
Re: LDAP Crafted Search Request Access Allowed



On Mon, 27 Oct 2014 15:30:49 -0300,
Net Warrior <netwarrior863@gmail.com> wrote:

> Thanks for the answer, but, from the query I showed, you can see that
> the DIT is displayed ("namingContexts: dc=domain,dc=com"), and knowing
> that, I can run an ldapsearch -x pointing to the server with that base
> search, for example, and list all the domain users. Isn't that a
> security concern? I tested it and it works. How can I create an
> access list to prevent this, disable simple auth, or disable those
> anonymous queries?
> 
> Thanks for your time and support.

If you allow anonymous read access on a subtree, that might in fact be
a serious security issue, depending on the data.
You, or your management, should define a policy: WHO is allowed to do
WHAT on the directory's data. Based on this written and agreed policy,
access rules may be defined. These rules might be simple or paranoid,
but that is the art of directory management.

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
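A concrete set of access rules for the situation in the thread (an anonymous ldapsearch listing everything under dc=domain,dc=com), as an added example that is not part of the original exchange and not Dieter's or the OpenLDAP project's configuration. It assumes a cn=config-based slapd whose database entry is olcDatabase={1}mdb,cn=config (check your own index), the suffix dc=domain,dc=com from the thread, and a file name deny-anon.ldif; all three are assumptions.

```ldif
# Added example, not from the thread. cn=config LDIF that
#   (1) refuses anonymous binds and unauthenticated operations,
#   (2) keeps simple auth but requires TLS for it, and
#   (3) limits the dc=domain,dc=com subtree to authenticated users.
# Assumptions: database {1}mdb, suffix dc=domain,dc=com. Find yours with
#   ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config '(olcSuffix=*)' olcSuffix
# Apply with
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f deny-anon.ldif

# (1) and (2): global settings.
# disallow bind_anon  - anonymous bind requests are refused.
# require authc       - every operation needs an authenticated session;
#                       this also covers the rootDSE read, so unauthenticated
#                       clients no longer see namingContexts. Clients that
#                       rely on anonymous discovery will break; that is a
#                       policy decision, not a default to copy blindly.
# security simple_bind=128 - a simple bind is only accepted on a session
#                       with security strength factor >= 128 (TLS with a
#                       128-bit cipher). SASL EXTERNAL over ldapi:/// is not
#                       a simple bind and keeps working for administration.
dn: cn=config
changetype: modify
replace: olcDisallows
olcDisallows: bind_anon
-
replace: olcRequires
olcRequires: authc
-
replace: olcSecurity
olcSecurity: simple_bind=128
-

# (3): per-database ACLs. slapd evaluates olcAccess values in order and the
# first matching "to" clause decides, so the narrow userPassword rule comes
# first and the subtree catch-all last. "by anonymous auth" lets a not yet
# authenticated client present its password to bind, and nothing else.
# "replace" discards the existing ACLs: dump and review them first with
#   ldapsearch -Y EXTERNAL -H ldapi:/// -b 'olcDatabase={1}mdb,cn=config' olcAccess
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword
  by self write
  by anonymous auth
  by * none
olcAccess: {1}to dn.subtree="dc=domain,dc=com"
  by self write
  by users read
  by * none
-
```

After applying, repeat the test from the thread: an anonymous `ldapsearch -x -H ldap://server -b dc=domain,dc=com` should be rejected rather than listing the users, while `ldapsearch -ZZ -x -H ldap://server -D 'uid=someuser,ou=people,dc=domain,dc=com' -W -b dc=domain,dc=com` (the bind DN is an assumed example) still returns entries over TLS. If you want the rootDSE to stay readable for client discovery, drop `olcRequires: authc` and rely on the ACL alone; the subtree rule still denies anonymous reads, the only difference is that an anonymous search then returns no entries instead of an error.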