A security scanner was run against our LDAP servers and came back with a warning stating "The remote LDAP server supports search requests with a null, or empty, base object. This allows information to be retrieved without any prior knowledge of the directory structure. Coupled with a NULL BIND, an anonymous user may be able to query your LDAP server using a tool . . ."
I'm not overly concerned with the warning, but I was a little confused what the scanner was referring to. I used the following search in an effort to somewhat duplicate what the scanner was sending and what information is retrieved, and was hoping someone could comment on whether I was on track. I assume the warning is due to the namingContext attribute and, if desired, an ACL could be set up to stop the retrieval of the information. This is on a RH5 OpenLDAP 2.3 server.
ldapsearch -x -s base -b '' -H ldap://my.lapdap.server "(objectClass=*)" "*" +
I got back this:
#
dn:
objectClass: top
objectClass: OpenLDAProotDSE
structuralObjectClass: OpenLDAProotDSE
configContext: cn=config
namingContexts: o=mydomain
supportedControl: 1.3.6. .....
. . . .
supportedControl: 1.3.6. .....
supportedLDAPVersion: 3
entryDN:
subschemaSubentry: cn=Subschema
On Wed, Mar 09, 2011 at 04:34:16PM -0700, ldap@mm.st wrote:
A security scanner was run against our LDAP servers and came back with a warning stating "The remote LDAP server supports search requests with a null, or empty, base object. This allows information to be retrieved without any prior knowledge of the directory structure. Coupled with a NULL BIND, an anonymous user may be able to query your LDAP server using a tool . . ."
I assume the warning is due to the namingContext attribute and, if desired, an ACL could be set up to stop the retrieval of the information.
That seems very likely, and as you say an ACL could be used to prevent it. In this context the 'empty base object' refers to the Root DSE, and it contains information that some LDAP client programs depend on. Blocking access to it would almost certainly cause trouble for those clients.
It is very unlikely that the list of naming contexts and supported LDAP extensions is in any sense secret, so don't let some auditor bully you into breaking your system just to fit some tick-box notion of security. The important stuff comes further down in the DIT, and you need a tool specific to your organisational policy to point out exposures there.
Andrew
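As an added illustration of the ACL Andrew refers to (this is editorial example configuration, not something posted in the thread or shipped by the OpenLDAP project), here is what the relevant part of a slapd.conf global section looks like for an OpenLDAP 2.3 server. The Root DSE is the entry with the empty DN, so it is governed by the global ACLs that appear before the first "database" line. The default, which is what the original poster's server is doing, grants everyone read access; the commented-out alternative hides namingContexts and configContext from anonymous clients while keeping the rest of the Root DSE readable. The suffix o=mydomain is taken from the posted output; the attribute list in the restrictive clause is an assumption chosen to match the scanner's complaint.

```conf
# slapd.conf, global section (before any "database ..." line).
# Editorial example, not the poster's real configuration.

# Default behaviour: the Root DSE (dn "") and the subschema entry are
# readable by everyone, anonymous or not.  Clients use the Root DSE to
# discover namingContexts, supportedSASLMechanisms, supportedControl and
# the STARTTLS extension before they ever bind, so this is what you
# normally want.
access to dn.base=""
        by * read

access to dn.base="cn=Subschema"
        by * read

# Alternative the scanner would be happier with.  ACLs are evaluated in
# order and the first "access to" clause that matches wins, so the
# attribute-specific clause must come BEFORE the catch-all one.
# Assumed attribute list: the two values the scanner objects to.
#
# access to dn.base="" attrs=namingContexts,configContext
#         by users read
#         by * none
#
# access to dn.base=""
#         by * read
#
# Caveat: any client that reads namingContexts anonymously to locate the
# search base (many LDAP libraries and address-book clients do) will then
# fail against this server.  Test every client type before deploying.

# The "NULL BIND" half of the finding is a separate knob.  This refuses
# anonymous simple binds outright; it does not by itself stop unbound
# (anonymous) operations, which is what "require authc" does, and that
# setting also affects anonymous reads of the Root DSE.
# disallow bind_anon

# The real exposure, if any, is further down the DIT, e.g. for the
# suffix in the posted output.  Restrict that explicitly in the
# database section rather than hiding the Root DSE:
# database bdb
# suffix   "o=mydomain"
# access to attrs=userPassword
#         by self write
#         by anonymous auth
#         by * none
# access to *
#         by users read
#         by * none
```

To see the effect of either variant, rerun the poster's ldapsearch command with -x and no -D (anonymous), then again with -D and -W for a real user, and compare which Root DSE attributes each one returns. Also try an anonymous subtree search under o=mydomain, since that, not the Root DSE, is the query the scanner's warning is really worried about.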
Andrew Findlay wrote:
On Wed, Mar 09, 2011 at 04:34:16PM -0700, ldap@mm.st wrote:
A security scanner was run against our LDAP servers and came back with a warning stating "The remote LDAP server supports search requests with a null, or empty, base object. This allows information to be retrieved without any prior knowledge of the directory structure. Coupled with a NULL BIND, an anonymous user may be able to query your LDAP server using a tool . . ."
I assume the warning is due to the namingContext attribute and, if desired, an ACL could be set up to stop the retrieval of the information.
That seems very likely, and as you say an ACL could be used to prevent it. In this context the 'empty base object' refers to the Root DSE, and it contains information that some LDAP client programs depend on. Blocking access to it would almost certainly cause trouble for those clients.
It is very unlikely that the list of naming contexts and supported LDAP extensions is in any sense secret, so don't let some auditor bully you into breaking your system just to fit some tick-box notion of security. The important stuff comes further down in the DIT, and you need a tool specific to your organisational policy to point out exposures there.
When the tool doesn't even call the object by its proper name ("Root DSE") it's a sure sign the tool authors have no idea what they're talking about.
openldap-technical@openldap.org