[MXS-4689] LDAP user's connection successful when ssl was disabled on listener Created: 2023-07-31  Updated: 2023-09-05  Resolved: 2023-09-05

Status: Closed
Project: MariaDB MaxScale
Component/s: xpandmon
Affects Version/s: None
Fix Version/s: 23.08.0

Type: Bug Priority: Major
Reporter: Daman Saini (Inactive) Assignee: Esa Korhonen
Resolution: Won't Fix Votes: 0
Labels: None
Environment:

Xpand Build : transylvania-18710 (beta 1)
MaxScale :
https://mdbe-ci-repo.mariadb.net/public/Maxscale/MXS-4506_2807b/centos/7/x86_64/maxscale-99.99.99-1.rhel.7.x86_64.rpm


Sprint: MXS-SPRINT-190

Description

Current Issue
==========
With the authentication plugin set to clearpw_passthrough on MaxScale and SSL
disabled on the listener, an external LDAP user was successfully authenticated.
Xpand allowed the connection only because the connection from MaxScale to Xpand is over SSL; the client's own connection to MaxScale was not.

This is a potential security threat.

Expected Behaviour
===============
Without MaxScale, Xpand rejects such connection requests for LDAP users and mandates SSL:

[root@mcrae ~]# mysql -h oak012white -P 3306 -u user1 -ppassword
ERROR 1 (HY000): [27650] Protocol error: The 'mysql_clear_password'
authentication plugin requires SSL to be enabled.

MaxScale too should require SSL for connections that negotiate a switch to mysql_clear_password.

Steps to Repro:

On xpand servers ssl=true, on maxscale listener ssl=false
===========================================

[root@mcrae ~]# cat /etc/maxscale.cnf
[maxscale]
log_info=1
logdir=/data/clustrix/log
threads=auto
      
[xpand1]
type=server
address=10.2.16.26
port=3306
protocol=mariadbbackend
ssl=true
ssl_cert=/etc/ssl/maxscale/server-cert.pem
ssl_key=/etc/ssl/maxscale/server-key.pem
ssl_ca=/etc/ssl/maxscale/ca-cert.pem
 
[xpand2]
type=server
address=10.2.16.25
port=3306
protocol=mariadbbackend
ssl=true
ssl_cert=/etc/ssl/maxscale/server-cert.pem
ssl_key=/etc/ssl/maxscale/server-key.pem
ssl_ca=/etc/ssl/maxscale/ca-cert.pem
 
[xpand3]
type=server
address=10.2.16.24
port=3306
protocol=mariadbbackend
ssl=true
ssl_cert=/etc/ssl/maxscale/server-cert.pem
ssl_key=/etc/ssl/maxscale/server-key.pem
ssl_ca=/etc/ssl/maxscale/ca-cert.pem
      
# Backend specific monitor and router:
[Backend-Monitor]
type=monitor
module=xpandmon
servers=xpand1,xpand2,xpand3
user=maxscale
password=maxscale_pw
cluster_monitor_interval=10000ms
dynamic_node_detection=false
      
[Read-Only-Service]
type=service
router=readconnroute
user=maxscale
password=maxscale_pw
router_options=running
cluster=Backend-Monitor
      
[Read-Only-Listener]
type=listener
service=Read-Only-Service
protocol=MariaDBClient
address=0.0.0.0
port=3307
authenticator=pamauth
authenticator_options=pam_backend_mapping=clearpw_passthrough
ssl=false
ssl_cert=/etc/ssl/maxscale/client-cert.pem
ssl_key=/etc/ssl/maxscale/client-key.pem
ssl_ca=/etc/ssl/maxscale/ca-cert.pem

Make a non-SSL client connection for the LDAP user via MaxScale
============================================
The client connection is not secure, but the user is authenticated and
authorised successfully.

[root@mcrae ~]# mysql -h mcrae -P 3307 -u user1 -ppassword

MySQL [(none)]> \s
--------------
mysql  Ver 15.1 Distrib 5.5.68-MariaDB, for Linux (x86_64) using readline 5.1
 
Connection id:          4
Current database:       
Current user:           user1@mcrae.colo.sproutsys.com
SSL:                    Not in use
Current pager:          stdout
Using outfile:          ''
Using delimiter:        ;
Server:                 MySQL
Server version:         5.0.45-Xpand-transylvania-18710 
Protocol version:       10
Connection:             mcrae via TCP/IP
Server characterset:    utf8
Db     characterset:    utf8
Client characterset:    utf8
Conn.  characterset:    utf8
TCP port:               3307
MariaDB Xpand:                  1 sec
 
--------------
 
MySQL [(none)]> select current_user();
+------------------------------------+
| current_user()                     |
+------------------------------------+
| 'user1'@'mcrae.colo.sproutsys.com' |
+------------------------------------+
1 row in set (0.00 sec)
 
MySQL [(none)]> show grants;
+----------------------------------------------------------+
| Grants for user1@mcrae.colo.sproutsys.com                |
+----------------------------------------------------------+
| GRANT USAGE ON *.* TO 'user1'@'mcrae.colo.sproutsys.com' |
| GRANT `admins` TO 'user1'@'mcrae.colo.sproutsys.com'     |
| GRANT USAGE ON *.* TO 'admins'                           |
| GRANT `workers` TO 'user1'@'mcrae.colo.sproutsys.com'    |
| GRANT USAGE ON *.* TO 'workers'                          |
+----------------------------------------------------------+
5 rows in set (0.02 sec)
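The configuration above has exactly the combination this report describes: the backend servers use ssl=true, the listener forwards the clear-text password (pam_backend_mapping=clearpw_passthrough), and the listener itself has ssl=false. The following audit script is an added example, not MaxScale code or part of this report. It reads the [section] key=value layout of maxscale.cnf with Python's configparser, resolves a service's backends through either servers= or cluster=<monitor> (both forms exist in MaxScale; the report uses cluster=), flags listeners that pass clear-text passwords or front TLS backends without TLS on the client leg, and rewrites the flagged listeners to ssl=true. The embedded configuration is a constructed, trimmed copy of the report's shape with placeholder addresses and passwords.

```python
"""Audit a MaxScale configuration for listeners that accept clear-text
passwords over an unencrypted client connection (added example, not
MaxScale code). Two findings are produced per listener where applicable:
  * clearpw_passthrough_without_ssl: pam_backend_mapping=clearpw_passthrough
    on a listener whose ssl is not true
  * tls_backend_plaintext_listener: the listener's service routes to servers
    with ssl=true while the listener itself has no TLS (plaintext client leg)
"""
import configparser
from typing import Dict, List

# Constructed sample: the shape of the reported maxscale.cnf, trimmed to one
# server; addresses and passwords are placeholders, not values from the report.
SAMPLE_CNF = """
[maxscale]
threads=auto

[xpand1]
type=server
address=10.0.0.1
port=3306
protocol=mariadbbackend
ssl=true
ssl_cert=/etc/ssl/maxscale/server-cert.pem
ssl_key=/etc/ssl/maxscale/server-key.pem
ssl_ca=/etc/ssl/maxscale/ca-cert.pem

[Backend-Monitor]
type=monitor
module=xpandmon
servers=xpand1
user=maxscale
password=example_pw

[Read-Only-Service]
type=service
router=readconnroute
user=maxscale
password=example_pw
cluster=Backend-Monitor

[Read-Only-Listener]
type=listener
service=Read-Only-Service
protocol=MariaDBClient
port=3307
authenticator=pamauth
authenticator_options=pam_backend_mapping=clearpw_passthrough
ssl=false
"""


def parse_cnf(text: str) -> configparser.ConfigParser:
    """maxscale.cnf is plain [section] key=value, so configparser suffices."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case exactly as written
    cp.read_string(text)
    return cp


def is_true(value) -> bool:
    """MaxScale boolean spellings: true/false, 1/0, yes/no, on/off."""
    return str(value).strip().lower() in ("true", "1", "yes", "on")


def backend_servers(cp: configparser.ConfigParser, service: str) -> List[str]:
    """Servers a service routes to, via servers= or cluster=<monitor>."""
    if not cp.has_section(service):
        return []
    sec = cp[service]
    if "servers" in sec:
        return [s.strip() for s in sec["servers"].split(",") if s.strip()]
    if "cluster" in sec and cp.has_section(sec["cluster"]):
        mon = cp[sec["cluster"]]
        return [s.strip() for s in mon.get("servers", "").split(",") if s.strip()]
    return []


def audit(text: str) -> List[Dict[str, str]]:
    """Return one finding dict per weak listener/issue pair."""
    cp = parse_cnf(text)
    findings: List[Dict[str, str]] = []
    for name in cp.sections():
        sec = cp[name]
        if sec.get("type") != "listener":
            continue
        listener_ssl = is_true(sec.get("ssl", "false"))
        opts = sec.get("authenticator_options", "").replace(" ", "")
        if "pam_backend_mapping=clearpw_passthrough" in opts and not listener_ssl:
            findings.append({"listener": name, "issue": "clearpw_passthrough_without_ssl",
                             "detail": "clear-text password accepted on a non-TLS listener"})
        tls_backends = [b for b in backend_servers(cp, sec.get("service", ""))
                        if cp.has_section(b) and is_true(cp[b].get("ssl", "false"))]
        if tls_backends and not listener_ssl:
            findings.append({"listener": name, "issue": "tls_backend_plaintext_listener",
                             "detail": "TLS to %s but no TLS from clients" % ",".join(tls_backends)})
    return findings


def harden(text: str, listeners: List[str]) -> str:
    """Rewrite the named listener sections to ssl=true, line by line so the
    key=value layout and comments of the original file are preserved."""
    flagged, out, state = set(listeners), [], {"section": None, "ssl_seen": False}

    def close_section() -> None:  # append ssl=true if the section never set it
        if state["section"] in flagged and not state["ssl_seen"]:
            i = len(out)
            while i > 0 and not out[i - 1].strip():
                i -= 1
            out.insert(i, "ssl=true")

    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            close_section()
            state["section"], state["ssl_seen"] = stripped[1:-1], False
            out.append(line)
        elif state["section"] in flagged and stripped.lower().startswith("ssl="):
            out.append("ssl=true")
            state["ssl_seen"] = True
        else:
            out.append(line)
    close_section()
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for f in audit(SAMPLE_CNF):
        print("%s: %s (%s)" % (f["listener"], f["issue"], f["detail"]))
    fixed = harden(SAMPLE_CNF, [f["listener"] for f in audit(SAMPLE_CNF)])
    print("findings after hardening:", audit(fixed))
```

Setting ssl=true on a MaxScale listener also requires ssl_key and ssl_cert for that listener; the report's Read-Only-Listener already carries them, which is why flipping the single ssl key is enough there. The second finding is the more general one: any listener without TLS in front of TLS-only backends gives clients a plaintext hop that the backend's own SSL requirement cannot see.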

Xpand logs:
========

[root@oak012white ~]# clx --start '2023-07-31 18:32:01' logdump
[root@oak012white ~]# clx --start '2023-07-31 18:32:01' logdump debug.log
 2023-07-31 18:32:56.275531 UTC nid 2 oak012white.colo.sproutsys.com clxnode: DEBUG mysql/server/mysql_proto.c:639 server_switch_ldap_auth_message(): requesting server and client switch auth plugin to 'mysql_clear_password'
 2023-07-31 18:32:56.276531 UTC nid 2 oak012white.colo.sproutsys.com clxnode: DEBUG mysql/server/mysql_proto.c:582 ldap_auth_dns_done(): ldap_auth_dns: resolved host for 'user1'@'10.2.12.190': 'mcrae.colo.sproutsys.com'
 2023-07-31 18:32:56.276531 UTC nid 2 oak012white.colo.sproutsys.com clxnode: DEBUG core/ldap.c:845 ldap_open_impl_latched(): selected LDAP server ldaps://karma049.colo.sproutsys.com
 2023-07-31 18:32:56.276531 UTC nid 2 oak012white.colo.sproutsys.com clxnode: DEBUG core/ldap.c:691 ldap_bind_impl(): ldap_bind: dn: uid=user1,ou=users,ou=division1,dc=damanldap,dc=com
 2023-07-31 18:32:56.299531 UTC nid 2 oak012white.colo.sproutsys.com clxnode: DEBUG core/ldap.c:845 ldap_open_impl_latched(): selected LDAP server ldaps://karma049.colo.sproutsys.com
 2023-07-31 18:32:56.299531 UTC nid 2 oak012white.colo.sproutsys.com clxnode: DEBUG core/ldap.c:691 ldap_bind_impl(): ldap_bind: dn: uid=query1,ou=query,dc=damanldap,dc=com 
 2023-07-31 18:32:56.319531 UTC nid 2 oak012white.colo.sproutsys.com clxnode: DEBUG core/ldap.c:622 ldap_query_bind_done(): ldap_query: "ldaps://karma049.colo.sproutsys.com/ou=division1,dc=damanldap,dc=com?dn?sub?(&(objectClass=groupOfUniqueNames)(uniqueMember=uid=user1,ou=users,ou=division1,dc=damanldap,dc=com))", dn: ou=division1,dc=damanldap,dc=com, scope: sub, filter: (&(objectClass=groupOfUniqueNames)(uniqueMember=uid=user1,ou=users,ou=division1,dc=damanldap,dc=com))

Maxscale logs:
===========

2023-07-31 18:32:56   info   : (4) [MariaDBProtocol] Connection attributes: no attributes
 2023-07-31 18:32:56   info   : (4) [readconnroute] (Read-Only-Service); New session for server xpand1. Connections : 1
 2023-07-31 18:32:56   info   : (4) Started Read-Only-Service client session [4] for 'user1' from 10.2.12.190
 2023-07-31 18:32:56   info   : (4) Connected to 'xpand1' with thread id 339970
 2023-07-31 18:32:56   info   : (4) Authentication to 'xpand1' succeeded.
 2023-07-31 18:32:56   info   : (4) [readconnroute] (Read-Only-Service); Routed to 'xpand1': cmd: (0x03) COM_QUERY, plen: 37, type: sql::TYPE_READ|sql::TYPE_SYSVAR_READ, stmt: select @@version_comment limit 1 
 2023-07-31 18:32:56   info   : (4) [readconnroute] (Read-Only-Service); Reply complete from 'xpand1': Resultset: 1 rows in 71B
 2023-07-31 18:34:06   info   : (4) [readconnroute] (Read-Only-Service); Routed to 'xpand1': cmd: (0x03) COM_QUERY, plen: 38, type: sql::TYPE_READ, stmt: select DATABASE(), USER() limit 1 
 2023-07-31 18:34:06   info   : (4) [readconnroute] (Read-Only-Service); Reply complete from 'xpand1': Resultset: 1 rows in 127B
 2023-07-31 18:34:06   info   : (4) [readconnroute] (Read-Only-Service); Routed to 'xpand1': cmd: (0x03) COM_QUERY, plen: 120, type: sql::TYPE_READ|sql::TYPE_SYSVAR_READ, stmt: select @@character_set_client, @@character_set_connection, @@character_set_server, @@character_set_database limit 1 
 2023-07-31 18:34:06   info   : (4) [readconnroute] (Read-Only-Service); Reply complete from 'xpand1': Resultset: 1 rows in 245B
 2023-07-31 18:34:06   warning: (4) [pp_sqlite] (Read-Only-Service); The provided buffer does not contain SQL.
 2023-07-31 18:34:06   error  : (4) [pp_sqlite] (Read-Only-Service); The query could not be parsed. Either memory could not be allocated or there was no SQL to parse.
 2023-07-31 18:34:06   warning: (4) [pp_sqlite] (Read-Only-Service); The provided buffer does not contain SQL.
 2023-07-31 18:34:06   error  : (4) [pp_sqlite] (Read-Only-Service); The query could not be parsed. Either memory could not be allocated or there was no SQL to parse.
 2023-07-31 18:34:06   info   : (4) [readconnroute] (Read-Only-Service); Routed to 'xpand1': cmd: (0x09) COM_STATISTICS, plen: 5, type: N/A, stmt:  
 2023-07-31 18:34:06   info   : (4) [readconnroute] (Read-Only-Service); Reply complete from 'xpand1': Unknown result type
 2023-07-31 18:34:20   info   : (4) [readconnroute] (Read-Only-Service); Routed to 'xpand1': cmd: (0x03) COM_QUERY, plen: 26, type: sql::TYPE_READ, stmt: select current_user() 
 2023-07-31 18:34:20   info   : (4) [readconnroute] (Read-Only-Service); Reply complete from 'xpand1': Resultset: 1 rows in 102B
 2023-07-31 18:34:25   info   : (4) [readconnroute] (Read-Only-Service); Routed to 'xpand1': cmd: (0x03) COM_QUERY, plen: 16, type: sql::TYPE_READ, stmt: show grants 
 2023-07-31 18:34:25   info   : (4) [readconnroute] (Read-Only-Service); Reply complete from 'xpand1': Resultset: 5 rows in 378B
Comments
Comment by Daman Saini (Inactive) [ 2023-08-15 ]

https://mdbe-ci-repo.mariadb.net/public/Maxscale/MXS-4506_0208/
and Xpand-transylvania-18728

With server and listener having ssl=true on the MaxScale side, if the user does not give/use --ssl in the mysql client command, MaxScale does not allow the user to log in, which is what we want. Only if we make the mistake of not configuring SSL for the listener do we hit MXS-4689.

[root@karma108 ~]# date ;mysql -h karma048 -P 4008 -u ldap_school_admin1_user -p'Abcd@1234'
Wed Aug  9 18:38:12 UTC 2023
ERROR 1045 (28000): Access denied for user 'ldap_school_admin1_user'@'10.2.13.91' (using password: YES)

No log in Xpand, as MaxScale itself killed this request, with the logs below in maxscale.log:

2023-08-09 18:38:12   info   : (4) [MariaDBProtocol] Connection attributes: no attributes
2023-08-09 18:38:12   warning: (4) [MariaDBProtocol] Authentication failed for user 'ldap_school_admin1_user'@[10.2.13.91] to service 'RCR'. Originating listener: 'RCR-Listener'. MariaDB error: 'Access denied for user 'ldap_school_admin1_user'@'10.2.13.91' (using password: YES)'.
2023-08-09 18:38:12   info   : (4) [MariaDBProtocol] Client ‘ldap_school_admin1_user’@‘10.2.13.91’ tried to log in without SSL when listener 'RCR-Listener' is configured to require it.
2023-08-09 18:38:12   info   : (4) Stopped RCR client session [4]

Generated at Thu Feb 08 04:30:27 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.