[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Disable NULL BASE queries

> Greetings All,
> I am running a standalone, non-replicated instance of OpenLDAP v 2.1.22
> on a Sun E250 server with Solaris 2.8 installed.  Currently the box is
> being used for testing purposes.  My problem is as follows:
> We are running the slapd instance in our coporate extranet.  Subsequent
> security scans by an independent security contractor has detected what
> is described as a security hole in our LDAP server.  The exact verbage
> of their report is:
> Improperly configured LDAP servers will allow the directory BASE
> to be set to NULL. This allows information to be
> culled without any prior knowledge of the directory
> structure. Coupled with a NULL BIND, an anonymous
> user can query your LDAP server using a tool such
> as ?LdapMiner?
> Solution: Disable NULL BASE queries on your LDAP server
> Risk factor : Medium
> I have disabled NULL binds but can't find any documentation outlining
> how to "Disable NULL BASE queries" on this server.  Anyone have any
> ideas?  We want to be able to use OpenLDAP but if I can't figure this
> problem out we may need to use another product.


access to dn.exact=""
    by users read
    by * none

replace "read" with whatever permissions you want users
to have on the rootDSE, and "users" with whatever stricter
set of non-anonymous users you want.  Note that this
partially defeats the purpose of a directory server,
because only clients that know what naming context this
DSA is serving will be able to use it.  I'd rather leave
the rootDSE readable by anonymous and protect entries from
anonymous data mining, unless even the overhead resulting
from potential data mining is a concern.


Pierangelo Masarati