User Collisions Between Linux System and LDAP Server – What Happens?

Tags: exploit, openldap, user-accounts

I have an (Open)LDAP Server running on a Debian system inside my LAN, and multiple systems running Linux Mint, configured as LDAP Clients.

Here is the content of my /etc/nsswitch.conf:

passwd:         compat ldap
group:          compat ldap
shadow:         compat ldap
gshadow:        files

hosts:          files mdns4_minimal [NOTFOUND=return] dns myhostname
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       ldap

My question is: What happens if the LDAP Server introduces user collisions (uid/username)?
Can this be exploited to gain root access on the clients?
Is the LDAP Server the single-point-of-failure in this regard?
Can this be prevented?

I know I asked 4 questions, but all of them are on the same topic: "user collisions".

Thanks!

Best Answer

  • Collision with uid: If user A from LDAP and user B from /etc/passwd have the same UID, both can access the files of the other - effectively they are the same user.
  • Collision with username: When logging in, the first database will be queried. In your example, an LDAP user could not log in.
  • Root exploit: If you have a UID collision and one of the users has sudo rights or something similar, the other user will have them as well (as I said, they are effectively the same user).
  • LDAP is not the point of failure in this - you can even have multiple usernames with the same uid in just /etc/passwd. Preventing this means making sure you have no collisions before connecting to LDAP and, afterwards, only adding users to LDAP, not to local files (except for service accounts). This is your responsibility and the system does not protect you in this case.
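The check the answer says is "your responsibility", as an added example that is not part of the question or the answer above: a POSIX sh script that compares the local passwd database with what the LDAP NSS source returns and reports both kinds of collision (same username in both sources, same UID under different names). The find_collisions function works on any two passwd(5)-format files; check_live assumes glibc's getent, whose -s flag queries a single NSS source; the account lines in demo() are constructed sample data, not real accounts.

```sh
#!/bin/sh
# Added example: report UID and username collisions between the local
# passwd database and the entries the LDAP NSS source returns.
# This is not code from the question or the answer above.
# Input: two files in passwd(5) format (name:pw:uid:gid:gecos:home:shell).

# find_collisions LOCAL_FILE LDAP_FILE
#   Prints "uid <uid> <localname> <ldapname>" for every UID that maps to
#   different names in the two sources, and "name <name> <localuid> <ldapuid>"
#   for every username present in both. Returns 1 if anything was found.
find_collisions() {
    awk -F: '
        # First file: remember local uid -> name and name -> uid.
        FILENAME == ARGV[1] {
            if (NF >= 3) { local_uid[$3] = $1; local_name[$1] = $3 }
            next
        }
        NF < 3 { next }
        {
            name = $1; uid = $3
            # Same username in both sources: nsswitch order decides which
            # one wins, so the other entry is shadowed.
            if (name in local_name) {
                found = 1
                print "name", name, local_name[name], uid
            }
            # Same UID, different name: the kernel only sees the number,
            # so these are effectively one account (files, sudo rules, ...).
            if (uid in local_uid && local_uid[uid] != name) {
                found = 1
                print "uid", uid, local_uid[uid], name
            }
        }
        END { exit found ? 1 : 0 }
    ' "$1" "$2"
}

# check_live: run the comparison on this client. Assumes glibc getent,
# whose -s flag queries a single NSS source (here: files and ldap).
check_live() {
    tmp=$(mktemp -d) || return 2
    getent -s files passwd > "$tmp/local" || { rm -rf "$tmp"; return 2; }
    getent -s ldap passwd  > "$tmp/ldap"  || { rm -rf "$tmp"; return 2; }
    find_collisions "$tmp/local" "$tmp/ldap"
    rc=$?
    rm -rf "$tmp"
    return "$rc"
}

# demo: constructed sample data (not real accounts) showing both kinds of
# collision: local "bob" has UID 1000, LDAP gives UID 1000 to "alice" and
# also defines its own "bob" with UID 2001. "carol" is clean.
demo() {
    tmp=$(mktemp -d) || return 2
    printf '%s\n' \
        'root:x:0:0:root:/root:/bin/bash' \
        'bob:x:1000:1000:Bob Local:/home/bob:/bin/bash' > "$tmp/local"
    printf '%s\n' \
        'alice:x:1000:2000:Alice LDAP:/home/alice:/bin/bash' \
        'bob:x:2001:2000:Bob LDAP:/home/bob:/bin/bash' \
        'carol:x:2002:2000:Carol LDAP:/home/carol:/bin/bash' > "$tmp/ldap"
    find_collisions "$tmp/local" "$tmp/ldap"
    rc=$?
    rm -rf "$tmp"
    return "$rc"
}

demo || :
```

Run it once before pointing a client at the LDAP server and again whenever a local account is created; a non-zero exit from check_live means a collision exists and the affected UID or name has to be changed on one side before the client is trusted. Because getent -s reads each NSS source directly, the check is independent of the order in nsswitch.conf and therefore also catches the shadowed entry that a plain getent passwd would hide.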