Hi,
In my opinion this is not a security issue, but a feature compliant with the LDAP RFCs. A server should expose a minimal set of information about itself, e.g. supported controls, SASL mechanisms, naming contexts, even to anonymous users, and many applications rely on this. If you really want to turn this off, you need to modify the ACI for the "dn:" entry.
Ludwig
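The change Ludwig describes, as an added example that is not part of the thread or of the 389-ds project: it reproduces the scanner's null-base check against your own server, then swaps the root DSE ACI so that only authenticated binds may read it. It assumes OpenLDAP client tools (ldapsearch/ldapmodify with -x/-H/-D), a Directory Manager bind, and that the root DSE currently carries the stock 389-ds ACI held in ANON_ACI; that ACI text, the new ACI name, and the variables LDAP_URL, DM_DN and APPLY are assumptions made for the example, so read the live value with rootdse_show_aci before applying, since "delete: aci" only matches an exact value.

```shell
#!/bin/sh
# Added example, not from the thread or from 389-ds itself: restrict the ACI on
# the empty-DN root DSE entry (the "dn:" entry) and verify the result.
# Assumptions: OpenLDAP client tools, a Directory Manager bind, and that the
# root DSE carries the default ACI named "rootdse anon read access" (check with
# rootdse_show_aci first; "delete: aci" only matches an exact value).

LDAP_URL="${LDAP_URL:-}"                 # e.g. ldap://ldap.example.com:389; empty = do nothing
DM_DN="${DM_DN:-cn=Directory Manager}"

# ACI assumed to be present on the root DSE today (assumption, see above).
ANON_ACI='(targetattr != "aci")(version 3.0; aci "rootdse anon read access"; allow(read,search,compare) userdn="ldap:///anyone";)'
# Replacement: same rights, but userdn="ldap:///all" covers authenticated binds only,
# whereas "ldap:///anyone" also covers anonymous ones.
AUTH_ACI='(targetattr != "aci")(version 3.0; aci "rootdse authenticated read access"; allow(read,search,compare) userdn="ldap:///all";)'

# LDIF for ldapmodify. "dn:" with an empty value addresses the root DSE.
rootdse_aci_ldif() {
  printf 'dn:\nchangetype: modify\ndelete: aci\naci: %s\n-\nadd: aci\naci: %s\n' \
    "$ANON_ACI" "$AUTH_ACI"
}

# Show the ACIs currently on the root DSE, bound as Directory Manager.
rootdse_show_aci() {
  ldapsearch -LLL -x -H "$LDAP_URL" -D "$DM_DN" -W -b '' -s base '(objectClass=*)' aci
}

# The scanner's test: anonymous simple bind (-x, no -D), null base, base scope.
# Exit 0 when namingContexts is still readable anonymously, 1 otherwise.
rootdse_anon_leaks() {
  ldapsearch -LLL -x -H "$LDAP_URL" -b '' -s base '(objectClass=*)' \
      namingContexts supportedSASLMechanisms supportedControl 2>/dev/null |
    grep -qi '^namingContexts:'
}

# Only talks to a server when LDAP_URL is set; APPLY=1 additionally pushes the change.
if [ -n "$LDAP_URL" ]; then
  if rootdse_anon_leaks; then
    echo "anonymous users can read the root DSE (this is what ScriptID 10722 reports)"
    if [ -n "${APPLY:-}" ]; then
      rootdse_aci_ldif | ldapmodify -x -H "$LDAP_URL" -D "$DM_DN" -W
      if rootdse_anon_leaks; then
        echo "still readable anonymously: compare rootdse_show_aci output with ANON_ACI"
      else
        echo "root DSE now requires an authenticated bind"
      fi
    fi
  else
    echo "anonymous root DSE read is already denied"
  fi
fi
```

Run it with LDAP_URL set to only repeat the scanner's check, and add APPLY=1 to push the LDIF. Ludwig's caveat applies in full: clients that discover namingContexts or supportedSASLMechanisms anonymously stop working once this is in place, so test your applications against a staging instance first. Setting nsslapd-allow-anonymous-access: off in cn=config is the blunter alternative, since it refuses anonymous binds altogether rather than just hiding the root DSE.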
On 03/11/2015 11:23 AM, Kay Cee wrote:
All clients connecting to our 389-ds server turned up this vulnerability on the scan. How do I fix this on my 389-ds server?
LDAP allows null bases

Risk: High
Application: ldap
Port: 389
Protocol: tcp
ScriptID: 10722

Summary: It is possible to disclose LDAP information.

Description: Improperly configured LDAP servers will allow the directory BASE to be set to NULL. This allows information to be culled without any prior knowledge of the directory structure. Coupled with a NULL BIND, an anonymous user can query your LDAP server using a tool such as 'LdapMiner'.

Solution: Disable NULL BASE queries on your LDAP server.

CVSS Base Score: 5.0
Family name: Remote file access
Category: infos
Copyright: Copyright (C) 2000 John Lampe....j_lampe@bellsouth.net
Summary: Check for LDAP null base
Version: $Revision: 128 $
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users