Connect to OpenLDAP server with Perl

This little code example in Perl shows how to connect to an OpenLDAP server using the ldaps protocol. It tries several servers and uses the first one it can connect to.

#!/usr/bin/perl
use strict;

use Net::LDAP;
use Net::LDAP::Extension::WhoAmI;
# LDAPS is basically the same as the LDAP-Module using ldaps:// URIs
#use Net::LDAPS;

my $userName = 'USERNAME';
my $passWord = 'PASSWORD';

my @Servers = ("server1", "server2", "server3");
my $ldap = undef;

# Code = 34, Name: LDAP_INVALID_DN_SYNTAX (dn is not a full path)
# Code = 48, Name: LDAP_INAPPROPRIATE_AUTH (empty dn or password)
# Code = 49, Name: LDAP_INVALID_CREDENTIALS (wrong dn or password)
sub lErr {
  my $mesg = shift;
  printf STDERR "Error: %sn", $mesg->error();
  printf STDERR "Error Code: %sn", $mesg->code();
  printf STDERR "Error Name: %sn", $mesg->error_name();
  printf STDERR "Error Text: %s", $mesg->error_text();
  printf STDERR "Error Description: %sn", $mesg->error_desc();
  printf STDERR "Server Error: %sn", $mesg->server_error();
}

foreach my $server (@Servers) {
  $ldap = Net::LDAP->new("ldaps://$server:636",
  verify => 'require',
  inet4 => 1,
  timeout => 3,
  cafile => '/etc/ssl/certs/ldap_slapd_cacert.pem' );

  if($ldap) {
    print "Ok connecting to $servern";
    last;
  }
  else {
    print "Error connecting to $server: $@n";
  }
}

if($ldap) {
  print "Now connected to " . $ldap->host() . "n";
}
else {
  exit -1;
}
my $mesg = $ldap->bind("uid=$userName,ou=People,dc=example,dc=com",
  password => "$passWord");
if($mesg->is_error()) {
  exit $mesg->code;
}

# Using $ldap->bind again after $ldap->unbind doesn't work
$ldap->unbind;

There is also an option to connect to an array of servers with only one function call. It basically does the same thing: Looping through a list of servers and use the first successful connection. But you have to be careful, there is a known bug if “verify” is set to “optional” (s. https://rt.cpan.org/Public/Bug/Display.html?id=118477).

Certificate Authorities (CA) in Google Chrome / Chromium and Firefox on Linux

Firefox ships with its own set of root CAs (“Builtin Object Token” as the Security Device in advanced preference settings). Here is the list of all root CAs included in Firefox along with their fingerprints:
https://mozillacaprogram.secure.force.com/CA/IncludedCACertificateReport

Builtin root CAs are hardcoded in /usr/lib/firefox/libnssckbi.so . You can see a list of all CAs in Firefox preferences (advanced settings).

CAs marked as “Software Security Device” are usually intermediate certificates that are downloaded from websites and stored locally. These CAs that are not builtin are either stored on a PKCS#11 compatible smartcard attached to your PC/laptop or saved to your home directory:
certutil -d $HOME/.mozilla/firefox/xxx.default -L

Chromium / Google Chrome does not ship with its own CA list but uses the CAs from the underlying operating system:
https://www.chromium.org/Home/chromium-security/root-ca-policy

In Ubuntu 16.04 these CAs are hardcoded in /usr/lib/x86_64-linux-gnu/nss/libnssckbi.so which is part of the package “libnss3”. You should therefore update this package as soon as there is an update available to keep your builtin CA list up-to-date.

CAs that are not builtin and that you installed manually are stored in your home directory:
certutil -d sql:$HOME/.pki/nssdb -L

Important things to note:

• The security of SSL encrypted websites (https://…) depends on the root CA which is used to sign the website certificate. These CAs are stored locally on your device in different locations based on the browser you are using.
• There are 2 kinds of CAs:
  1. Builtin CAs that ship with your browser or linux installation. They are stored in shared object files. There is probably no easy way to edit this list unless you change the source files and recompile the package. Nevertheless in both browsers you can remove all trust from a builtin certificate which is basically the same as deleting it.
  2. Manually added CAs are stored in your home directory. You can easily edit that list within the settings of the browser or on the command line.
• Both Firefox and Chromium / Google Chrome use NSS certificate databases to store manually added CAs that are not builtin. But they use different directories. Maybe you could use symbolic links to point both directories to the same database. That way both browsers would be using the same manual CA list.Currently Firefox uses by default the legacy dbm database version (cert8.db, key3.db) and Chromium / Google Chrome uses by default the new SQLite database version (cert9.db, key4.db). There seems to be an environment variable NSS_DEFAULT_DB_TYPE that makes Firefox use the new SQLite database version as well (s. https://wiki.mozilla.org/NSS_Shared_DB_Howto).
• Neither Firefox nor Chromium / Google Chrome are using CAs from the package “ca-certificates“.

How to download Twitter videos (animated GIFs)

There are 2 types of Twitter videos: animated GIFs and real videos. This post is about animated GIFs. They have the text “GIF” printed on them when they are not playing.

To download animated GIFs there doesn’t seem to be an easy way in Google Chrome unless you use an extension.

In Firefox:

• open the tweet
• right click on the video
• choose “This Frame” -> “Page Info”
• Under “Media” choose the mp4-file and click “Save As…”

 

Password encryption in OpenLDAP

Passwords in OpenLDAP are SSHA encrypted by default (Salted SHA1).

Changing it to SHA512 (salted with 16 Bytes):

olcPasswordHash: {CRYPT},{SSHA}
olcPasswordCryptSaltFormat: "$6$%.16s"

Or if you want to increase the number of rounds:

olcPasswordHash: {CRYPT},{SSHA}
olcPasswordCryptSaltFormat: "$6$rounds=2000000$%.16s"

This will still accept already existing passwords that are SSHA encrypted. New or changed passwords will be SHA512 encrypted. The max. number of rounds is 9 999 999. This increases computational time to create a password hash in order to prevent brute force attacks.

For this to work, the GNU C library has to support SHA512:
– /etc/login.defs: ENCRYPT_METHOD SHA512
– man pam_unix (should include sha512)

Also OpenLDAP has to be compiled with crypt support (–enable-crypt).

SHA512 passwords for LDAP can be generated with slappasswd:

slappasswd -c '$6$%.16s'

Important things to note:

• OpenLDAP provides its own native SHA-2 password module supporting SHA512, but that one lacks support for modifying rounds.
• OpenLDAP also provides a module for the key derivation function PBKDF2. Currently there are no reliable sources on the internet which suggest that PBKDF2 is more secure than salted SHA512 with rounds.
• The next step up would be using key derivation function scrypt or Argon2 because they impose much higher requirements on memory.