[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: LDAP Crafted Search Request Access Allowed

To: openldap-technical@openldap.org
Subject: Re: LDAP Crafted Search Request Access Allowed
From: Dieter Klünter <dieter@dkluenter.de>
Date: Mon, 27 Oct 2014 17:09:30 +0100
In-reply-to: <CAP7y58MvgEu9UcVZJy-iaih2iSTpm-0X1KhyuMX_S3ryfoxs-w@mail.gmail.com>
Organization: AVCI
References: <CAP7y58MvgEu9UcVZJy-iaih2iSTpm-0X1KhyuMX_S3ryfoxs-w@mail.gmail.com>

Am Mon, 27 Oct 2014 10:53:07 -0300
schrieb Net Warrior <netwarrior863@gmail.com>:

> Hi there guys.
> 
> Recently we had an internal audit and it seems that our opelndap
> server is not configured properly, it seems that null bind are
> allowed and Crafted request as well are permited and it would be nice
> if anyone of you  could lend me a hand to fix this:
> 
> There are the access list:
> 
> olcAccess: {0}to attrs=userPassword by
> dn="cn=Manager,dc=domain,dc=com" wr ite by anonymous auth by self
> write by * none
> 
> olcAccess: {1}to
> attrs=cn,sn,memberUid,uidNumber,pwdHistory,pwdPolicySubentry,
> gidNumber,homeDirectory,givenName,description,loginShell by self
> write by ano
> nymous read by * none
> 
> olcAccess: {2}to dn.base="" by * read
> 
> olcAccess: {3}to * by dn="cn=Manager,dc=domain,dc=com" write by * read
> 
> And from a client I got the following:
> 
> ldapsearch -x -s base -b '' -H ldap://ldapserver "(objectClass=*)"
> "*" + # extended LDIF
> #
> # LDAPv3
> # base <> with scope baseObject
> # filter: (objectClass=*)
> # requesting: * +
> 
> #
> dn:
> objectClass: top
> objectClass: OpenLDAProotDSE
> structuralObjectClass: OpenLDAProotDSE
> configContext: cn=config
> monitorContext: cn=Monitor
> namingContexts: dc=domain,dc=com
> supportedControl: 2.16.840.1.113730.3.4.18
> supportedControl: 2.16.840.1.113730.3.4.2
> 
> supportedControl: 1.3.6.1.4.1.4203.1.10.1
> supportedControl: 1.2.840.113556.1.4.319
> supportedControl: 1.2.826.0.1.3344810.2.3
> supportedControl: 1.3.6.1.1.13.2
> supportedControl: 1.3.6.1.1.13.1
> supportedControl: 1.3.6.1.1.12
> supportedExtension: 1.3.6.1.4.1.1466.20037
> supportedExtension: 1.3.6.1.4.1.4203.1.11.1
> supportedExtension: 1.3.6.1.4.1.4203.1.11.3
> supportedExtension: 1.3.6.1.1.8
> supportedFeatures: 1.3.6.1.1.14
> supportedFeatures: 1.3.6.1.4.1.4203.1.5.1
> supportedFeatures: 1.3.6.1.4.1.4203.1.5.2
> supportedFeatures: 1.3.6.1.4.1.4203.1.5.3
> supportedFeatures: 1.3.6.1.4.1.4203.1.5.4
> supportedFeatures: 1.3.6.1.4.1.4203.1.5.5
> supportedLDAPVersion: 3
> entryDN:
> subschemaSubentry: cn=Subschema
> It seems it's no good at all, any help appreciated
> Best regards

A LDAP client should know the servers capabilities in order to connect
in conformance with the protocol. So there is nothing bad about this
search result.

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E

Follow-Ups:
- Re: LDAP Crafted Search Request Access Allowed
  - From: Net Warrior <netwarrior863@gmail.com>

References:
- LDAP Crafted Search Request Access Allowed
  - From: Net Warrior <netwarrior863@gmail.com>

Prev by Date: Duda
Next by Date: Fwd: Duda
Index(es):
- Chronological
- Thread