T 3.52 Errors in the configuration of intranet client access to Novell eDirectory

When using the eDirectory directory service on the intranet of an organisation, corresponding clients are required for distributed user access to the system. Here, there is a separate client software for each of the different operating systems:

• Novell client for Windows operating system,
• client library for Linux,
• client library for Sun Solaris.

Client access to the eDirectory directory service is performed using the proprietary NDAP protocol (Novell Directory Access Protocol). On the one hand, this protocol is based on the Novell NCP protocol that may be operated using IP or IPX.

When using the Novell client for Windows to gain access to the eDirectory tree (or an eDirectory object), the user name and the password must be transmitted to the client. Then, the client browses the eDirectory for the corresponding object and transmits the private key of this object that is encrypted with the user password. On the client side, the user password is used in order to decrypt the private key and this is used to calculate a so-called credential and a signature. The private key is then deleted from the client's memory and only the credential and the signature are maintained. These can then be used for additional "background synchronisations" with other objects or services. For this, the user must no longer interact and therefore uses a single sign-on.

With the help of a so-called zero knowledge method, the credential and the signature are used to generate a proof (proof) that is transmitted to the destination system. The destination system can use this proof to verify the client's identity. The advantage of this method is that the signature is not expressly transmitted using the network, which results in less potential points of attack.

Nevertheless, certain attack scenarios, so-called man-in-the-middle attacks, have become known, which are rather of a theoretical nature, though, since significant technical effort is required to perform such an attack.

Regardless of this, serious security problems may occur, if

• the authentication mechanisms for the client access are inadequate,
• unauthorised access to the eDirectory directory and its objects is possible, or
• administrator privileges for the directory service can be misused or obtained without authorisation.