On 03/11/2015 03:04 PM, Rob Crittenden wrote:
> Ludwig Krispenz wrote:
>> In my opinion this is not a security issue, but a feature compliant to
>> the ldap rfcs. A server should expose a minimal set of information about
>> itself, e.g. supported controls, saslmechanisms, namingcontexts even to
>> anonymous users - and many applications rely on this.
>> If you really want to turn this off, you need to modify the aci for the
>> "dn:" entry
> He might also want to look at nsslapd-allow-anonymous-access to disable
> all anonymous access to the server. I agree that being able to read the
> rootDSE probably isn't a big deal.
In RFC 4513 it explicitly states:
LDAP servers SHOULD allow all clients --
even those with an anonymous authorization -- to retrieve the
'supportedSASLMechanisms' attribute of the root DSE both before and
after the SASL authentication exchange. The purpose of the latter is
to allow the client to detect possible downgrade attacks (see Section
6.4 and [RFC4422], Section 6.1.2).
>> On 03/11/2015 11:23 AM, Kay Cee wrote:
>>> All clients connecting to our 389-ds server showed up this
>>> vulnerability on the scan. How do I fix this on my 389-ds server?
>>> LDAP allows null bases
>>> It is possible to disclose LDAP information.
>>> Description :
>>> Improperly configured LDAP servers will allow the directory BASE to be
>>> set to NULL. This allows information to be culled without any prior
>>> knowledge of the directory structure. Coupled with a NULL BIND, an
>>> anonymous user can query your LDAP server using a tool such as
>>> Disable NULL BASE queries on your LDAP server
>>> CVSS Base Score : 5.0
>>> Family name: Remote file access
>>> Category: infos
>>> Copyright: Copyright (C) 2000 John Lampe....j_lampe(a)bellsouth.net
>>> Summary: Check for LDAP null base
>>> Version: $Revision: 128 $
>>> 389 users mailing list
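Rob's pointer to nsslapd-allow-anonymous-access, worked through as a small POSIX shell helper. This is an added example, not code from the thread or from the 389-ds project. It assumes the OpenLDAP command-line clients (ldapsearch, ldapmodify), a server URI supplied in the LDAP_URI environment variable (constructed for this example), and the default "cn=Directory Manager" bind DN. The three accepted values on, off and rootdse are the ones 389-ds defines for this attribute: rootdse keeps the root DSE readable, which is what the RFC 4513 passage above asks for, while blocking anonymous searches under the real suffixes; off rejects anonymous clients entirely.

```shell
#!/bin/sh
# Added example, not from the 389-users thread or the 389-ds project.
# Assumptions (constructed): server URI in $LDAP_URI, Directory Manager as
# the admin bind DN, OpenLDAP client tools on PATH.

# Anonymous base-scope search of the root DSE: this is exactly the "null base"
# query the scanner flags. Listing the attributes RFC 4513 expects clients to
# read lets you confirm they survive the hardening below.
anonymous_rootdse_check() {
    uri="$1"
    ldapsearch -x -LLL -H "$uri" -b "" -s base \
        supportedSASLMechanisms namingContexts supportedControl supportedLDAPVersion
}

# Anonymous search below a suffix. After setting the mode to "rootdse" or
# "off" this should fail instead of listing entries; if it still returns
# DNs, anonymous data access is still open.
anonymous_subtree_check() {
    uri="$1"
    suffix="$2"
    ldapsearch -x -LLL -H "$uri" -b "$suffix" -s sub "(objectClass=*)" dn
}

# Accept only the values 389-ds defines for nsslapd-allow-anonymous-access.
valid_anon_mode() {
    case "$1" in
        on|off|rootdse) return 0 ;;
        *) return 1 ;;
    esac
}

# Emit the LDIF that sets the mode on cn=config. Pipe it into ldapmodify
# as Directory Manager; the server honours the new value for new connections.
anon_access_ldif() {
    valid_anon_mode "$1" || { echo "invalid mode: $1" >&2; return 1; }
    printf 'dn: cn=config\nchangetype: modify\nreplace: nsslapd-allow-anonymous-access\nnsslapd-allow-anonymous-access: %s\n' "$1"
}

# Stand-alone run: always print the LDIF; only talk to a server when
# LDAP_URI is set, so the script is safe to execute offline.
anon_access_ldif rootdse
if [ -n "${LDAP_URI:-}" ]; then
    anonymous_rootdse_check "$LDAP_URI"
    anon_access_ldif rootdse | ldapmodify -x -H "$LDAP_URI" -D "cn=Directory Manager" -W
    anonymous_subtree_check "$LDAP_URI" "${LDAP_SUFFIX:-dc=example,dc=com}"
fi
```

After applying the change, rerun anonymous_rootdse_check to confirm supportedSASLMechanisms still comes back anonymously (the downgrade-detection case RFC 4513 describes), and anonymous_subtree_check to confirm the suffix is no longer browsable. The ACI route Ludwig mentions is the finer-grained alternative when only particular root DSE attributes should be hidden rather than all anonymous access below the suffixes.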