;

Server:                 MySQL

Server version:         5.0.45-Xpand-transylvania-18710

Protocol version:       10

Connection:             mcrae via TCP/IP

Server characterset:    utf8

Db     characterset:    utf8

Client characterset:    utf8

Conn.  characterset:    utf8

TCP port:               3307

MariaDB Xpand:                  1 sec

--------------

MySQL [(none)]> select current_user();

+------------------------------------+

| current_user()                     |

+------------------------------------+

| 'user1'@'mcrae.colo.sproutsys.com' |

+------------------------------------+

1 row in set (0.00 sec)

MySQL [(none)]> show grants;

+----------------------------------------------------------+

| Grants for user1@mcrae.colo.sproutsys.com                |

+----------------------------------------------------------+

| GRANT USAGE ON *.* TO 'user1'@'mcrae.colo.sproutsys.com' |

| GRANT `admins` TO 'user1'@'mcrae.colo.sproutsys.com'     |

| GRANT USAGE ON *.* TO 'admins'                           |

| GRANT `workers` TO 'user1'@'mcrae.colo.sproutsys.com'    |

| GRANT USAGE ON *.* TO 'workers'                          |

+----------------------------------------------------------+

5 rows in set (0.02 sec)

Xpand logs:
========

[root@oak012white ~]# clx --start '2023-07-31 18:32:01' logdump

[root@oak012white ~]# clx --start '2023-07-31 18:32:01' logdump debug.log

 2023-07-31 18:32:56.275531 UTC nid 2 oak012white.colo.sproutsys.com clxnode: DEBUG mysql/server/mysql_proto.c:639 server_switch_ldap_auth_message(): requesting server and client switch auth plugin to 'mysql_clear_password'

 2023-07-31 18:32:56.276531 UTC nid 2 oak012white.colo.sproutsys.com clxnode: DEBUG mysql/server/mysql_proto.c:582 ldap_auth_dns_done(): ldap_auth_dns: resolved host for 'user1'@'10.2.12.190': 'mcrae.colo.sproutsys.com'

 2023-07-31 18:32:56.276531 UTC nid 2 oak012white.colo.sproutsys.com clxnode: DEBUG core/ldap.c:845 ldap_open_impl_latched(): selected LDAP server ldaps://karma049.colo.sproutsys.com

 2023-07-31 18:32:56.276531 UTC nid 2 oak012white.colo.sproutsys.com clxnode: DEBUG core/ldap.c:691 ldap_bind_impl(): ldap_bind: dn: uid=user1,ou=users,ou=division1,dc=damanldap,dc=com

 2023-07-31 18:32:56.299531 UTC nid 2 oak012white.colo.sproutsys.com clxnode: DEBUG core/ldap.c:845 ldap_open_impl_latched(): selected LDAP server ldaps://karma049.colo.sproutsys.com

 2023-07-31 18:32:56.299531 UTC nid 2 oak012white.colo.sproutsys.com clxnode: DEBUG core/ldap.c:691 ldap_bind_impl(): ldap_bind: dn: uid=query1,ou=query,dc=damanldap,dc=com

 2023-07-31 18:32:56.319531 UTC nid 2 oak012white.colo.sproutsys.com clxnode: DEBUG core/ldap.c:622 ldap_query_bind_done(): ldap_query: "ldaps://karma049.colo.sproutsys.com/ou=division1,dc=damanldap,dc=com?dn?sub?(&(objectClass=groupOfUniqueNames)(uniqueMember=uid=user1,ou=users,ou=division1,dc=damanldap,dc=com))", dn: ou=division1,dc=damanldap,dc=com, scope: sub, filter: (&(objectClass=groupOfUniqueNames)(uniqueMember=uid=user1,ou=users,ou=division1,dc=damanldap,dc=com))

Maxscale logs:
===========

2023-07-31 18:32:56   info   : (4) [MariaDBProtocol] Connection attributes: no attributes

 2023-07-31 18:32:56   info   : (4) [readconnroute] (Read-Only-Service); New session for server xpand1. Connections : 1

 2023-07-31 18:32:56   info   : (4) Started Read-Only-Service client session [4] for 'user1' from 10.2.12.190

 2023-07-31 18:32:56   info   : (4) Connected to 'xpand1' with thread id 339970

 2023-07-31 18:32:56   info   : (4) Authentication to 'xpand1' succeeded.

 2023-07-31 18:32:56   info   : (4) [readconnroute] (Read-Only-Service); Routed to 'xpand1': cmd: (0x03) COM_QUERY, plen: 37, type: sql::TYPE_READ|sql::TYPE_SYSVAR_READ, stmt: select @@version_comment limit 1

 2023-07-31 18:32:56   info   : (4) [readconnroute] (Read-Only-Service); Reply complete from 'xpand1': Resultset: 1 rows in 71B

 2023-07-31 18:34:06   info   : (4) [readconnroute] (Read-Only-Service); Routed to 'xpand1': cmd: (0x03) COM_QUERY, plen: 38, type: sql::TYPE_READ, stmt: select DATABASE(), USER() limit 1

 2023-07-31 18:34:06   info   : (4) [readconnroute] (Read-Only-Service); Reply complete from 'xpand1': Resultset: 1 rows in 127B

 2023-07-31 18:34:06   info   : (4) [readconnroute] (Read-Only-Service); Routed to 'xpand1': cmd: (0x03) COM_QUERY, plen: 120, type: sql::TYPE_READ|sql::TYPE_SYSVAR_READ, stmt: select @@character_set_client, @@character_set_connection, @@character_set_server, @@character_set_database limit 1

 2023-07-31 18:34:06   info   : (4) [readconnroute] (Read-Only-Service); Reply complete from 'xpand1': Resultset: 1 rows in 245B

 2023-07-31 18:34:06   warning: (4) [pp_sqlite] (Read-Only-Service); The provided buffer does not contain SQL.

 2023-07-31 18:34:06   error  : (4) [pp_sqlite] (Read-Only-Service); The query could not be parsed. Either memory could not be allocated or there was no SQL to parse.

 2023-07-31 18:34:06   warning: (4) [pp_sqlite] (Read-Only-Service); The provided buffer does not contain SQL.

 2023-07-31 18:34:06   error  : (4) [pp_sqlite] (Read-Only-Service); The query could not be parsed. Either memory could not be allocated or there was no SQL to parse.

 2023-07-31 18:34:06   info   : (4) [readconnroute] (Read-Only-Service); Routed to 'xpand1': cmd: (0x09) COM_STATISTICS, plen: 5, type: N/A, stmt:

 2023-07-31 18:34:06   info   : (4) [readconnroute] (Read-Only-Service); Reply complete from 'xpand1': Unknown result type

 2023-07-31 18:34:20   info   : (4) [readconnroute] (Read-Only-Service); Routed to 'xpand1': cmd: (0x03) COM_QUERY, plen: 26, type: sql::TYPE_READ, stmt: select current_user()

 2023-07-31 18:34:20   info   : (4) [readconnroute] (Read-Only-Service); Reply complete from 'xpand1': Resultset: 1 rows in 102B

 2023-07-31 18:34:25   info   : (4) [readconnroute] (Read-Only-Service); Routed to 'xpand1': cmd: (0x03) COM_QUERY, plen: 16, type: sql::TYPE_READ, stmt: show grants

 2023-07-31 18:34:25   info   : (4) [readconnroute] (Read-Only-Service); Reply complete from 'xpand1': Resultset: 5 rows in 378B

Attachments

Activity

People

Assignee:: Esa Korhonen

Reporter:: Daman Saini (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 2023-07-31 22:17

Updated:: 2023-09-05 16:22

Resolved:: 2023-09-05 16:22

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.