| From | Sent On | Attachments |
|---|---|---|
| Shawn McKinney | Feb 5, 2004 11:38 am | |
| Pierangelo Masarati | Feb 5, 2004 12:19 pm | |
| Dieter Kluenter | Feb 5, 2004 12:40 pm | |
| Kurt D. Zeilenga | Feb 5, 2004 1:50 pm | |

| Subject: | Disable NULL BASE queries | |
|---|---|---|
| From: | Shawn McKinney (smmt...@sbcglobal.net) | |
| Date: | Feb 5, 2004 11:38:46 am | |
| List: | org.openldap.openldap-software | |

Greetings All,

I am running a standalone, non-replicated instance of OpenLDAP v 2.1.22 on a Sun
E250 server with Solaris 2.8 installed. Currently the box is being used for
testing purposes. My problem is as follows:

We are running the slapd instance in our corporate extranet. Subsequent security
scans by an independent security contractor have detected what is described as a
security hole in our LDAP server. The exact verbiage of their report is:

> Improperly configured LDAP servers will allow the directory BASE
> to be set to NULL. This allows information to be
> culled without any prior knowledge of the directory
> structure. Coupled with a NULL BIND, an anonymous
> user can query your LDAP server using a tool such
> as LdapMiner
>
> Solution: Disable NULL BASE queries on your LDAP server
>
> Risk factor : Medium

I have disabled NULL binds but can't find any documentation outlining how to
"Disable NULL BASE queries" on this server. Anyone have any ideas? We want to
be able to use OpenLDAP but if I can't figure this problem out we may need to
use another product.

Thanks,
Shawn
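
An added example, not part of the original post and not the OpenLDAP project's own configuration: a base-scope search with an empty base DN returns the server's root DSE, and in `slapd.conf` access to that entry is controlled by ACLs on `dn.base=""`. The restrictive rules below assume that every legitimate client binds before it needs the root DSE or the subschema entry.

```conf
# slapd.conf access control for the root DSE (the entry returned by a
# base-scope search with an empty, "NULL", base DN).
# slapd uses the first "access to" clause that matches an entry, so these
# rules must appear before any broader rule such as "access to *".

# Permissive form: anyone, including an anonymous client, can read the
# root DSE (naming contexts, supported controls, SASL mechanisms).
# Shown commented out for comparison.
#access to dn.base="" by * read

# Restrictive form: only authenticated identities can read the root DSE;
# anonymous clients get nothing back.
access to dn.base=""
    by users read
    by * none

# The subschema entry is advertised by the root DSE; restrict it the
# same way so the schema is not readable anonymously either.
access to dn.base="cn=Subschema"
    by users read
    by * none
```

Clients that read `namingContexts` or `supportedSASLMechanisms` anonymously before binding will stop working under the restrictive rules. After restarting slapd, an anonymous `ldapsearch -x -b "" -s base` against the server shows what is still returned.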





