What the heck is really going on in these Lion LDAP vulnerability reports?
Solution 1:
Don't be alarmed. This is not a huge threat to enterprise networks which is suggested by this article in The Register.
Apple Lion is new, and thus this bug is getting a disproportionate amount of attention when compared to similar flaws on other operating systems. Here are some calmer descriptions of this same problem:
- "Mac OS X Lion fails to check passwords when authenticating via LDAP".
- Paul Ducklin from nakedsecurity.sophos.com wrote a more reasoned piece about this problem, and the hype behind it.
This is a local exploit on an Apple Lion system which affects that system only. Apple has yet to provide any details. Here's how I understand the problem: if someone logs into a Apple Lion system once successfully, then anyone else can log into the same system with any password. This is a serious problem for that system, but the damage is mostly limited to that particular system. Unfortunately that system is now less-trusted and may be on on your network.
This problem does NOT allow an a hacker to own your AD/LDAP servers, by and of itself. Your AD/LDAP servers will still reject any incorrect LDAP authorization request from any LDAP client. To bypass this would require a major flaw on the LDAP server or the LDAP protocol or a misconfigured server, which is a completely different issue then the problem described above.
Keep in mind that this problem only affects Apple Lion systems which use LDAP for authentication. In most organizations, this will be a very small number of clients. An Apple Lion server might be more vulnerable, but Apple needs to elaborate on the problem and they have not been very forthcoming about this issue, yet. Can you imagine RedHat holding back information on a publicly known vulnerability for such a long time?
Solution 2:
The problem with the vulnerability is pretty well explained in the article linked by slashdot.
The true problem is that once someone gets onto any Lion machine on the network that is using LDAP as it's Authorization method then, you can read the contents of the LDAP directory. Which would give you access to all accounts on the network that use central authentication. Additionally it gives you access to anything secured by the LDAP Authorization system. Basically, you now own everything on that network.
As a side note, i'm curious if it is a bug in the LDAP authorization or the underlying (probably kerboros) authentication system.
Also, if you are not using LDAP as your authorization source (OpenLDAP, Active Directory, NDS, etc) then you are not effected by this.
To answer you specific question:
Can anyone explain exactaly what is being secured by OpenLDAP
The answer is "It depends ..." on what your IT infrastructure has setup to use LDAP for authorization.