
Re: Disable NULL BASE queries



Hi,

Shawn McKinney <smmtech@sbcglobal.net> writes:

> Greetings All,
>
> I am running a standalone, non-replicated instance of OpenLDAP v 2.1.22 on a Sun E250
> server with Solaris 2.8 installed.  Currently the box is being used for testing purposes.
> My problem is as follows:
>
> We are running the slapd instance in our corporate extranet.  Subsequent security scans by
> an independent security contractor have detected what is described as a security hole in our
> LDAP server.  The exact verbiage of their report is:
>
> Improperly configured LDAP servers will allow the directory BASE
> to be set to NULL. This allows information to be
> culled without any prior knowledge of the directory
> structure. Coupled with a NULL BIND, an anonymous
> user can query your LDAP server using a tool such
> as 'LdapMiner'
>
> Solution: Disable NULL BASE queries on your LDAP server
>
> Risk factor : Medium
>
> I have disabled NULL binds but can't find any documentation outlining how to "Disable NULL
> BASE queries" on this server.  Anyone have any ideas?  We want to be able to use OpenLDAP
> but if I can't figure this problem out we may need to use another product.
>
> Thanks,
>
> Shawn

That requirement is violating RFC 2251, section 3.4.
You could set
access to dn.base="" by users read
access to dn.base="cn=Subschema" by users read
but that is rubbish, as you have to allow anonymous read of your
rootDSE, otherwise no application will get knowledge of your
operational attributes.
Only rootdn can write, so you have to protect rootpw properly and only
allow strong binds for rootdn.

-Dieter

-- 
Dieter Kluenter  | Systemberatung
Tel:040.64861967 | Fax: 040.64891521
mailto: dkluenter(at)dkluenter.de
http://www.avci.de
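An added illustration, not part of Dieter's reply or of OpenLDAP's own documentation: an slapd.conf ACL fragment that places the two "by users read" lines quoted above (commented out, since they break clients that probe the rootDSE anonymously) beside the alternative the reply argues for, which keeps the rootDSE and cn=Subschema world-readable and restricts the DIT itself to authenticated users. It assumes slapd.conf syntax of the OpenLDAP 2.1 line, a hypothetical suffix dc=example,dc=com, and that anonymous binds are disabled as Shawn describes.

```conf
# --- Constructed example slapd.conf fragment (assumed suffix, not from the thread) ---
database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
# rootpw must be a hashed value kept out of world-readable files; placeholder here.
rootpw          {SSHA}PLACEHOLDER-HASH

# Shawn has already disabled NULL (anonymous) binds; this is the directive that does it.
disallow        bind_anon

# Variant that would satisfy the scanner's "disable NULL BASE queries" finding.
# It hides the rootDSE and the subschema subentry from unauthenticated clients, which
# RFC 2251 section 3.4 expects to be readable, so clients that discover supported
# controls, naming contexts and schema before binding stop working. Left disabled.
#access to dn.base=""             by users read
#access to dn.base="cn=Subschema" by users read

# Alternative: rootDSE and subschema stay readable by everyone; the DIT does not.
access to dn.base=""             by * read
access to dn.base="cn=Subschema" by * read

# Passwords: the owner may change them, and "auth" access for anonymous is still
# required so that a simple bind can be evaluated even though anonymous binds are refused.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# Everything else in the DIT: authenticated users only. Anonymous clients that set
# base="" and then walk the naming contexts get nothing below the rootDSE.
access to *
        by users read
        by * none
```

With this in place an anonymous search with base "" and scope base still returns the rootDSE (as it should), while a subtree search from the naming context returns no entries until the client has bound.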