
Re: Null Search Base



Andrew Findlay wrote:
> On Wed, Mar 09, 2011 at 04:34:16PM -0700, ldap@mm.st wrote:
>
> > A security scanner was run against our ldap servers and came back with a
> > warning stating "The remote LDAP server supports search requests with a
> > null, or empty, base object.  This allows information to be retrieved
> > without any prior knowledge of the directory structure.  Coupled with a
> > NULL BIND, an anonymous user may be able to query your LDAP server using
> > a tool . . ."
> >
> > I assume the warning is due to the namingContext attribute and
> > if desired an acl could be set up to stop the retrieval of the
> > information.
>
> That seems very likely, and as you say an ACL could be used to prevent
> it. In this context the 'empty base object' refers to the Root DSE, and
> it contains information that some LDAP client programs depend on.
> Blocking access to it would almost certainly cause trouble for those
> clients.
>
> It is very unlikely that the list of naming contexts and supported LDAP
> extensions is in any sense secret, so don't let some auditor bully you
> into breaking your system just to fit some tick-box notion of security.
> The important stuff comes further down in the DIT, and you need a tool
> specific to your organisational policy to point out exposures there.

When the tool doesn't even call the object by its proper name ("Root DSE") it's a sure sign the tool authors have no idea what they're talking about.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
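
[Added example, not part of the thread above and not OpenLDAP or Symas code.]
The scanner's finding is reproducible by hand: an anonymous ("NULL") bind
followed by a base-scope search whose base DN is the empty string returns
the Root DSE. `ldapsearch -x -H ldap://HOST -s base -b '' '(objectClass=*)'
namingContexts supportedExtension` does exactly that, but the script below
builds the two LDAPv3 messages itself with a small BER encoder, so you can
see what is actually on the wire and what the server hands back, and judge
for yourself whether any of it is secret. The host/port on the command line,
the attribute list, and all names in the script are this example's own
choices; it needs only the Python standard library.

```python
"""Added example: reproduce the scanner's 'NULL bind + null base' probe.

Sends an anonymous LDAPv3 BindRequest and a base-scope SearchRequest with an
empty baseObject (i.e. the Root DSE), then decodes the returned attributes.
Hand-rolled BER, standard library only. Target host/port are assumptions.
"""
import socket
import sys

# ---------- BER encoding (only what an LDAPv3 bind/search needs) ----------

def ber_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, content):
    return bytes([tag]) + ber_len(len(content)) + content

def ber_int(v):                 # INTEGER, non-negative; keeps the sign bit clear
    return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))

def ber_str(s):                 # OCTET STRING
    return tlv(0x04, s.encode())

def ber_enum(v):                # ENUMERATED (small values)
    return tlv(0x0A, bytes([v]))

def ldap_message(msg_id, protocol_op):
    return tlv(0x30, ber_int(msg_id) + protocol_op)

def bind_request_anonymous(msg_id=1):
    # BindRequest [APPLICATION 0]: version 3, name "", simple password ""
    return ldap_message(msg_id, tlv(0x60, ber_int(3) + ber_str("") + tlv(0x80, b"")))

def search_request_rootdse(attrs, msg_id=2):
    # SearchRequest [APPLICATION 3]: baseObject "", scope baseObject(0),
    # derefAliases never(0), sizeLimit 0, timeLimit 0, typesOnly FALSE,
    # filter (objectClass=*) as a 'present' [7] filter, then the attribute list.
    body = (ber_str("") + ber_enum(0) + ber_enum(0) + ber_int(0) + ber_int(0)
            + tlv(0x01, b"\x00") + tlv(0x87, b"objectClass")
            + tlv(0x30, b"".join(ber_str(a) for a in attrs)))
    return ldap_message(msg_id, tlv(0x63, body))

# ---------- BER decoding of the reply ----------

def ber_read(buf, pos=0):
    """Return (tag, content, end) for the TLV at pos; IndexError if truncated."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        if pos + n > len(buf):
            raise IndexError("truncated BER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise IndexError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length

def ber_children(content):
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = ber_read(content, pos)
        out.append((tag, body))
    return out

def parse_search_entry(msg):
    """Return {attr: [values]} for a SearchResultEntry message, None for any other op."""
    (_, _), (op_tag, op_body) = ber_children(ber_read(msg)[1])[:2]
    if op_tag != 0x64:                      # [APPLICATION 4] SearchResultEntry
        return None
    (_, _dn), (_, attr_seq) = ber_children(op_body)
    entry = {}
    for _, attr in ber_children(attr_seq):  # SEQUENCE { type, SET OF value }
        (_, desc), (_, vals) = ber_children(attr)
        entry[desc.decode()] = [v.decode(errors="replace") for _, v in ber_children(vals)]
    return entry

def fetch_rootdse(host, port=389, attrs=("namingContexts", "supportedLDAPVersion",
                                          "supportedSASLMechanisms", "supportedExtension")):
    """Run the probe against a live server; return the Root DSE attributes (or None)."""
    entry, buf = None, b""
    with socket.create_connection((host, port), timeout=10) as sock:
        sock.sendall(bind_request_anonymous(1) + search_request_rootdse(list(attrs), 2))
        while True:
            try:
                _, _, end = ber_read(buf)           # do we hold one complete LDAPMessage?
            except IndexError:
                data = sock.recv(65536)
                if not data:
                    return entry
                buf += data
                continue
            msg, buf = buf[:end], buf[end:]
            parsed = parse_search_entry(msg)
            if parsed is not None:
                entry = parsed
            elif ber_children(ber_read(msg)[1])[1][0] == 0x65:   # SearchResultDone
                return entry

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"   # assumed target
    for attr, values in (fetch_rootdse(host) or {}).items():
        print(attr, values)
```

Run it as `python3 rootdse_probe.py ldap.example.com` (hostname assumed). What
comes back is the same list of naming contexts, protocol versions, SASL
mechanisms and extensions that every client reads before it can talk to the
server at all; if an ACL on the Root DSE is nonetheless wanted, this is the
request to re-run afterwards to confirm those clients still get what they need.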