08-23-2012 04:55 AM
LDAPs no authentication?
Hello. I am looking at directory integration for iLO and I really can't trust it:
- You specify an LDAPs directory server
- You never specify a certificate (or any certificate) that must work with this server
Would not this mean that if an attacker can steal the IP of the Directory server he can also steal the credentials for any user logging on? Or at least use this for a man in the middle/proxy attack (iLO uses the users credentials when authenticating to the directory)?
Is there at least a warning if iLO encounters a new certificate when connecting to the directory server?
Tags: LDAP
08-23-2012 04:58 AM
Re: LDAPs no authentication?
08-24-2012 01:50 AM
Re: LDAPs no authentication?
I managed to decrypt the LDAPS authentication from iLO to my Domain Controller. It uses LDAP simple bind, which basically transfers username/password in clear text. So if no verification of the certificate is done, this means that a MITM attack will be able to steal the credentials of the user.
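The post above reports that the bind iLO sends is an LDAP simple bind. The following is an added example, not code from this thread or from HPE: a small BER decoder for an LDAPv3 BindRequest (RFC 4511) that tells a simple bind, where the password travels as a plain OCTET STRING and is protected only by the TLS channel, from a SASL bind such as GSSAPI, which is how the Kerberos option mentioned later in the thread authenticates without ever sending the password. The sample messages, the DN "cn=admin" and the password values are constructed for the example; the function `bind_exposes_credentials` is an assumption about how an auditor would combine the bind type with whether the client verified the server certificate.

```python
from typing import Any, Dict, Tuple

# BER tags used by an LDAPv3 BindRequest (RFC 4511, section 4.2).
TAG_SEQUENCE = 0x30
TAG_INTEGER = 0x02
TAG_OCTET_STRING = 0x04
TAG_BIND_REQUEST = 0x60   # [APPLICATION 0], constructed
TAG_AUTH_SIMPLE = 0x80    # AuthenticationChoice simple: [0] OCTET STRING
TAG_AUTH_SASL = 0xA3      # AuthenticationChoice sasl: [3] SaslCredentials

# Constructed wire sample: messageID 1, version 3, name "cn=admin", simple password "secret".
RAW_SIMPLE_BIND = bytes.fromhex(
    "301a" "020101" "6015" "020103" "0408" "636e3d61646d696e" "8006" "736563726574"
)


def _tlv(tag: int, value: bytes) -> bytes:
    """Encode one BER tag-length-value element with a definite length."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + value


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode the element starting at buf[pos]; return (tag, value, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:  # long form: the low 7 bits say how many length bytes follow
        n = first & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("unsupported or truncated BER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated BER value")
    return tag, value, pos + length


def _bind_message(message_id: int, dn: str, authentication: bytes) -> bytes:
    body = _tlv(TAG_INTEGER, bytes([3])) + _tlv(TAG_OCTET_STRING, dn.encode()) + authentication
    return _tlv(TAG_SEQUENCE, _tlv(TAG_INTEGER, bytes([message_id])) + _tlv(TAG_BIND_REQUEST, body))


def build_simple_bind(message_id: int, dn: str, password: str) -> bytes:
    """Constructed sample: simple bind, the password is a plain OCTET STRING."""
    return _bind_message(message_id, dn, _tlv(TAG_AUTH_SIMPLE, password.encode()))


def build_sasl_bind(message_id: int, dn: str, mechanism: str, token: bytes) -> bytes:
    """Constructed sample: SASL bind (GSSAPI is the mechanism Kerberos uses)."""
    sasl = _tlv(TAG_OCTET_STRING, mechanism.encode()) + _tlv(TAG_OCTET_STRING, token)
    return _bind_message(message_id, dn, _tlv(TAG_AUTH_SASL, sasl))


def classify_bind(message: bytes) -> Dict[str, Any]:
    """Parse an LDAPMessage carrying a BindRequest and report how it authenticates."""
    tag, msg, _ = _read_tlv(message, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an LDAPMessage")
    tag, mid, pos = _read_tlv(msg, 0)
    if tag != TAG_INTEGER:
        raise ValueError("missing messageID")
    tag, op, _ = _read_tlv(msg, pos)
    if tag != TAG_BIND_REQUEST:
        raise ValueError("protocolOp is not a BindRequest")
    _, version, pos = _read_tlv(op, 0)
    _, name, pos = _read_tlv(op, pos)
    tag, auth, _ = _read_tlv(op, pos)
    info: Dict[str, Any] = {
        "message_id": int.from_bytes(mid, "big", signed=True),
        "version": version[0],
        "name": name.decode(),
    }
    if tag == TAG_AUTH_SIMPLE:
        # The OCTET STRING is the password itself; only its length is reported here.
        info.update(method="simple", cleartext_password_len=len(auth))
    elif tag == TAG_AUTH_SASL:
        _, mechanism, _ = _read_tlv(auth, 0)
        info.update(method="sasl", mechanism=mechanism.decode())
    else:
        raise ValueError("unknown AuthenticationChoice tag 0x%02x" % tag)
    return info


def bind_exposes_credentials(info: Dict[str, Any], server_cert_verified: bool) -> bool:
    """Assumed audit rule: a simple bind is only as private as the TLS channel, so
    without certificate verification an interposed server reads the password.
    A SASL/GSSAPI bind never carries the password, verified channel or not."""
    return info["method"] == "simple" and not server_cert_verified


if __name__ == "__main__":
    for sample in (RAW_SIMPLE_BIND, build_sasl_bind(2, "", "GSSAPI", b"\x60\x00")):
        found = classify_bind(sample)
        print(found, "exposed without cert check:", bind_exposes_credentials(found, False))
```

Run the file directly to see both samples classified. The decoder handles only definite-length BER, which is what LDAP clients emit; anything truncated raises `ValueError` rather than being silently misread.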
08-24-2012 01:35 PM
Re: LDAPs no authentication?
If you are that concerned about a potential MITM attack in your environment, you should consider using Kerberos. Both iLO3 and iLO4 support it.
__________________________________________________
If you feel this was helpful please click the KUDOS! thumb below!
08-25-2012 08:36 AM
Re: LDAPs no authentication?
It's not that I am concerned that it will happen, but as an organization it is imperative to know that it can happen.
Anyway, the thing about it is that it would not be that hard to implement a verification technology, e.g. you upload the CA for the LDAPS server and everything would be fine (at least good enough; LDAP simple bind should not be used though).
What annoys me the most is that HP has actually published a document trying to document how secure iLO is, but has left out any mention of the use of LDAP simple bind and whether the LDAPS certificate is at any point verified. Kerberos is not mentioned at all.
Kerberos might work, but that also involves creating AD objects for every iLO interface, something that makes the implementation more complex.
08-26-2012 11:55 AM
Re: LDAPs no authentication?
I'm going to bring your concern to the iLO team.
__________________________________________________
If you feel this was helpful please click the KUDOS! thumb below!
08-27-2012 10:48 AM
Re: LDAPs no authentication?
Cheers!
I verified this attack today, by the way; it was as I suspected, which means directory authentication is not safe against a man-in-the-middle.
I believe Kerberos is safe, as long as you only use the "HP Zerologin" button; if you enter credentials I believe it will use directory authentication as a fallback if it cannot authenticate using Kerberos (again, a man-in-the-middle attack). Kerberos is also not supported on iLO2/1. I have not tried authentication with HP extended schema yet.
This would also be true for cpqlocfg.exe, which cannot verify the SSL certificate of the iLO interface... Of course you might possibly be able to download the certificate using XML and verify it by other means, but that would require two operations, which means that an attack is possible. The problem with this is when/if you need to upload a new keytab (Kerberos) or LOM password (iLO2), which could be hijacked. A workaround here is of course to distribute it through safe ways to the operating system and use local scripts to import them. (Or write your own script that works through XML or the web interface.)