
Re: disable null base queries



Matthieu writes:

> I've run a nessus scan on my ldap server.  It notifies
> me that my server is vulnerable to null base queries

Apparently Nessus thinks one should not be able to search an LDAP server
without prior knowledge about the search base.  If the purpose of your
LDAP server is to _help_ people with little prior knowledge to find
information, that's a feature, not a bug.

If you agree with Nessus, remove "defaultsearchbase" from slapd.conf
and add
    access to dn.base="" attrs=namingContexts by * none
to your access controls.  (Maybe you'll want to remove "BASE" from
"too public" ldap.conf's too.)

An alternative way to make data dumps more difficult is to shrink your
size limits.

-- 
Hallvard
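
An added example, not part of Hallvard's message: a small Python check that reads a slapd.conf and reports whether the three settings mentioned above (defaultsearchbase, the namingContexts access rule, size limits) are in place. The sample config, the function names and the `max_sizelimit` threshold are constructed for illustration, and ACL handling is simplified to the rule form quoted in the message.

```python
import re

# Constructed sample slapd.conf (not from the original message).
SAMPLE_CONF = '''\
defaultsearchbase "dc=example,dc=com"
sizelimit unlimited
access to *
    by * read
access to dn.base="" attrs=namingContexts
    by * none
'''
# Simplification: only the rule form quoted in the message is recognised.
HIDE_RULE = re.compile(r'^access\s+to\s+dn\.base=""\s+attrs?=(\S+)\s+by\s+\*\s+none\b', re.I)
CATCH_ALL = re.compile(r'^access\s+to\s+\*\s', re.I)

def logical_lines(text):
    """Fold continuation lines (leading whitespace); drop comments and blanks."""
    out, skip = [], False
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0] in " \t":
            if out and not skip:
                out[-1] += " " + raw.strip()
            continue
        skip = raw.startswith("#")  # a continued comment stays a comment
        if not skip:
            out.append(raw.strip())
    return out

def audit_slapd_conf(text, max_sizelimit=100):
    """Return findings; max_sizelimit is an assumed site policy, not a slapd default."""
    findings, hidden, shadowed = [], False, False
    for line in logical_lines(text):
        key, *args = line.split()
        if key.lower() == "defaultsearchbase":
            findings.append("defaultsearchbase is set")
        elif key.lower() == "sizelimit":
            for arg in args:
                val = arg.split("=")[-1].lower()  # handles size.soft=N as well
                if val in ("unlimited", "-1") or (val.isdigit() and int(val) > max_sizelimit):
                    findings.append("sizelimit too generous: " + arg)
        elif CATCH_ALL.match(line) and not hidden:
            shadowed = True  # rules match in order, so this one wins for everything after it
        elif (m := HIDE_RULE.match(line)) and "namingcontexts" in m.group(1).lower().split(","):
            hidden = hidden or not shadowed
    if not hidden:
        findings.append("no effective rule hides namingContexts on the root DSE")
    return findings
```

The sample deliberately places the catch-all rule first, so the namingContexts rule is reported as ineffective. After reloading slapd, an anonymous `ldapsearch -x -s base -b "" namingContexts` should return no namingContexts values.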