In my opinion this is not a security issue, but a feature compliant with the LDAP RFCs. A server should expose a minimal set of information about itself, e.g. supported controls, SASL mechanisms, naming contexts, even to anonymous users, and many applications rely on this.
If you really want to turn this off, you need to modify the ACI for the "dn:" entry.
Ludwig
On 03/11/2015 11:23 AM, Kay Cee wrote:
All clients connecting to our 389-ds server showed up this vulnerability on the scan. How do I fix this on my 389-ds server?
LDAP allows null bases
Risk: High
Application: ldap
Port: 389
Protocol: tcp
ScriptID: 10722
Summary: It is possible to disclose LDAP information.
Description: Improperly configured LDAP servers will allow the directory BASE to be set to NULL. This allows information to be culled without any prior knowledge of the directory structure. Coupled with a NULL BIND, an anonymous user can query your LDAP server using a tool such as 'LdapMiner'.
Solution: Disable NULL BASE queries on your LDAP server
CVSS Base Score: 5.0
Family name: Remote file access
Category: infos
Copyright: Copyright (C) 2000 John Lampe....j_lampe@bellsouth.net
Summary: Check for LDAP null base
Version: $Revision: 128 $
-- 389 users mailing list 389-users@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/389-users
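The two steps Ludwig's reply points at, as an added example that is not part of the thread or of 389-ds itself: first see exactly what the root DSE (base "", scope base) hands out to an anonymous bind, which is all the scanner's "null base" check does, then, if you decide to restrict it, swap the anonymous ACI on the "dn:" entry for one limited to authenticated users. It assumes the server's current root DSE ACI is the default-looking string used in the test and that the entry can be modified online as Directory Manager; LDAP_HOST is a placeholder.

```shell
#!/bin/sh
# Added example; not code from the mailing list thread or from the 389-ds project.
HOST="${LDAP_HOST:-ldap://localhost:389}"   # placeholder: point at your own server

# Step 1: audit. Anonymous (-x, no -D) base-scope search with an empty base DN.
# Whatever comes back here is what any unauthenticated client can read.
check_rootdse_anon() {
  ldapsearch -x -H "$HOST" -b "" -s base "(objectClass=*)" \
    namingContexts supportedControl supportedSASLMechanisms supportedLDAPVersion
}

# Step 2: mitigation. Emit LDIF that deletes the existing root DSE ACI (passed in
# verbatim, since the delete must match exactly) and adds one whose subject is
# "ldap:///all" (authenticated users) instead of "ldap:///anyone" (anyone, incl. anonymous).
# Assumption: your dse.ldif "dn:" entry carries an ACI of this shape; copy the real one.
rootdse_aci_ldif() {
  old_aci="$1"
  cat <<EOF
dn:
changetype: modify
delete: aci
aci: $old_aci
-
add: aci
aci: (targetattr != "aci")(version 3.0; aci "rootdse authenticated read access"; allow(read,search,compare) userdn="ldap:///all";)
EOF
}

# Usage (nothing runs when called without arguments):
#   sh rootdse.sh check
#   sh rootdse.sh ldif '<current aci string>' | ldapmodify -x -H "$LDAP_HOST" -D "cn=Directory Manager" -W
case "${1:-}" in
  check) check_rootdse_anon ;;
  ldif)  rootdse_aci_ldif "$2" ;;
esac
```

Re-run the check afterwards; the anonymous search should now fail or return nothing, and, as the reply warns, any client that discovers naming contexts or SASL mechanisms before binding will break too.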