[389-users] LDAP allows null bases

Ludwig Krispenz lkrispen at redhat.com
Wed Mar 11 13:49:26 UTC 2015


Hi,

in my opinion this is not a security issue, but a feature compliant with 
the LDAP RFCs. A server should expose a minimal set of information about 
itself, e.g. supported controls, SASL mechanisms, naming contexts, even to 
anonymous users - and many applications rely on this.
If you really want to turn this off, you need to modify the ACI for the 
"dn:" entry.

Ludwig

On 03/11/2015 11:23 AM, Kay Cee wrote:
> All clients connecting to our 389-ds server showed this 
> vulnerability on the scan. How do I fix this on my 389-ds server?
>
> LDAP allows null bases
>
> Risk:High
> Application:ldap
> Port:389
> Protocol:tcp
> ScriptID:10722
> Summary:
> It is possible to disclose LDAP information.
> Description :
> Improperly configured LDAP servers will allow the directory BASE to be 
> set to NULL. This allows information to be culled without any prior 
> knowledge of the directory structure. Coupled with a NULL BIND, an 
> anonymous user can query your LDAP server using a tool such as 
> 'LdapMiner'
>
> Solution:
> Disable NULL BASE queries on your LDAP server
> CVSS Base Score : 5.0
> Family name: Remote file access
> Category: infos
> Copyright: Copyright (C) 2000 John Lampe....j_lampe at bellsouth.net
> Summary: Check for LDAP null base
> Version: $Revision: 128 $
>
>
>
> --
> 389 users mailing list
> 389-users at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users
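Ludwig's point above is that the root DSE (the entry with an empty DN, the "dn:" entry) is readable anonymously by design, and that restricting it is an ACI change on that entry rather than a bug fix. The following Python is an added example, not code from this thread or from the 389-ds project: it takes a 389-ds style ACI string, decides whether it grants anonymous (`ldap:///anyone`) read or search access, and emits the LDIF an administrator would feed to `ldapmodify` to replace the root DSE ACI with one limited to authenticated users (`ldap:///all`). The two ACI strings are constructed samples modelled on the usual default and a tightened variant; the exact wording on a given server will differ, so read the live value with `ldapsearch` before changing anything.

```python
import re

# Constructed sample ACIs for the root DSE ("dn:" entry). The first is modelled
# on the common default that lets anonymous clients read everything but the
# aci attribute; the second restricts the same rights to authenticated users.
# Both are illustrative, not copied from a real dse.ldif.
ACI_ANON_READ = (
    '(targetattr != "aci")(version 3.0; acl "rootdse anon read access"; '
    'allow(read,search,compare) userdn="ldap:///anyone";)'
)
ACI_AUTH_ONLY = (
    '(targetattr != "aci")(version 3.0; acl "rootdse authenticated read access"; '
    'allow(read,search,compare) userdn="ldap:///all";)'
)

# Matches one bind rule of the form: allow(read,search) userdn="ldap:///anyone"
_RULE_RE = re.compile(
    r'(?P<effect>allow|deny)\s*\((?P<rights>[^)]*)\)\s*'
    r'(?P<subject>userdn|groupdn)\s*=\s*"(?P<target>[^"]*)"',
    re.IGNORECASE,
)


def parse_aci_rules(aci: str):
    """Return a list of (effect, rights, subject_type, subject_value) tuples
    for every allow/deny clause found in the ACI string."""
    rules = []
    for m in _RULE_RE.finditer(aci):
        rights = {r.strip().lower() for r in m.group("rights").split(",") if r.strip()}
        rules.append((m.group("effect").lower(), rights,
                      m.group("subject").lower(), m.group("target")))
    return rules


def anonymous_can_read_rootdse(aci: str) -> bool:
    """True when the ACI lets an unauthenticated client read or search the
    entry. A deny clause for ldap:///anyone wins over an allow clause, which
    mirrors ACI evaluation order (deny takes precedence)."""
    allowed = False
    for effect, rights, subject, target in parse_aci_rules(aci):
        if subject != "userdn" or target != "ldap:///anyone":
            continue
        if not rights & {"read", "search", "all"}:
            continue
        if effect == "deny":
            return False
        allowed = True
    return allowed


def rootdse_aci_modify_ldif(new_aci: str) -> str:
    """LDIF for ldapmodify that replaces the aci on the root DSE. The DN is
    empty, so the first line is just 'dn:'. Assumed usage:
      ldapmodify -x -H ldap://host -D "cn=Directory Manager" -W -f rootdse.ldif
    Note that 'replace' drops every existing aci on the entry; list all the
    ACIs you want to keep if the server carries more than one."""
    return "dn:\nchangetype: modify\nreplace: aci\naci: " + new_aci + "\n"


if __name__ == "__main__":
    for label, aci in (("current (sample default)", ACI_ANON_READ),
                       ("tightened", ACI_AUTH_ONLY)):
        state = "readable" if anonymous_can_read_rootdse(aci) else "not readable"
        print(f"{label}: root DSE {state} by anonymous clients")
    print(rootdse_aci_modify_ldif(ACI_AUTH_ONLY))
    # To check the live server, an anonymous base search on the empty DN
    # (this is what the scanner does) shows what is currently exposed:
    #   ldapsearch -x -H ldap://host -s base -b "" "(objectClass=*)" \
    #       namingContexts supportedSASLMechanisms supportedControl
```

Keep Ludwig's caveat in mind before applying the tightened ACI: clients commonly read the root DSE anonymously to discover naming contexts, StartTLS support and SASL mechanisms before they bind, so applications that depend on that discovery step will break once anonymous read is removed. Run the `ldapsearch` above both anonymously and with a bind after the change to confirm that only the authenticated query still returns the attributes.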
