<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Hi,<br>
<br>
In my opinion this is not a security issue, but a feature compliant
with the LDAP RFCs. A server should expose a minimal set of
information about itself, e.g. supported controls, saslmechanisms,
namingcontexts, even to anonymous users - and many applications rely
on this.<br>
If you really want to turn this off, you need to modify the aci for
the "dn:" entry.<br>
<br>
Ludwig<br>
<br>
<div class="moz-cite-prefix">On 03/11/2015 11:23 AM, Kay Cee wrote:<br>
</div>
<blockquote
cite="mid:CAMMfn4GX0fRLvviDqQGHDKwTwdUwvzeaiqyu+uf3V-LYYhpHmQ@mail.gmail.com"
type="cite">
<div dir="ltr">All clients connecting to our 389-ds server showed
up this vulnerability on the scan. How do I fix this on my
389-ds server?
<div><br>
</div>
<div>LDAP allows null bases<br>
</div>
<div><br>
</div>
<div>
<div>Risk:High</div>
<div>Application:ldap</div>
<div>Port:389</div>
<div>Protocol:tcp</div>
<div>ScriptID:10722</div>
<div>Summary:</div>
<div>It is possible to disclose LDAP information.</div>
<div>Description :</div>
<div>Improperly configured LDAP servers will allow the
directory BASE to be set to NULL. This allows information to
be culled without any prior knowledge of the directory
structure. Coupled with a NULL BIND, an anonymous user can
query your LDAP server using a tool such as 'LdapMiner' </div>
<div><br>
</div>
<div>Solution:</div>
<div>Disable NULL BASE queries on your LDAP server</div>
<div>CVSS Base Score : 5.0</div>
<div>Family name: Remote file access</div>
<div>Category: infos</div>
<div>Copyright: Copyright (C) 2000 John <a
moz-do-not-send="true"
href="mailto:Lampe....j_lampe@bellsouth.net">Lampe....j_lampe@bellsouth.net</a></div>
<div>Summary: Check for LDAP null base</div>
<div>Version: $Revision: 128 $</div>
</div>
<div><br>
</div>
</div>
<br>
<pre wrap="">--
389 users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:389-users@lists.fedoraproject.org">389-users@lists.fedoraproject.org</a>
<a class="moz-txt-link-freetext" href="https://admin.fedoraproject.org/mailman/listinfo/389-users">https://admin.fedoraproject.org/mailman/listinfo/389-users</a></pre>
</blockquote>
<br>
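Added example, not part of the original messages: a Python sketch that takes the LDIF returned by an anonymous base-scope search on the empty DN (the root DSE entry the scan finding refers to) and separates the attributes RFC 4512 defines for that entry from everything else, which is the list to review before changing the aci. The function names are hypothetical, and the sample LDIF and all of its values are constructed.

```python
import base64

# Root DSE attributes defined in RFC 4512 section 5.1, lower-cased for matching.
RFC4512_ROOT_DSE = set(
    "altserver namingcontexts supportedcontrol supportedextension "
    "supportedfeatures supportedldapversion supportedsaslmechanisms".split())

# Constructed sample of an anonymous root DSE search result; all values made up.
SAMPLE_LDIF = """\
# constructed root DSE result
dn:
namingContexts: dc=example,dc=com
supportedControl: 1.2.840.113556.1.4.319
supportedSASLMechanisms: EXTERNAL
supportedLDAPVersion: 3
vendorName: Example Directory Ven
 dor (constructed)
""" + "vendorVersion:: " + base64.b64encode(b"example-ds/0.0 (constructed)").decode() + "\n"

def parse_ldif_entry(text):
    """Parse one LDIF entry into (dn, {lower-cased attribute: [values]})."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]            # RFC 2849 folded continuation line
        elif raw:
            lines.append(raw)
    dn, attrs = None, {}
    for line in lines:
        if line.startswith("#"):            # comment (checked after unfolding)
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):            # "attr:: <base64 value>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs.setdefault(name.lower(), []).append(value)
    return dn, attrs

def triage_root_dse(ldif_text):
    """Return (RFC 4512 attributes, other attributes, all values) for a root DSE."""
    dn, attrs = parse_ldif_entry(ldif_text)
    if dn != "":                            # the root DSE is the entry with the empty DN
        raise ValueError("not the root DSE: dn=%r" % (dn,))
    standard = sorted(a for a in attrs if a in RFC4512_ROOT_DSE)
    return standard, sorted(set(attrs) - set(standard)), attrs
```
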
</body>
</html>