
Re: internet scanner (Was: empty)



At 01:49 AM 2001-10-13, chdonald@sh163.net wrote:
> Hello! I use internet scanner to scan my openldap system, it finds several security bugs.

While these might be issues to consider, they are not bugs.

>1. use NULL bind entry can result in anonymous access

Yes, the server supports anonymous access. In 1.x, you can
disable anonymous read of user information through access
controls but cannot disable anonymous bind.  2.x does.

>2. cn=monitor can get some information from system
>3. cn=config can get some information from system.

Yes.  IIRC, 1.x doesn't provide access controls on admin
entries.  2.x does.

>I want to know how can I close these features.
>I can't find any useful information in Openldap administration and FAQ. So please help me.

If you are after more security features, I recommend using 2.x.
1.x is provided to support environments with LDAPv2 legacy
directory needs.

Kurt
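
An added example, not part of the original message and not OpenLDAP project code: a heuristic audit of a 2.x `slapd.conf` for the three scanner findings discussed above. It assumes a 2.x release that supports `disallow bind_anon` and `access to ... by ...` clauses; the sample configurations and DNs are constructed, and the check only looks at clauses that name the admin entry, not at global ACLs.

```python
import re

# Constructed slapd.conf samples for an OpenLDAP 2.x server (not from the thread).
WEAK = """\
database monitor
database bdb
suffix "dc=example,dc=com"
access to * by * read
"""
HARDENED = """\
disallow bind_anon
database monitor
access to dn.subtree="cn=Monitor"
    by dn.exact="cn=admin,dc=example,dc=com" read
    by * none
database bdb
suffix "dc=example,dc=com"
access to * by users read by * none
"""
ANON_BY = re.compile(r"\bby\s+(?:\*|anonymous)\s+(\S+)", re.I)

def logical_lines(text):
    """Drop comments/blank lines; fold indented continuation lines."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw[0].isspace() and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out

def audit(conf):
    """Heuristic check for the scanner's findings; returns a list of strings."""
    lines = logical_lines(conf)
    words = [l.lower().split() for l in lines]
    findings = []
    if not any(w[0] == "disallow" and "bind_anon" in w[1:] for w in words):
        findings.append("anonymous bind accepted: no 'disallow bind_anon'")
    for name in ("monitor", "config"):
        if ["database", name] not in [w[:2] for w in words]:
            continue  # admin database not configured
        acls = [l for l in lines if l.lower().startswith("access to") and f"cn={name}" in l.lower()]
        if not acls:
            findings.append(f"cn={name}: no access clause names it")
        for acl in acls:
            m = ANON_BY.search(acl)  # first 'by' that matches an anonymous client
            if m and m.group(1).lower() not in ("none", "auth"):
                findings.append(f"cn={name}: anonymous gets '{m.group(1)}'")
    return findings
```
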