
Re: Null Search Base

On Wed, Mar 09, 2011 at 04:34:16PM -0700, ldap@mm.st wrote:

> A security scanner was run against our ldap severs and came back with a
> warning stating "The remote LDAP server supports search requests with a
> null, or empty, base object.  This allows information to be retrieved
> without any prior knowledge of the directory structure.  Coupled with a
> NULL BIND, an anonymous user may be able to query your LDAP server using
> a tool . . ."  

> I assume the warning is due to the namingContext attribute and
> if desired an acl could be set up to stop the retrieval of the
> information.

That seems very likely, and as you say an ACL could be used to prevent
it. In this context the 'empty base object' refers to the Root DSE, and
it contains information that some LDAP client programs depend on.
Blocking access to it would almost certainly cause trouble for those

It is very unlikely that the list of naming contexts and supported LDAP
extensions is in any sense secret, so don't let some auditor bully you
into breaking your system just to fit some tick-box notion of security.
The important stuff comes further down in the DIT, and you need a tool
specific to your organisational policy to point out exposures there.

|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                +44 1628 782565     |
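Before deciding whether an ACL on the Root DSE is worth the risk to clients, it helps to see exactly what the scanner saw. The script below is an added example, not part of this thread; it assumes OpenLDAP's ldapsearch is installed, and the host name and the LDIF shown in the comments are constructed placeholders.

```shell
#!/bin/sh
# Reproduce the scanner's check: an anonymous (-x with no -D/-w) base-scope
# search with an empty base DN returns the Root DSE. Requesting '+' as well
# as '*' includes operational attributes such as namingContexts.
fetch_rootdse() {
    # $1 is the server host name, e.g. ldap.example.org (placeholder)
    ldapsearch -LLL -x -H "ldap://$1" -s base -b '' '+' '*'
}

# Read Root DSE LDIF on stdin and print "attribute count" per attribute,
# so you can see what an anonymous client actually learns. Continuation
# lines (leading space) and the "dn:" line are handled by the regex.
summarize_rootdse() {
    awk '/^[A-Za-z]/ { a = $0; sub(/:.*/, "", a); n[a]++ }
         END { for (a in n) printf "%s %d\n", a, n[a] }' | sort
}

# Exit 0 if the LDIF on stdin exposes the named attribute, 1 otherwise.
# Example: fetch_rootdse ldap.example.org | rootdse_exposes namingContexts
rootdse_exposes() {
    grep -qi "^$1:"
}
```

If namingContexts is the only attribute the auditor objects to, compare this output with what your clients actually read from the Root DSE before restricting anything.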