When an application fails to properly sanitize user input, it is possible to modify LDAP statements through techniques similar to SQL Injection.
Tag: Lightweight Directory Access Protocol
Sql ldap query
The problem was the Complex Query Processing. LDAP injection works in much the same manner as SQL injection, a type of security exploit in which …
Related:
AppSec Advisor: Injection Attacks
This includes vectors such as SQL injection (the most commonly known type), code injections, LDAP injection, and many more. Depending on the kind …
Related:
Custom Plugin & Attribute having issues with LDAP Lookup.
I need a solution
Hi All,
I’ve successfully integrated our proxy via ICAP which is feeding our Web Prevent Server.
I noticed the username was showing up as “local://sAMaccountname@domain.com”. I added a new plugin successfully which outputs Username=sAMaccountname after parsing the ‘sender-email’ argument. I then created a custom Attribute in our Employee field called “Username”. We did not have this value prior. My custom script successfully populates the new “Username” field.
My plugin Chain is as follows:
- Custom ICAP Username Parse
- LDAP
The exsting LDAP Plugin is as follows:
attr.Employee = :(|(mail=$sender-email$)(mail=$data-owner-email$)(sAMAccountName=$endpoint-user-name$)):displayName
attr.Employee Email = :(|(mail=$sender-email$)(mail=$data-owner-email$)(sAMAccountName=$endpoint-user-name$)):mail
attr.Employee FirstName = :(|(mail=$sender-email$)(mail=$data-owner-email$)(sAMAccountName=$endpoint-user-name$)):givenName
attr.Employee LastName = :(|(mail=$sender-email$)(mail=$data-owner-email$)(sAMAccountName=$endpoint-user-name$)):sn
attr.Employee Title = :(|(mail=$sender-email$)(sAMAccountName=$data-owner-email$)(sAMAccountName=$endpoint-user-name$)):title
attr.Employee Dept = :(|(mail=$sender-email$)(mail=$data-owner-email$)(sAMAccountName=$endpoint-user-name$)):department
attr.Employee Division = :(|(mail=$sender-email$)(mail=$data-owner-email$)(sAMAccountName=$endpoint-user-name$)):division
attr.Cost Center = :(|(mail=$sender-email$)(mail=$data-owner-email$)(sAMAccountName=$endpoint-user-name$)):ou
attr.TempManager = :(|(mail=$sender-email$)(mail=$data-owner-email$)(sAMAccountName=$endpoint-user-name$)):manager
attr.Supervisor First Name = :(distinguishedname=$TempManager$):givenName
attr.Supervisor Last Name = :(distinguishedname=$TempManager$):sn
attr.Supervisor Email = :(distinguishedname=$TempManager$):mailWhen I generate a new ICAP event, DLP successfully executes my custom plugin and fills in the attribute “Username” with what is parsed as the AD sAMaccoutname. All other fields are blank and from my understanding its due to my LDAP plugin missing the new field to lookup with.
1) I’ve tried to modify my LDAP lookup by adding (sAMAccountName=$Username$) but the lookup never works for Network Events and does not autopopulate or populate with a manual lookup. I may be doing this incorrectly but I tried multiple ways. I’m not sure if my order is maybe incorrect? I need some guidance here.
2) After this change, Endpoint Incidents do not populate any custom attribute fields and when i click on “Lookup” an error message occurs with “Custom Attribute Lookup failed”. I think this is due to my new custom attribute called “Username”
I think I’m missing something easy here but I’m not too sure at this point I’m getting confused. Maybe how I modified my LDAP plugin?
Any guidance at this point would be apperciated.
0
Related:
Classes used to prevent ldap injection in java
When an application fails to properly sanitize user input, it’s possible to modify LDAP statements through techniques similar to SQL Injection.
Related:
What is “LDAP no such user xxx” and “RADIUS IP attribute missing, packet dropped”
I need a solution
Hi
I just wonder what is the meaning of these logs because it is generated almost everyday and too many. I cannot find any KB or article about these logs. Is there a way to stop these logs?
Note: This is ProxyASG S400-30 Version 6.7.3.14
2019-07-26 15:29:13+07:00ICT "LDAP: no such user xxx" 5 250023:1 realm_ldap.cpp:3688
2019-07-26 15:29:08+07:00ICT "Session Monitor: RADIUS IP attribute missing, packet dropped." 0 32000A:96 radius_session_notification_monitor.cpp:582
Any help would be appreciated.
0
Related:
nFactor – LDAP in First Factor and WebAuth in Second Factor
Note: According to RFC6176 from Internet Engineering Task Force (ITEF), TLS servers must not support SSLv2. The NetScaler appliance does not support SSLv2 from release 12.1.
This article describes the following scenario:
-
First factor is configured for LDAP Authentication
-
Second Factor is configured for Web Authentication
These steps are described in detail in the following sections. The first section briefly introduces the entities that are encountered in this article, and in general for nFactor authentication. The next section pictographically demonstrates the flow. The following sections have example “LoginSchema” that can be used to realize the logon form, and the relevant configuration.
Entities used in nFactor
LoginSchema
Login Schema is an XML construct that is aimed at providing sufficient information to the UI tier so that it can generate user interface based on the information that is sent in this XML blob. Put another way, LoginSchema is a logical representation of logon form in XML medium.
It can be added as below:
add authentication loginSchema <name> -authenticationSchema <XML-Blob> -userExpression <Expression> -passwordExpression <Expression>
where authenticationSchema is a well-structured XML that defines the way login form is rendered. UserExpression is used to extract username from login attempt. Likewise passwordExpression is used to extract password.
Authentication Policylabel
Authentication Policy label is a collection of authentication policies for a particular factor. It is recommended that these are pseudo-homogenous policies, which means, the credentials received from user apply to all the policies in the cascade. However, there are exceptions to this when a fallback option is configured or feedback mechanism is intended.
Authentication policy labels constitute secondary/user-defined factors. With nFactor, there is no single “secondary” cascade. There could be “N” secondary factors based on configuration. There could be as many policy labels as desired and the number of factors for a given authentication is defined by the longest sequence of policylabels beginning with the virtual server cascade.
When we bind an authentication policy to authentication virtual server, we specify nextFactor, which represents a policylabel/factor that would be taken if the policy succeeds. Likewise, when policies are bound to policylabels, nextFactor specifies the next policylabel to continue if the policy succeeds.
It can be added as below:
add authentication policylabel <name> -loginSchema <loginSchemaName>
Where, loginSchemaName will be the login schema that we want to associate with this authentication factor.
We can bind authentication policies to this label.
bind authentication policylabel <name> -policy WebAuth –priority 10 –nextfactor <nextFactorLabelName>
Sequence Diagram
nFactor Flow Presentation
The setup can also be created through nFactor Visualizer present in ADC version 13.0 and above.
Description
-
User accesses the web site (<NetScaler Load Balancer FQDN>WebAuthSite.html), a request is sent to the NetScaler for the website.
-
As the Load Balancer is configured with authentication, it redirects user to authentication virtual server for authentication.
-
NetScaler responds with HTTP 302 with Location /logon/logonpoint/tmindex.html.
-
Client requests for /logon/logonpoint/tmindex.html.
-
NetScaler evaluates the Login schema (means to generate different authentication forms. More about login schema in the following section) settings and responds back to the client with the Authentication form.
-
User enters the user name, password and clicks on the Log on button to authenticate.
-
NetScaler constructs LDAP request and sends the request to the LDAP server for verification. Depending on the results from the LDAP server the NetScaler logic will perform appropriate action.
-
If the LDAP authentication fails, user is sent an appropriate message that describes the reason along with original login form.
-
If the LDAP authentication succeeds, then the NetScaler will verify the Next Factor settings. For this use case second factor does not have schema (pass-through). Passthrough factor implies that NetScaler will not prompt user for credentials but continue with previously obtained credentials. In this case, those are the ones obtained from first factor. So, NetScaler will evaluate the second factor for authentication policies.
-
-
If the second factor authentication policy evaluates to true, NetScaler crafts the Web authentication request and sends the request to back end Web authentication server, and takes appropriate action depending upon the response from server.
-
If the authentication succeed then the NetScaler will examine if any more Factors are defined. As in this case we have only configured second Factor, hence NetScaler completes authentication.
-
If the authentication fails, then NetScaler will send authentication failure to the user along with original authentication page.
-
-
On successful authentication NetScaler sends HTTP 200K with Set-Cookie NSC_TMAS and NSC_TMAA to the client.
Login form that users see can be rendered by the following xml blob. Labels and other fields can be customized as highlighted. Following is the example used for this specific representation of logon form:
Note: You can download the XML file from this article’s attachment.
<?xml version="1.0" encoding="UTF-8"?><AuthenticateResponse xmlns="http://citrix.com/authentication/response/1" ><Status >success </Status><Result >more-info</Result><StateContext/><AuthenticationRequirements><PostBack> /nf/auth/doAuthentication.do</PostBack ><CancelPostBack>/Citrix/Authentication/ExplicitForms/CancelAuthenticate</CancelPostBack><CancelButtonText>Cancel</CancelButtonText><Requirements><Requirement><Credential><ID>login</ID><SaveID>ExplicitForms-Username</SaveID><Type>username</Type></Credential><Label><Text>Enter Login Name:</Text><Type>plain</Type></Label><Input><AssistiveText>Please supply either username as saamaccountname</AssistiveText><Text><Secret>false</Secret><ReadOnly>false</ReadOnly><InitialValue></InitialValue><Constraint>.+</Constraint></Text></Input></Requirement><Requirement><Credential><ID>passwd</ID><SaveID>ExplicitForms-Password</SaveID><Type>password</Type></Credential><Label><Text>Password:</Text><Type>plain</Type></Label><Input><Text><Secret>true</Secret><ReadOnly>false</ReadOnly><InitialValue></InitialValue><Constraint>.+</Constraint></Text></Input></Requirement><Requirement><Credential><Type>none</Type></Credential><Label><Text>Please submit LDAP Credntials to continue Login ...</Text><Type>confirmation</Type></Label><Input /></Requirement><Requirement><Credential><ID>saveCredentials</ID><Type>savecredentials</Type></Credential><Label><Text>Remember my password</Text><Type>plain</Type></Label><Input><CheckBox><InitialValue>false</InitialValue></CheckBox></Input></Requirement><Requirement><Credential><ID>loginBtn</ID><Type>none</Type></Credential><Label><Type>none</Type></Label><Input><Button>Log On</Button></Input></Requirement></Requirements></AuthenticationRequirements></AuthenticateResponse>
All the customizable portions of the logon form are highlighted. Administrators can modify these values to suit their needs.
Configuration Through Visualizer:
1. Go To Security > AAA-Application Traffic > nFactor Visualizer > nFactor Flow and click on Add
2. Click on the + sign to add the nFactor Flow
3. Add Factor, this will be the name of the nFactor Flow
4. Add the schema for the first Factor by clicking on the Add Schema.
5. Choose the Schema for First Factor, that is Single Auth.
6. By clicking on add policy Add Policy for LDAP for the first factor
For more information on creating LDAP Authentication see ,Configuring LDAP Authentication
7. By clicking on green + sign add the Second factor
8. Another Factor box will be created to add the schema and Web Auth Policy, this is the Second Factor.
9. Following steps 4 and 5 add LSCHEMA_INT for pass-through schema and Web Auth Policy as shown below:
For more information on WebAuth Policy see, Web Authentication Policies
10. Click on Done. This will automatically save the configuration.
11. Select the nFactor Flow just created and bind it to a AAA Virtual Server by clicking on Bind to Authentication Server and the Create
NOTE : Bind and Unbind the nFactor Flow through the option given in nFactor Flow under Show Bindings only.
To unbind the nFactor Flow:
1. Select the nFactor Flow and Click on Show Bindings
2. Select the Authentication VServer and Click Unbind
Policies for this use case
Traffic Management:
add lb vserver LB-NFactor SSL 10.217.217.240 443 -persistenceType NONE -cltTimeout 180 -AuthenticationHost ION63.xmdfa.nsi-test.com -Authentication ON -authnVsName auth-NFactor
Authentication Virtual Server:
add authentication vserver auth-NFactor SSL 10.217.217.251 443 -AuthenticationDomain xmdfa.nsi-test.com
bind authentication vserver auth-NFactor -policy LDAP-loginSchema-pol -priority 1 -gotoPriorityExpression END
bind authentication vserver auth-NFactor -policy LDAPXMDFA-AdvPolicy -priority 2 -nextFactor WebAuth-Pol-Label -gotoPriorityExpression NEXT
LDAP Policy:
add authentication ldapAction XMADDFAIP -serverIP 10.217.217.5 -serverPort 636 -ldapBase “dc=xmdfa,dc=nsi-test,dc=com” -ldapBindDn administrator@xmdfa.nsi-test.com -ldapBindDnPassword e16dca9ac052375bb87fa4dd41e62f9fc85d96e52c3ebb5a7e7227ffd1424e46 -encrypted -encryptmethod ENCMTHD_3 -ldapLoginName cn -secType SSL -ssoNameAttribute sAMAccountName -passwdChange ENABLED -defaultAuthenticationGroup ch.etit.hedani.net_SSODomainSet -Attribute1 mail
add authentication Policy LDAP-XMDFA -rule true -action XMADDFAIP
Web Auth policy:
add authentication webAuthAction webAuthXMDFA -serverIP 10.217.217.5 -serverPort 80 -fullReqExpr q{“GET / HTTP/” + http.req.version.major + “.” + http.req.version.minor.sub(1) + “rnAccept:*/*rnhost:nsi-dc1-2008.nsi-test.comrn” + “Authorization:” + “”Basic “+ (HTTP.REQ.USER.NAME.append(“:”).APPEND(http.req.user.passwd).B64ENCODE)rnrn”} -scheme http -successRule “http.res.status.eq(200)”
add authentication webAuthPolicy WebAuthXMDA-pol1 -rule ns_true -action webAuthXMDFA
add authentication Policy WebAuth2-Advance -rule true -action webAuthXMDFA
add authentication policylabel WebAuthNoschema -loginSchema No-Schema-Passthrough
bind authentication policylabel WebAuth-Pol-Label -policyName WebAuth2-Advance -priority 2 -gotoPriorityExpression NEXT
The preceding configuration describes adding a Traffic Management virtual server for resource access, adding Authentication virtual server for securing Traffic Management virtual server, and relevant policies for this use-case. The portions highlighted in Yellow are to be replaced with appropriate authentication policies by the administrators. The GOTO Priority expression by default is NEXT, so that we fall down to the next policy if it fails.
Important ns.log messages
Jul 31 18:54:56 <local0.debug> 127.0.0.2 08/01/2015:01:54:56 GMT 0-PPE-2 : default SSLVPN Message 727 0 : "core 2: ns_get_username_password: loginschema gleaned is LDAP-Auth "Jul 31 18:54:56 <local0.debug> 127.0.0.2 08/01/2015:01:54:56 GMT 0-PPE-2 : default SSLVPN Message 728 0 : "aaad_authenticate_req: copying policylabel name auth-NFactor to aaa info, type 33 for auth "Jul 31 18:54:56 <local0.debug> 127.0.0.2 08/01/2015:01:54:56 GMT 0-PPE-2 : default AAATM Message 729 0 : "copying next factor WebAuth-Pol-Label in aaa info for administrator "Jul 31 18:54:56 <local0.debug> 127.0.0.2 08/01/2015:01:54:56 GMT 0-PPE-0 : default AAATM Message 716 0 : "mp creating session on 0, pck 0, state 8"Jul 31 18:55:56 <local0.debug> 127.0.0.2 08/01/2015:01:55:56 GMT 0-PPE-2 : default SSLLOG SSL_HANDSHAKE_SUCCESS 730 0 : SPCBId 667 - ClientIP 10.252.113.101 - ClientPort 56655 - VserverServiceIP 10.217.217.251 - VserverServicePort 443 - ClientVersion TLSv1.2 - CipherSuite "AES-256-CBC-SHA SSLv2 Non-Export 256-bit" - Session NewJul 31 18:55:56 <local0.info> 127.0.0.2 08/01/2015:01:55:56 GMT 0-PPE-2 : default SSLVPN Message 731 0 : "LOGIN: CGI/LOGIN: Continuing auth for user administrator at factor WebAuth-Pol-Label with login schema WebAuth"Jul 31 18:55:56 <local0.debug> 127.0.0.2 08/01/2015:01:55:56 GMT 0-PPE-2 : default SSLVPN Message 732 0 : "aaad_authenticate_req: copying policylabel name WebAuth-Pol-Label to aaa info, type 65 for auth "Jul 31 18:55:56 <local0.debug> 127.0.0.2 08/01/2015:01:55:56 GMT 0-PPE-2 : default AAATM Message 733 0 : "Authentication delegated to Packet engine for administrator, trying to find appropriate action with bitmask 1 "Jul 31 18:55:56 <local0.debug> 127.0.0.2 08/01/2015:01:55:56 GMT 0-PPE-2 : default AAATM Message 734 0 : "Authentication delegated to Packet engine for administrator, chosen action is webAuthXMDFA "Jul 31 18:55:56 <local0.info> 127.0.0.2 08/01/2015:01:55:56 GMT 0-PPE-2 : default SSLVPN Message 735 0 : "WEBAUTH: AAAD delegated WebAuth to Packet Engine, beginning web authentication"Jul 31 18:55:56 <local0.debug> 127.0.0.2 08/01/2015:01:55:56 GMT 0-PPE-2 : default SSLVPN Message 736 0 : "WEBAUTH: Primary webauth request being tried, action: webAuthXMDFA "Jul 31 18:55:56 <local0.debug> 127.0.0.2 08/01/2015:01:55:56 GMT 0-PPE-2 : default SSLVPN Message 737 0 : "WEBAUTH: Successfully sent webauth request, GET / HTTP/1.0^M Accept:*/*^M host:nsi-dc1-2008.nsi-test.com^M Authorization:"Basic "+ (HTTP.REQ.USER.NAME.append(":").APPEND(http.req.user.passwd).B64ENCODE)^M ^M "Jul 31 18:55:56 <local0.info> 127.0.0.2 08/01/2015:01:55:56 GMT 0-PPE-2 : default SSLVPN Message 738 0 : "WEBAUTH: Response from server 0x5d9d90a: response type 401 header len 246 contentlen 1293 payload HTTP/1.1 401 Unauthorized^M Content-Type: text/html^M Server: Microsoft-IIS/8.5^M WWW-Authenticate: Basic realm="nsi-dc1-2008.nsi-test.com"^M X-Powered-By: ASP.NET^M Date: Sat, 01 Aug 2015 09:55:55 GMT^M Connection: keep-alive^M Content-Length: 1293^M ^M <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">^M <html xmlns="http://www.w3.org/1999/xhtml">^M <head>^M <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>^M <title>401 - Unauthorized: Access is denied due to invalid credentials.</title>^M <style type="text/css">^M <!--^M body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}^M fieldset{padding:0 15px 10px 15px;} ^M h1{font-size:2.4em;margin:0;color:#FFF;}^M h2{font-size:1.7em;margin:0;color:#CC0000;} ^M h3{font-siJul 31 18:55:56 <local0.debug> 127.0.0.2 08/01/2015:01:55:56 GMT 0-PPE-2 : default SSLVPN Message 739 0 : "WEBAUTH: Evaluating success rule for primary webauth action webAuthXMDFA "Jul 31 18:55:56 <local0.debug> 127.0.0.2 08/01/2015:01:55:56 GMT 0-PPE-2 : default SSLVPN Message 741 0 : "WEBAUTH: Primary webauth request being tried, action: webAuthXMDFA "
Related:
Add multiple Basic Authentication LDAP policies/servers to Gateway or LB VIP
The best way to add additional LDAP servers for authentication is to add another LDAP Authentication Policy which is associated with another LDAP server and then bind that new policy to your Gateway or LB VIP.
This article only works with Basic Authentication with LDAP but if you have an Authentication Profile on Gateway the process below will not work.
For Basic Authentication Policies with LDAP:
Log into the Netscaler GUI.
Click on “Citrix Gateway” (or Traffic Management -> Load Balancing) -> Virtual Server -> select your virtual server where you wish to add more LDAP servers.
Under “Basic Authentication” click on the LDAP Policy (If no policy exists you will create one here). Select the policy and click “Edit Server”. Make sure to copy the settings so that they are the same on the second LDAP server/policy you are about to create. Click Close.
For the existing Policy, write down the Priority value. You will want this to be the same for the new LDAP servers unless you specifically want a lower priority.
Select “Add Binding”. Change the Priority to match the one you just wrote down. Then click “Add” next to “Select Policy”
Create a Name for the policy. Make the Expression in the lower box: NS_TRUE
Click on “Add” next to Server selection box. Add all the server details for the second LDAP server. They should all be the same except for the IP address of the new server. Click on “Create”.
Click “Create” on the LDAP Policy page to create the policy with the new server.
Click on “Bind” to bind the policy with the set priority.
Now you should see two LDAP policies with the same priority and different policy names.
Next to Select Policy press the “Add” button and on the next screen click “Add’ to create a new LDAP policy.
PLEASE NOTE: These LDAP policies will NOT Round Robin. The first LDAP server will always be used unless it cannot authenticate, it goes down, or is otherwise unavailable. Only then will the second LDAP server be used.
Related:
ProxySG | LDAP authentication multiple domain in 1 forest
I need a solution
Dear All,
Can I ask if ProxySG (VM) can do LDAP authentication in a multiple domain in 1 forest?
For example, customers have domain A and domain B, which are in the same forest, and there is a case sometimes where there is a user at the branch A to temporarily move to working at branch B.
So still want Authentication and receiving the policy that box proxy on the branch B, like the branch A
(ProxySG Appliances of customers are located in both branches)
Please recommend solution for this case.
If you would like more information please let me know.
Thank you so much for your help.
Best Regards,
Chakuttha R.
0
Related:
“Failure – Probe time out” When Configuring Citrix ADC LDAP Monitor for Service Group
It is a best practice to reduce the returned values to a small number. For Active Directory LDAP systems the filter can be set to cn=Builtin that returns minimal results.
To make this change using ADCGUI, go to Traffic Management > Load balancing > Monitors > edit the LDAP Monitor and add CN=Builtin as filter.
To make this change using ADC CLI:
add lb monitor MonitorName -scriptName nsldap.pl -dispatcherIP 127.0.0.1 -dispatcherPort 3013 -password password -encrypted -encryptmethod ENCMTHD_3 -LRTM ENABLED -baseDN "DC=dom,DC=com" -bindDN "CN=UserName,OU=CustomOU,DC=com,DC=com" -filter CN=Builtin