
Re: Howto fix LDAP Nullbind vulnerability (part II)



At 07:25 PM 12/26/2002, Rafael Angarita wrote:
>    In short the questions are:
>    1. What is a NullBind?

As I noted above, I believe they use this term to refer to an
anonymous bind.

>    2. What should I add to my slapd.conf file to fix it.

In 1.2, there is no way to disable the bind itself.  Instead
one restricts access to directory information using ACLs.

>    3. How can I test this running an ldapsearch?

Don't specify -D nor -W/-w and attempt to read the directory.
Your ACLs should protect what you don't want accessed.


>    Thanks for your help,
>
>    PS: I'm using openldap 1.2.13

You might consider using a more recent version...





>> For 1.2, I suggest you check out the U-Mich LDAP Guide
>> <http://www.umich.edu/~dirsvcs/ldap/doc/guides/slapd/>,
>> browse really old archives of this list, and ACL
>> example in the test directory.  Or toy with examples for
>> 2.0/2.1 which can be found in later documentation and
>> the FAQ (many should work just fine in 1.2).
>>
>> Kurt
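
The test described above (search without -D or -W/-w, then see what comes back) can be scripted. This is an added example, not part of the original message or of OpenLDAP: it reads the LDIF from an anonymous ldapsearch and lists entries that exposed a sensitive attribute. The host, base DN, attribute list and sample data are assumptions.

```sh
#!/bin/sh
# Added example. Produce the input with no bind DN and no password, e.g.
# (host and base are assumed placeholders; -L asks for LDIF output):
#   ldapsearch -L -h ldap.example.com -b "dc=example,dc=com" "(objectclass=*)" > anon.ldif
# OpenLDAP 2.x clients also need -x to request a simple bind.

# Attributes treated as sensitive (assumption; extend for your schema).
SENSITIVE=${SENSITIVE:-userpassword}

# Reads LDIF on stdin. Prints "dn<TAB>attribute" once for every sensitive
# attribute that the anonymous search was allowed to read.
audit_anon_ldif() {
    awk -v list="$SENSITIVE" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        /^$/    { dn = ""; next }          # blank line ends an entry
        /^[ #]/ { next }                   # folded continuation or comment
        {
            i = index($0, ":"); if (i == 0) next
            name = tolower(substr($0, 1, i - 1))
            sub(/;.*/, "", name)           # drop attribute options
            if (name == "dn") {
                dn = substr($0, i + 1); sub(/^:? */, "", dn); next
            }
            if ((name in want) && !seen[dn, name]++) print dn "\t" name
        }'
}

# Constructed sample: what a server with permissive ACLs might return.
sample_ldif() {
cat <<'EOF'
dn: cn=Alice Example,dc=example,dc=com
cn: Alice Example
userPassword: {crypt}constructed-value
mail: alice@example.com

dn: cn=Bob Example,dc=example,dc=com
cn: Bob Example
EOF
}

# With a file argument audit that file, otherwise audit the sample.
if [ "$#" -gt 0 ]; then audit_anon_ldif < "$1"; else sample_ldif | audit_anon_ldif; fi
```

Empty output means none of the listed attributes were readable anonymously; any line printed names an entry whose ACLs need tightening.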