Andrew Findlay wrote:
On Wed, Mar 09, 2011 at 04:34:16PM -0700, ldap@mm.st wrote:
A security scanner was run against our ldap servers and came back with a warning stating "The remote LDAP server supports search requests with a null, or empty, base object. This allows information to be retrieved without any prior knowledge of the directory structure. Coupled with a NULL BIND, an anonymous user may be able to query your LDAP server using a tool . . ."
I assume the warning is due to the namingContext attribute and if desired an ACL could be set up to stop the retrieval of the information.
That seems very likely, and as you say an ACL could be used to prevent it. In this context the 'empty base object' refers to the Root DSE, and it contains information that some LDAP client programs depend on. Blocking access to it would almost certainly cause trouble for those clients.
It is very unlikely that the list of naming contexts and supported LDAP extensions is in any sense secret, so don't let some auditor bully you into breaking your system just to fit some tick-box notion of security. The important stuff comes further down in the DIT, and you need a tool specific to your organisational policy to point out exposures there.
When the tool doesn't even call the object by its proper name ("Root DSE") it's a sure sign the tool authors have no idea what they're talking about.
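An added example, not part of the thread above: a small Python triage script that takes the LDIF returned by an anonymous search and separates the Root DSE entry (empty DN) from entries further down the DIT, which is where the replies say review effort belongs. `SAMPLE_LDIF` is constructed, and `parse_ldif`, `triage` and `ROOT_DSE_STANDARD` are hypothetical names chosen for this sketch.

```python
# Root DSE attributes from RFC 4512 section 5.1, plus objectClass and
# subschemaSubentry, which normally accompany them.
ROOT_DSE_STANDARD = {
    "altserver", "namingcontexts", "supportedcontrol", "supportedextension",
    "supportedfeatures", "supportedldapversion", "supportedsaslmechanisms",
    "objectclass", "subschemasubentry",
}

# Constructed sample of anonymous search output; not from a real server.
SAMPLE_LDIF = """\
dn:
objectClass: top
namingContexts: dc=example,dc=com
supportedLDAPVersion: 3
supportedExtension: 1.3.6.1.4.1.1466.20037

dn: uid=jdoe,ou=People,dc=example,dc=com
uid: jdoe
mail: jdoe@example.com
description: a long value that the ser
 ver folded onto a second line
"""

def parse_ldif(text):
    """Return a list of (dn, {attr_lower: [values]}) from LDIF text."""
    unfolded = text.replace("\n ", "")  # undo RFC 2849 line folding
    entries = []
    for block in unfolded.split("\n\n"):
        lines = [l for l in block.splitlines() if l and not l.startswith("#")]
        if not lines or not lines[0].lower().startswith("dn:"):
            continue
        dn = lines[0].partition(":")[2].lstrip(": ")
        attrs = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            attrs.setdefault(name.lower(), []).append(value.lstrip(": "))
        entries.append((dn, attrs))
    return entries

def triage(text):
    """Split results into non-standard Root DSE attributes and DIT entries."""
    report = {"root_dse_unexpected": [], "dit_entries": []}
    for dn, attrs in parse_ldif(text):
        if dn == "":  # the Root DSE is the entry with the empty DN
            report["root_dse_unexpected"] = sorted(set(attrs) - ROOT_DSE_STANDARD)
        else:         # anything else was readable anonymously below a suffix
            report["dit_entries"].append((dn, sorted(attrs)))
    return report

if __name__ == "__main__":
    print(triage(SAMPLE_LDIF))
```

An empty `root_dse_unexpected` list with a non-empty `dit_entries` list means the Root DSE shows only standard discovery attributes, while the listed entries are what the site's own access policy has to be checked against.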