Comparing Distinguished LDAP Names

In a Bourne Shell script, a distinguished name (DN) for performing an LDAP-query is held in a variable:

dn="cn=Malmø,ou=County Capitals,dc=Sweden,dc=Europe"

For the purpose of demonstration, this example DN contains a non-ASCII character.

Let’s write a Bourne Shell function that escapes such special characters as requested by RFC 4514 using perl’s Net::LDAP::Util:

canonical_dn() {
    perl -s -MNet::LDAP::Util -e '
        print Net::LDAP::Util::canonical_dn($dn, mbcescape=>1)
    ' -- -dn="$1"
}

Let’s test the function:

echo "Unescaped DN: $dn"
echo "Escaped DN:   $(canonical_dn "$dn")"

The expected output is:

Unescaped DN: cn=Malmø,ou=County Capitals,dc=Sweden,dc=Europe
Escaped DN:   CN=Malm\c3\b8,OU=County Capitals,DC=Sweden,DC=Europe

With a normalized notation, DN values are more robust when sending them to external applications such as the OpenLDAP client tools (ldapsearch & Co.), and certain operations on DNs inside the shellscript itself become a bit more feasible.

But note: For various reasons, DNs can not be reliaby compared for equality, even if both are normalized using canonical_dn. For example, attributes can have a long and a short name, both are valid when denoting a DN, and the OID of an attribute can also be used when denoting a DN. The following DNs address identical entries:

  • cn=Malmø,ou=County Capitals,dc=Sweden,dc=Europe
  • commonName=Malmø,ou=County Capitals,dc=Sweden,dc=Europe
  • 2.5.4.3=Malmø,ou=County Capitals,dc=Sweden,dc=Europe

The information that all these notations of the same attribute commonName are identical is contained in the schema of the LDAP database that is being queried, and neither canonical_dn nor the shellscript can apply this information, this can only be done by an LDAP server.

This made me wonder if there is a canonical way of comparing two DN representations for identity using interaction with an LDAP directory access server. Apparently this is not so:

  • RFC 2251 lists „bind“, „search“, „modify“, „add“, „delete“ and „modify DN“ as supported message types.
  • RFC 2253 makes no mention of DN comparison.
  • I am not aware of an extended request for comparing DNs, at least not one that was widespread across implementations.  ldapwiki.com lists „cancel“, „password modify“, „StartTLS“ and „Who am I“ as known examples, ldap.com additionally lists „Start Transaction“ and „End Transaction“, calling them „standard extended operation types“.

Was manche Leute in ihrer „Datenschutzerklärung“ stehen haben …

Gesehen auf https://t3n.de/datenschutz/ am 23. Juli 2020, Zitat: „Eine Einwilligung in den Einsatz des Facebook-Pixels darf nur von Nutzern, die älter als 13 Jahre alt sind, erklärt werden. Falls Sie jünger sind, bitten wir Sie, Ihre Erziehungsberechtigten um Erlaubnis zu fragen.“

Das von t3n als „Datenschutzerklärung“ bezeichnete Dokument ist 110991 Zeichen in 13945 Wörtern lang; das obige Zitat erfolgt nach 40% des gesamten Texts bzw. nach 5681 Wörtern, die man hat lesen müssen, um bei dieser Information anzukommen. Eine so relevante Information, die nämlich mitteilt, dass unter 13 Jahre alte Benutzer die Webseite nur mit Einwilligung ihrer Erziehungsberechtigten verwenden dürfen, halte ich persönlich für reichlich unzugänglich.

Noch ein Zitat aus besagtem Dokument: „Facebook Inc. mit Sitz in den USA ist für das us-europäische Datenschutzübereinkommen „Privacy Shield“ zertifiziert, welches die Einhaltung des in der EU geltenden Datenschutzniveaus gewährleistet.“

Diese Aussage ist mit einem Urteil des europäischen Gerichtshofs vom 16. Juli 2020 als falsch festgestellt, und eine Änderung des Dokuments wird nötig sein. Das wäre vieleicht ein guter Anlass, auch an anderen Stellen in diesem Dokument für mehr Klarheit zu sorgen.

So it is possible …

Update August 28th 2021: I have identified some TLDs that apparently can be used for testing purposes. I have updated the text as indicated.

… to have DNS top level domains for bargains (.bargain), the bible (.bible), black friday (.blackfriday) and marketing and social networking (.buzz), but it is not possible to have a TLD reserved for documentation and testing purposes. Instead, (see Update below).

Examples that use „example.com“ are in widespread circulation,  a domain which is owned by IANA but points to a system controlled by Verizon, Inc.:

dig +short example.com
93.184.216.34

whois 93.184.216.34 | grep ^person
person: Derrick Sawyer

Search LinkedIn for Mr. Derrick Sawyer. 🙂

Update: I have to correct myself at this point: RFC 2606 propagates the following TLDs for testing purposes, they shall never be included in the root zone of public DNS:

  • .test – A TLD that will never be public and can be used in non-public DNS for testing/demonstration purposes.
  • .example – A TLD that will never be public and can be used in documentation.
  • .invalid – A TLD that will never be public and can be used in documentation, indicating DNS records that can not be resolved.

My advice is, to use these and do not use example.(com|org) or anything else in your documentation.

… to have browsers ship with DNS over HTTPS (DoH), pointing to Cloudflare, Inc. as provider, but there is no freely available DoH server. Instead, widespread examples combine Nginx, a freemium web proxy/server software controlled by F5, Inc., with a DNS resolver such as Unbound.

… to have all major DNS servers ship with an off-switch called „DNSSEC“, operated by Verisign, Inc., controlled by the government of the USA,but not one major DNS server software can serve DNS over HTTPS/TLS natively. Instead, again, constructs involving proxy software which will mess up access control are suggested by widespread documents.

DNS is messed up.

Sitzgelegenheit im Garten

Ich bin recht viel Zuhause die Tage 🙂 Da komme ich ab und zu auch wieder zum Basteln.

Vor ein paar Jahren hatte ich eine historische Parkbank aufwändig restauriert, wobei ich vom Gestell etwa vierzig Prozent abschneiden musste, da es unrettbar korrodiert war. Das Holz hatte ich mit handelsüblichen Kiefer-Leisten, geschliffen und mit Wetterschutz-Farbe ersetzt. Dann stand das Ding erstmal nur herum, da saß ich vielleicht dreimal im Jahr drauf, wenn’s hochkommt … fand ich immer schade. Weiterlesen … »

Endlich Sommer …

… im April. 😯

Determining User Access on a Linux Filesystem with „Classic Permissions“

Introduction

Looking at a Linux filesystem, checking if a certain file or directory is accessible for reading, writing or executing by certain users or groups poses interesting challenges.

Let the basic and seemingly simple question be: „Given a user X and a file Y, can it be determined if X has access to Y, and if yes, how can it be determined?“ A simple answer was: „Let X try to access Y, and if it does not work, X does not have that kind of access.“ However, this may not be feasible: The users, files and directories in question may not exist yet. More generally, access by users to files and directories should be predictable; appropriate access restrictions should be placed in advance, not after exposing possibly sensitive information. Also, certain types of access, such as deleting a file or directory, can not be simulated in a safe manner.

Moreover, a test procedure that just involves „trying to access the file“ may be incomplete: Just because the way the test procedure has attempted access did not succeed, that does not mean that there is no procedure at all by which the user in question can access the file.

This article investigates Linux filesystems that implement the semantics of „classic UNIX permissions“ in an effort to find more exhaustive methods of determining access.

The Backport of Bugfix #4864 to Squid Version 4

With SSL-bumping enabled, with an unpatched version of Squid, the service can crash with this errormessage: 

!Comm::MonitorsRead assertion in HttpStateData::maybeReadVirginBody()

This bug is fixed in Squid version 5, which was a sponsored effort by the developers of Squid. There is an effort of getting a bugfix into v4, which can be followed here.

There also is an unofficial backport of the v5 patch announced by Alex Rousskov here and attached here. It apparently fixes the crash (all my reproducible test cases were resolved by this patch, and i am not aware of side-effects). Some Linux distributions apply this patch to their packaged versions of Squid version 4, but unfortunately is not included with Debian GNU/Linux 10 „buster“, which is the current stable release.

Until then, the following describes a simple way of creating a locally patched version of the squid package:

apt -y install build-essential devscripts quilt
apt-get -y build-dep squid
cd /usr/src/packages
apt-get source squid
cd squid-4.6
curl -k https://bugs.squid-cache.org/attachment.cgi?id=3739 -o /tmp/4846.diff
quilt import /tmp/4846.diff
rm /tmp/4846.diff
debchange --local "~patch" --no-auto-nmu \
"Applied long term fix v4 take 2 for Squid bug 4864"
# Check debian/changelog
debuild
cd ..
ls squid*deb

This renders Debian packages of squid that can be installed using dpkg. The packages will have their version appended with local suffix „~patch1“. Change the value for option --local of debchange to control the version suffix. During above procedure, check debian/changelog where indicated to see if the result meets your requirements.

Taking an Online Backup of a SAMBA-4 ActiveDirectory

Notes:

  • The following procedure is available starting with SAMBA version 4.9.
  • The procedure can be performed on a host that is unrelated to the domain, but one domain controller must be reachable, must be used as a nameserver at the time of the backup and have open ports for DNS (53/tcp and /udp) SSH (22/tcp), LDAP (389/tcp), Kerberos (88/tcp and udp) and SMB (445/tcp).

1. On the machine that will be used to perform the backup, if not already present, install SAMBA.

apt -y install samba

2. Get the current smb.conf from the DC you want to query:

scp dc01.ad.example.com:/etc/samba/smb.conf ./smb.conf.dc01

3. Create a backup output directory:

mkdir samba-domain-backup

4. Ensure that /etc/resolv.conf contains the IP address of dc01 as the nameserver.

5. Perform the backup:

samba-tool domain backup online \
    --server=dc01.ad.example.com \
    --configfile=smb.conf.dc01 \
    --realm=AD.EXAMPLE.COM \
    --username=administrator@AD.EXAMPLE.COM \
    --targetdir=samba-domain-backup