Update Information

SurgeLDAP has been sold to Alpha Centauri Software Ltd, they have improved and rebranded SurgeLDAP as SIDVault (Simple Integration Database Vault). Alpha Centauri Software Ltd develops and distributes advanced database and accounting untility software solutions that meet the needs of high demand Internet and Intranet providers for reliable, high performance software that is easy to administer. For more information please check out their site at:

www.alphacentauri.co.nz

1.0l

• Fixed: SurgeLDAP Crash if you disable replicate via web interface
• Fixed: Outlook 2003 Address book searching method.
  
  
• Updated: ./surgeldap -schema
  To cycle though all the bins and verify all records and fields.
  It also creates a file called 'schema.log' of the results it gets.
  
  
• Added: The ability to such the schemas and bins files from any setup replicate server.

1.0k

• Fixed: Message ID being larger than 127
• Fixed: CRC checking for replicators/Backup servers NOT to account for the RootDSE
• Fixed: The RootDSE from being mirrored or backup in ldif files.
• Fixed: SurgeLDAP rotating log linux freeze issue.
• Fixed: On linux machines taking up 99% of CPU usage.
• Fixed: Mirroring issue between windows and linux machines.
  
• Updated: Mirror to now verify/check CRC's on schema/field files between the servers as they MUST match for the mirror to correctly work. If they do not match it will disable the mirroring completely.
• Updated: Mirror setup to be easier via a web interface

1.0j

• Fixed: dn=dc=test.com,dc=example,dc=com
  being converted to:
  dn=dc=test\.com,dc=example,dc=com
  which is an invalid 'dn'
• Added: Upgrading now causes an database upgrade.
• Updated: user search page has been updated to do the search nicer.
• Updated: For searchs from 'Thunderbird' mail client to be accepted.
• Updated: Schema checking so that if the same field were defined but with different security ratings (ie HIDDENxx) it will default to the highest security but still accept the field.
• Added: Added new schema files:
  monzilla.dat
  inetmail.dat
  surgeldap.dat
• Added: The following Exteneded LDAP Protocols:
  1.2.840.113556.1.4.473 (LDAP Server Sort Result extesion)
  2.16.840.1.113730.3.4.9 (LDAP Extensions for Scrolling View Browsing of Search Results)
  The above are needed to work with OutLook 2003 LDAP address book.
  
  
• Security Fixes. (Denial of Service attacks)

1.0i

• Updated: import can failed if using 'utf8'
• Updated: netmeeting now can use: -map "||addr||,dc=example,dc=com"
  Which will ask the ldap server to verify it exists before continuing
  LDAPEXISTS: cn=lynden@netwin.co.nz,dc=example,dc=com
• Added: 'dc=RootDSE' entry automatically.
• Added INI Setting: default_dn - This is the default DN that is used when display
  'defaultNamingContext' which is part of the 'dc=RootDSE'.
• Added: 3 new schema files:
  rootdse.dat
  ms-extension.dat
  samba.dat

  Default installs now include these schemas:
  # MS/Outlook compatability
  #include open/ms-extension.dat

  # RootDSE
  #include open/rootdse.da

• Added: User.dat file can now be setup to allow 'dn' authents to be setup with basedn searches
  ie: *,dc=netwin,dc=co,dc=nz:*:dc=netwin,dc=co,dc=nz:SEARCH

1.0h

• Fixed: Security issue brought up by:
  http://www.securitytracker.com/alerts/2004/May/1010068.html
  http://www.securityfocus.com/bid/10294

• Added: Replicate CRC database checking. Generates log files in teh standard log folder.
  
• Added: admin_email - This is the SMTP server and email address of the admin.
  admin_email smtpserver:25 admin@domain.com
  This will cause variour emails to be sent to the admin on various conditions:

  1. The server crashed.
  2. When the LDAP Server is started.
  3. A Backup/Restore Command.
  4. Replicate Database CRC checks
  

• New INI setting: replicate_crc_check - Defaults to 3600 seconds this is how often it
  will checks CRC on the replicates.

1.0g

• Fixed: Bug when base_dn was only 1 level 'dc=com'
• Fixed: ILS - Netmeeting - Timeout Issues

• Updated: LDIF import feature to ignore case. Required when importing
  IPlanet Exported LDIF's
• Updated: To decode utf-8 enoded values on .ldif files.

• Added: The ability to have a LDIF generated on the fly of all database modifications.
  NEW ini setting: backup_ldif_file c:\surgeldap2\backup\
• Added: Also the ability to backup the entire database as it ever so often.
  This is implement in the same layout as linux cron jobs.
  NEW ini setting: backup_cron 0 12 * * *
  This will backup every day at 12:00pm: backup_cron 0 12 * * *
  Backup every sunday at 00:00: backup_cron 0 0 * * sun

1.0f

• Fixed: Key Registration Issue.
• Added: Extra code to ensure database stability

1.0e

This version Fixes the following reported security issues:

http://www.secunia.com/advisories/9483/
1) It is possible to cause the server to crash by requesting a long URL.
2) Usernames and passwords are stored in clear text in "surgeldap\user.dat".
3) The installation path is revealed if a non-existant file is requested.
4) The "cmd" parameter isn't properly verified in the "user.cgi" script, which allows trivial Cross Site Scripting attacks.

http://www.securiteam.com/windowsntfocus/5RP0I0UAUI.html
1) Disclosing the full path of the SurgeLDAP Server installation directory
2) CSS (Cross Site Scripting)
3) Denial of service
4) Clear text password storage

http://xforce.iss.net/xforce/xfdb/12899
http://xforce.iss.net/xforce/xfdb/12901
http://xforce.iss.net/xforce/xfdb/12902
http://xforce.iss.net/xforce/xfdb/12904
SurgeLDAP nonexistent file path disclosure
SurgeLDAP CGI scripts cross-site scripting
SurgeLDAP HTTP GET buffer overflow
SurgeLDAP users.dat file plaintext password

http://www.securityfocus.com/bid/8406
http://www.securityfocus.com/bid/8407
http://www.securityfocus.com/bid/8408
http://www.securityfocus.com/bid/8409
SurgeLDAP Path Disclosure Vulnerability
SurgeLDAP User.CGI Cross-Site Scripting Vulnerability
SurgeLDAP HTTP GET Denial Of Service Vulnerability
SurgeLDAP Insecure Password Storage Vulnerability

• Fixed: Server crashing for large URL request
• Updated: Any invalid URL's default to index.htm
• Update: Stop the full path being display for a request for an invalid html page.
• Update: Invalid 'cmd=..' now default to the top page of the CGI.
               admin.cgi -- Login page.
               user.cgi -- Login as guest
  
  
• Added: User.dat passwords are now encoded using {ssha}. You can still edit the user.dat and enter plain text passwords but SurgeLDAP will encode then next time it starts.
• Added: Modules can be setup to only allow stated IP's
  Layout: module type listern_IP listern_port timeout max_cur_con [mod_id [allowed_ips]]
• Added: New Schema data:
               IPObject (class)
               entryIP (Field)
  If an object is build from 'IPObject' the IP address that made the connection will be saved as part of the object.
• Added: Extra Module security to help against password checks and denial of service attacks.
  1) Limit Concurrent Connections per ip.
  2) Setting to 'ignore' requests if they excceed a certain rate per ip per time.
  3) Password Guessing is limited (limit guesses per ip per time)

  max_ip_connection mod_id number
  max_ip_rate mod_id number timeframe blocktime
  max_pass_guess mod_id number timeframe blocktime

1.0d

• Fixed: NetMeeting issues on Solaris system
  
• Update: Database Storage Layout.
• Update Installer: The installer will automatically update database versions.
• Update: Updated NetMeeting schema to support 'Portrait'
  As well as the netmeeting convertion program.
• Added: Paswords that are: {crypt}, {SSHA}, {SHA} encoded.
• Added: Backup and Replocating of SurgeLDAP to another SurgeLDAP server. (see manual)

1.0b

• Fixed: When using IE on the user interface when you add or deleted a item to the database the menu list ot the left was not updating automatically.
  This issue did not occur in Netscape.
• Fixed: Sucking from other LDAP server which limited the amount of data it provided, to atleast add the data that it did provide. Sucking now also optionally does the entire tree from the base location, or just 1 level. Also attempts to add the base object.

• Added: SurgeLDAP has been updated (server and admin templates) to allow 'LDIF' files to be user to enter data to the database.admin/suck.tpl
• Added: Added new command prompt to import ldiff files.
  ./surgeldap -import test.ldiff
• Added: Dynamic Records. Records that are defined using the objectClass: dynamicObject are automaticaly given a time out depending on the following ini setting:
  
  dynamic_subtrees "<wilddn>" <basetime>

  If the dn does not match then the object is NOT setup as a dynamic record.
  Once the time has run out then the record is then removed from the data base.

  The time is reset in the following ways:
  1. The record is modified.
  2. When the atttribute: 'entryTtl' is requested.

• Added: Shell Command. SurgeLDAP now supports shell commands where selected commands on selected domains cause an external program to be run with the command which can modify the command, It can either return back the modified command or tell SurgeLDAP that it was successfull. The ini setting for this is:

  shell id "wild_dn" "cmd=file_to_run" flags

  'cmd' can be:	search, add, modify, delete, modrn, check
  'flags' can be:	NONE - No extra action LDAP - The 'file_to_run' is the LDAP address to use. PROCESS - This will tell SurgeLDAP not only to process the external program (or LDAP server) but also preform the can command on SurgeLDAP.

  ie. shell main "*objectClass=RTPerson" "search=/usr/local/surgeldap/netmeeting -auth netmeeting mysecret" NONE

• Added: Microsoft NetMeeting Client - Support.
  With the use of the 2 new features: 'Dynamic Records' and 'Shell Command' and the new external file called: netmeeting
  
  SurgeLDAP now supports NetMeeting invalid LDAP requests.
  See SurgeLDAP documention on how to set this up

1.0a

• SurgeLDAP - Your Solution to Database Storage -
  
  SurgeLDAP is LDAP system which enables you to store large amounts of data accessable from many appications.