Hey everyone! I have been using FreeIPA for two months now. I asked for an internal pentest, and the pentesters found this: without authentication they can obtain information about our FreeIPA (which uses LDAP as its backend, as you know).
ldapsearch -x -b "dc=example,dc=com" -H ldap://10.0.0.9:389 "(objectClass=*)"
Is there any way to protect it? How can I achieve that?
Update: I followed this tutorial and it seems to be working now: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/htm...
[root@-freeipa /]# ldapmodify -x -D "cn=Directory Manager" -W -H ldap://10.0.0.9:389
Enter LDAP Password:
dn: cn=config
changetype: modify
replace: nsslapd-allow-anonymous-access
nsslapd-allow-anonymous-access: rootdse

modifying entry "cn=config"
[root@-freeipa /]# ipactl restart
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting httpd Service
Restarting ipa-custodia Service
Restarting pki-tomcatd Service
Restarting ipa-otpd Service
ipa: INFO: The ipactl command was successful
[root@-freeipa /]# ldapsearch -x -b "dc=example,dc=com" -H ldap://10.0.0.9:389 "(objectClass=*)"
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (objectClass=*)
# requesting: ALL
#

# search result
search: 2
result: 48 Inappropriate authentication
text: Anonymous access is not allowed.
On Wed, Sep 27, 2023 at 1:30 PM Duarte Petiz duarte.petiz@jscrambler.com wrote:
Hey everyone! I have been using FreeIPA for two months now. I asked for an internal pentest, and the pentesters found this: without authentication they can obtain information about our FreeIPA (which uses LDAP as its backend, as you know).
ldapsearch -x -b "dc=example,dc=com" -H ldap://10.0.0.9:389 "(objectClass=*)"
Is there any way to protect it? How can I achieve that?
--
Kind Regards,
Duarte Petiz | DevOps Team Lead | jscrambler.com
freeipa-users@lists.fedorahosted.org
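An added verification helper, not part of the original post or of FreeIPA itself: it re-runs the pentesters' anonymous search against a server and classifies the reply, and also checks that the root DSE stays readable after the `rootdse` setting (clients still need it to discover the server). It assumes the OpenLDAP `ldapsearch` client is installed on the host running it; the URI and base DN are passed in, the values in the post being the obvious ones.

```shell
#!/bin/sh

# Classify captured output of an anonymous (-x) ldapsearch run:
# "denied" (result 48), "allowed" (result 0), or "unknown".
classify_anon_result() {
    if printf '%s\n' "$1" | grep -q '^result: 48 '; then
        echo denied
    elif printf '%s\n' "$1" | grep -q '^result: 0 '; then
        echo allowed
    else
        echo unknown
    fi
}

# Entries an anonymous search returned (0 when nothing came back).
count_entries() {
    n=$(printf '%s\n' "$1" | sed -n 's/^# numEntries: \([0-9]*\)$/\1/p')
    echo "${n:-0}"
}

# The two checks that matter after nsslapd-allow-anonymous-access: rootdse.
# $1 = LDAP URI (e.g. ldap://10.0.0.9:389), $2 = base DN (dc=example,dc=com).
# Expected: root DSE still "allowed" (clients discover the server through
# it), the directory tree "denied" with 0 entries.
check_anon_access() {
    root=$(ldapsearch -x -H "$1" -s base -b '' '(objectClass=*)' 2>&1)
    tree=$(ldapsearch -x -H "$1" -b "$2" '(objectClass=*)' 2>&1)
    echo "rootdse: $(classify_anon_result "$root")"
    echo "tree:    $(classify_anon_result "$tree"), $(count_entries "$tree") entries"
}

# Constructed samples of ldapsearch output, used for offline testing.
SAMPLE_DENIED='# search result
search: 2
result: 48 Inappropriate authentication
text: Anonymous access is not allowed.'

SAMPLE_ALLOWED='dn: dc=example,dc=com
objectClass: domain

# search result
search: 2
result: 0 Success

# numEntries: 1'

if [ $# -eq 2 ]; then
    check_anon_access "$1" "$2"
fi
```

Run it as `sh check_anon.sh ldap://10.0.0.9:389 dc=example,dc=com` from a client host; a "tree: allowed" line with a non-zero entry count means the directory is still readable without a bind.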