Hi,

in my opinion this is not a security issue, but a feature compliant to the ldap rfcs. A server should expose a minimal set of information about itself, eg supported controls, saslmechanisms, namingcontexts even to anonymous users - and many applications rely on this.
If you really want to turn this off, you need to modify the aci for the "dn:" entry

Ludwig

On 03/11/2015 11:23 AM, Kay Cee wrote:

All clients connecting to our 389-ds server showed up this vulnerability on the scan. How do I fix this on my 389-ds server?

LDAP allows null bases

Risk:High

Application:ldap

Port:389

Protocol:tcp

ScriptID:10722

Summary:

It is possible to disclose LDAP information.

Description :

Improperly configured LDAP servers will allow the directory BASE to be set to NULL. This allows information to be culled without any prior knowledge of the directory structure. Coupled with a NULL BIND, an anonymous user can query your LDAP server using a tool such as 'LdapMiner'

Solution:

Disable NULL BASE queries on your LDAP server

CVSS Base Score : 5.0

Family name: Remote file access

Category: infos

Copyright: Copyright (C) 2000 John Lampe....j_lampe@bellsouth.net

Summary: Check for LDAP null base

Version: $Revision: 128 $
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users