Hi,

In my opinion this is not a security issue, but a feature compliant with the LDAP RFCs. A server should expose a minimal set of information about itself, e.g. supported controls, SASL mechanisms, naming contexts, even to anonymous users - and many applications rely on this.
If you really want to turn this off, you need to modify the ACI for the "dn:" entry.

Ludwig

On 03/11/2015 11:23 AM, Kay Cee wrote:
All clients connecting to our 389-ds server showed up this vulnerability on the scan. How do I fix this on my 389-ds server? 

LDAP allows null bases

Risk:High
Application:ldap
Port:389
Protocol:tcp
ScriptID:10722
Summary:
It is possible to disclose LDAP information.
Description :
Improperly configured LDAP servers will allow the directory BASE to be set to NULL. This allows information to be culled without any prior knowledge of the directory structure. Coupled with a NULL BIND, an anonymous user can query your LDAP server using a tool such as 'LdapMiner' 

Solution:
Disable NULL BASE queries on your LDAP server
CVSS Base Score : 5.0
Family name: Remote file access
Category: infos
Copyright: Copyright (C) 2000 John Lampe....j_lampe@bellsouth.net
Summary: Check for LDAP null base
Version: $Revision: 128 $



--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
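
Added example, not part of the original thread and not 389-ds code: a Python sketch for triaging this scanner finding. It parses the LDIF from an anonymous base-scope search with an empty base DN and separates the root DSE attributes defined in RFC 4512 section 5.1 from anything else the server returned. The sample LDIF, its values and the function names are constructed for illustration.

```python
import base64

# Root DSE attributes defined by RFC 4512, section 5.1.
RFC4512_ROOT_DSE = {
    "altserver", "namingcontexts", "supportedcontrol", "supportedextension",
    "supportedfeatures", "supportedldapversion", "supportedsaslmechanisms",
}
STRUCTURAL = {"dn", "objectclass"}  # carried by every entry
# Constructed sample of an anonymous `ldapsearch -x -b "" -s base` result.
_b64 = base64.b64encode(b"Example Directory Server 1.0").decode()
SAMPLE_LDIF = (
    "dn:\nobjectClass: top\nnamingContexts: dc=example,dc=com\n"
    "supportedControl: 2.16.840.1.113730.3.4.2\n"
    "supportedControl: 1.2.840.113556.1.4.319\n"
    "supportedSASLMechanisms: EXTERNAL\nsupportedSASLMechanisms: GSSAPI\n"
    "supportedLDAPVersion: 3\nvendorName: Example Directory\n"
    f"vendorVersion:: {_b64[:20]}\n {_b64[20:]}\n"  # base64 value, folded
)

def parse_ldif_entry(text):
    """Return {lowercased attribute: [values]} for one LDIF entry."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # unfold a continuation line
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines:
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):  # "attr:: value" carries base64
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        entry.setdefault(attr.lower(), []).append(value)
    return entry

def triage_root_dse(text):
    """Split an anonymous root DSE read into RFC-defined and other attributes."""
    entry = parse_ldif_entry(text)
    if entry.get("dn") != [""]:
        raise ValueError("DN is not empty, so this is not the root DSE")
    expected = {a: v for a, v in entry.items() if a in RFC4512_ROOT_DSE}
    extra = {a: v for a, v in entry.items()
             if a not in RFC4512_ROOT_DSE and a not in STRUCTURAL}
    return expected, extra

if __name__ == "__main__":
    print("review these:", triage_root_dse(SAMPLE_LDIF)[1])
```

Attributes that land in the second dictionary are the ones to weigh when deciding whether the ACI on the "dn:" entry needs changing.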