Null Search Base
- To: openldap-technical@openldap.org
- Subject: Null Search Base
- From: ldap@mm.st
- Date: Wed, 09 Mar 2011 16:34:16 -0700
A security scanner was run against our LDAP servers and came back with a
warning stating "The remote LDAP server supports search requests with a
null, or empty, base object. This allows information to be retrieved
without any prior knowledge of the directory structure. Coupled with a
NULL BIND, an anonymous user may be able to query your LDAP server using
a tool . . ."
I'm not overly concerned with the warning, but I was a little confused
about what the scanner was referring to. I used the following search in an
effort to somewhat duplicate what the scanner was sending and what
information is retrieved, and was hoping someone could comment on whether I was
on track. I assume the warning is due to the namingContexts attribute and,
if desired, an ACL could be set up to stop the retrieval of the
information. This is on a RH5 OpenLDAP 2.3 server.
ldapsearch -x -s base -b '' -H ldap://my.lapdap.server "(objectClass=*)" "*" +
I got back this:
#
dn:
objectClass: top
objectClass: OpenLDAProotDSE
structuralObjectClass: OpenLDAProotDSE
configContext: cn=config
namingContexts: o=mydomain
supportedControl: 1.3.6. .....
. . . .
supportedControl: 1.3.6. .....
supportedLDAPVersion: 3
entryDN:
subschemaSubentry: cn=Subschema
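The scanner's probe, reproduced on the wire as an added example (this is not code from the post or from the OpenLDAP project): an anonymous simple bind (the "NULL BIND") followed by a base-scope search on the empty DN, which is exactly what the ldapsearch command above sends, plus a small BER decoder for the reply. The BER encoder and decoder are hand-rolled here instead of using an LDAP library so the two PDUs are visible byte for byte; `sample_rootdse_response()` builds a constructed reply shaped like the output in the post (it was not captured from a real server), and `query_rootdse()` is a hypothetical helper for running the same exchange against a live host.

```python
"""Anonymous bind + null-base search, the two PDUs behind the scanner warning."""
import socket


def ber(tag, content):
    """Encode one BER TLV with a definite length (short or long form)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def ber_int(v):
    """INTEGER, minimal two's-complement encoding (enough for message IDs)."""
    return ber(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))


def ber_str(s, tag=0x04):
    return ber(tag, s.encode())


def anon_bind_request(msgid=1):
    """BindRequest [APPLICATION 0]: version 3, empty name, simple auth, empty password.
    This is the 'NULL BIND' the scanner text refers to."""
    bind = ber_int(3) + ber_str("") + ber(0x80, b"")
    return ber(0x30, ber_int(msgid) + ber(0x60, bind))


def null_base_search_request(msgid=2, attrs=("*", "+")):
    """SearchRequest [APPLICATION 3] equal to: ldapsearch -s base -b '' '(objectClass=*)' '*' +"""
    body = (ber_str("")                  # baseObject "" -> the rootDSE
            + ber(0x0A, b"\x00")         # scope: baseObject
            + ber(0x0A, b"\x00")         # derefAliases: neverDerefAliases
            + ber_int(0) + ber_int(0)    # sizeLimit, timeLimit: unlimited
            + ber(0x01, b"\x00")         # typesOnly: FALSE
            + ber(0x87, b"objectClass")  # filter: present, i.e. (objectClass=*)
            + ber(0x30, b"".join(ber_str(a) for a in attrs)))
    return ber(0x30, ber_int(msgid) + ber(0x63, body))


def iter_tlv(buf):
    """Yield (tag, content) for each BER TLV in buf."""
    pos = 0
    while pos < len(buf):
        tag, n, pos = buf[pos], buf[pos + 1], pos + 2
        if n & 0x80:
            k = n & 0x7F
            n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
        yield tag, buf[pos:pos + n]
        pos += n


def parse_search_result(data):
    """Decode SearchResultEntry / SearchResultDone PDUs -> ([(dn, {attr: [vals]})], resultCode)."""
    entries, result_code = [], None
    for _, msg in iter_tlv(data):
        (_, _msgid), (op, body) = list(iter_tlv(msg))[:2]
        if op == 0x64:                                   # SearchResultEntry [APPLICATION 4]
            (_, dn), (_, attrlist) = list(iter_tlv(body))[:2]
            attrs = {}
            for _, attr in iter_tlv(attrlist):
                (_, name), (_, vals) = list(iter_tlv(attr))[:2]
                attrs[name.decode()] = [v.decode(errors="replace") for _, v in iter_tlv(vals)]
            entries.append((dn.decode(), attrs))
        elif op == 0x65:                                 # SearchResultDone [APPLICATION 5]
            result_code = list(iter_tlv(body))[0][1][0]  # first element is the resultCode
    return entries, result_code


def rootdse_leaks(entries):
    """rootDSE attributes that let an anonymous client map the directory without prior knowledge."""
    interesting = ("namingContexts", "configContext", "subschemaSubentry")
    return [a for dn, attrs in entries if dn == "" for a in interesting if a in attrs]


def sample_rootdse_response():
    """CONSTRUCTED server reply to message 2, shaped like the ldapsearch output in the post."""
    def attr(name, *vals):
        return ber(0x30, ber_str(name) + ber(0x31, b"".join(ber_str(v) for v in vals)))
    entry = ber_str("") + ber(0x30, attr("objectClass", "top", "OpenLDAProotDSE")
                                   + attr("namingContexts", "o=mydomain")
                                   + attr("supportedLDAPVersion", "3"))
    done = ber(0x0A, b"\x00") + ber_str("") + ber_str("")  # resultCode success, matchedDN, diagnosticMessage
    return ber(0x30, ber_int(2) + ber(0x64, entry)) + ber(0x30, ber_int(2) + ber(0x65, done))


def recv_message(sock):
    """Read exactly one BER-framed LDAPMessage from a socket."""
    def exact(n):
        buf = b""
        while len(buf) < n:
            chunk = sock.recv(n - len(buf))
            if not chunk:
                raise ConnectionError("connection closed mid-message")
            buf += chunk
        return buf
    head = exact(2)
    n = head[1]
    if n & 0x80:
        head += exact(n & 0x7F)
        n = int.from_bytes(head[2:], "big")
    return head + exact(n)


def query_rootdse(host, port=389, timeout=5):
    """Hypothetical live probe: returns (entries, resultCode) from a real server (not run offline)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(anon_bind_request(1))
        _, body = list(iter_tlv(list(iter_tlv(recv_message(s)))[0][1]))[1]  # BindResponse
        if list(iter_tlv(body))[0][1][0] != 0:
            raise PermissionError("anonymous bind refused by server")
        s.sendall(null_base_search_request(2))
        data = b""
        while parse_search_result(data)[1] is None:
            data += recv_message(s)
        return parse_search_result(data)
```

Running `rootdse_leaks(*parse_search_result(sample_rootdse_response())[:1])` on the constructed reply returns `['namingContexts']`, which is the attribute the scanner is pointing at: it hands an anonymous client the suffix to start walking from. In OpenLDAP the rootDSE is subject to the normal ACLs, so a `access to dn.base=""` clause in slapd.conf decides who may read it, and `disallow bind_anon` refuses the anonymous bind itself; before tightening either, check which of your clients rely on reading namingContexts or the rootDSE during server discovery.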