[Date Prev][Date Next] [Chronological] [Thread] [Top]

Null Search Base

To: openldap-technical@openldap.org
Subject: Null Search Base
From: ldap@mm.st
Date: Wed, 09 Mar 2011 16:34:16 -0700
Dkim-signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=messagingengine.com; h=message-id:from:to:mime-version:content-transfer-encoding:content-type:subject:date; s=smtpout; bh=xvcO9ijitc/SGzo+2sR43ghd2aU=; b=qhDC6HQ6hdFcK7/SXsr7fFg2gicFIbxhy8e/fYU+NeD8a/eiAaPf1Gsh4Y9NyOkqWGBT6o7kAyMGwb6547FJFHYaRAHupejxlxBfcmjRTjdwumLYYJeraDNluZnn/A6tvK0OQ3qLu+T+iu7qooLnq2JSsedfQiTxM477svUt7Vg=

A security scanner was run against our ldap severs and came back with a
warning stating "The remote LDAP server supports search requests with a
null, or empty, base object.  This allows information to be retrieved
without any prior knowledge of the directory structure.  Coupled with a
NULL BIND, an anonymous user may be able to query your LDAP server using
a tool . . ."  

I'm not overly concerned with the warning, but I was a little confused
what the scanner was reffering to.  I used the following search in an
effort to somewhat duplicate what the scanner was sending and what
information is retrieved and was hoping someone could commet if I was
ontrack.  I assume the warning is due to the namingContext attribute and
if desired an acl could be setup to stop the retrival on the
information.  This is on a RH5 openlap 2.3 server.

ldapsearch -x -s base -b '' -H  ldap://my.lapdap.server
"(objectClass=*)" "*" +  

I got back this:

#
dn:
objectClass: top
objectClass: OpenLDAProotDSE
structuralObjectClass: OpenLDAProotDSE
configContext: cn=config
namingContexts: o=mydomain
supportedControl: 1.3.6. .....
. . . .
supportedControl: 1.3.6. .....
supportedLDAPVersion: 3
entryDN:
subschemaSubentry: cn=Subschema

Follow-Ups:
- Re: Null Search Base
  - From: Andrew Findlay <andrew.findlay@skills-1st.co.uk>

Prev by Date: Re: syncrepl with with multiple subordinate databases
Next by Date: JLDAP question
Index(es):
- Chronological
- Thread