[389-users] LDAP allows null bases

Rob Crittenden rcritten at redhat.com
Wed Mar 11 14:04:50 UTC 2015


Ludwig Krispenz wrote:
> Hi,
> 
> in my opinion this is not a security issue, but a feature compliant to
> the LDAP RFCs. A server should expose a minimal set of information about
> itself, e.g. supported controls, SASL mechanisms, namingContexts, even to
> anonymous users - and many applications rely on this.
> If you really want to turn this off, you need to modify the ACI for the
> "dn:" entry

He might also want to look at nsslapd-allow-anonymous-access to disable
all anonymous access to the server. I agree that being able to read the
rootDSE probably isn't a big deal.

rob

> 
> Ludwig
> 
> On 03/11/2015 11:23 AM, Kay Cee wrote:
>> All clients connecting to our 389-ds server showed up this
>> vulnerability on the scan. How do I fix this on my 389-ds server?
>>
>> LDAP allows null bases
>>
>> Risk:High
>> Application:ldap
>> Port:389
>> Protocol:tcp
>> ScriptID:10722
>> Summary:
>> It is possible to disclose LDAP information.
>> Description :
>> Improperly configured LDAP servers will allow the directory BASE to be
>> set to NULL. This allows information to be culled without any prior
>> knowledge of the directory structure. Coupled with a NULL BIND, an
>> anonymous user can query your LDAP server using a tool such as
>> 'LdapMiner'
>>
>> Solution:
>> Disable NULL BASE queries on your LDAP server
>> CVSS Base Score : 5.0
>> Family name: Remote file access
>> Category: infos
>> Copyright: Copyright (C) 2000 John Lampe....j_lampe at bellsouth.net
>> Summary: Check for LDAP null base
>> Version: $Revision: 128 $
>>
>>
>>
>> --
>> 389 users mailing list
>> 389-users at lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/389-users
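To confirm that a change to nsslapd-allow-anonymous-access or to the rootDSE ACI actually took, the scanner's check can be reproduced by hand. The following is an added example, not code from this thread or from 389-ds: it sends an anonymous simple bind followed by a base-scope search of the empty base "", using only the Python standard library, and returns whichever rootDSE attributes the server hands back. The function names, the default attribute list and the host you pass to probe() are all my own choices.

```python
import socket

def ber(tag, payload):
    """One BER TLV: short-form length below 128 bytes, else 1-byte long form (requests stay < 256)."""
    n = len(payload)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else b"\x81" + bytes([n])) + payload

def anonymous_bind(msg_id=1):
    """LDAPMessage{BindRequest [APPLICATION 0]}: version 3, empty name, simple auth, empty password."""
    return ber(0x30, ber(0x02, bytes([msg_id])) + ber(0x60, ber(0x02, b"\x03") + ber(0x04, b"") + ber(0x80, b"")))

def null_base_search(attrs, msg_id=2):
    """LDAPMessage{SearchRequest [APPLICATION 3]}: baseObject "", scope baseObject, (objectClass=*)."""
    op = (ber(0x04, b"") + ber(0x0A, b"\x00") * 2 + ber(0x02, b"\x00") * 2  # base "", scope, deref, size, time
          + ber(0x01, b"\x00") + ber(0x87, b"objectClass")                   # typesOnly FALSE, present filter [7]
          + ber(0x30, b"".join(ber(0x04, a.encode()) for a in attrs)))     # requested attribute list
    return ber(0x30, ber(0x02, bytes([msg_id])) + ber(0x63, op))

def decode(buf):
    """BER -> list of (tag, value); constructed tags (bit 0x20) carry a list of children."""
    out, i = [], 0
    while i < len(buf):
        tag, n, i = buf[i], buf[i + 1], i + 2
        if n & 0x80:  # long form: low 7 bits give the count of big-endian length octets
            k = n & 0x7F
            n, i = int.from_bytes(buf[i:i + k], "big"), i + k
        out.append((tag, decode(buf[i:i + n]) if tag & 0x20 else buf[i:i + n]))
        i += n
    return out

def entry_attributes(message):
    """{attr: [values]} from a decoded LDAPMessage; {} unless its op is SearchResultEntry (0x64)."""
    parts = message[1]  # (0x30, [messageID, protocolOp]) -> [messageID, protocolOp]
    if len(parts) < 2 or parts[1][0] != 0x64:
        return {}
    _, (_, attrs) = parts[1][1]  # SearchResultEntry ::= { objectName, PartialAttributeList }
    return {name.decode(): [v.decode() for _, v in vals] for _, ((_, name), (_, vals)) in attrs}

def probe(host, port=389, attrs=("namingContexts", "supportedSASLMechanisms")):
    """Bind anonymously, search base ""; return what the rootDSE discloses ({} if no entry came back)."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(anonymous_bind() + null_base_search(list(attrs)))
        data, chunk, msgs = b"", b"?", []
        while chunk and not any(len(m[1]) > 1 and m[1][1][0] == 0x65 for m in msgs):  # SearchResultDone or EOF
            chunk = s.recv(65536)
            data += chunk
            try:
                msgs = decode(data)
            except IndexError:  # a message boundary has not been reached yet
                msgs = []
    return {k: v for m in msgs for k, v in entry_attributes(m).items()}
```

The equivalent one-liner with the OpenLDAP tools is ldapsearch -x -H ldap://HOST -b "" -s base namingContexts; run either before and after the configuration change so you can see exactly what an unauthenticated client still learns.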