Ludwig Krispenz wrote:
> Hi,
>
> in my opinion this is not a security issue, but a feature compliant to
> the ldap rfcs. A server should expose a minimal set of information about
> itself, e.g. supported controls, saslmechanisms, namingcontexts even to
> anonymous users - and many applications rely on this.
> If you really want to turn this off, you need to modify the aci for the
> "dn:" entry

He might also want to look at nsslapd-allow-anonymous-access to disable all
anonymous access to the server.

I agree that being able to read the rootDSE probably isn't a big deal.

rob

>
> Ludwig
>
> On 03/11/2015 11:23 AM, Kay Cee wrote:
>> All clients connecting to our 389-ds server showed up this
>> vulnerability on the scan. How do I fix this on my 389-ds server?
>>
>> LDAP allows null bases
>>
>> Risk: High
>> Application: ldap
>> Port: 389
>> Protocol: tcp
>> ScriptID: 10722
>> Summary:
>> It is possible to disclose LDAP information.
>> Description:
>> Improperly configured LDAP servers will allow the directory BASE to be
>> set to NULL. This allows information to be culled without any prior
>> knowledge of the directory structure. Coupled with a NULL BIND, an
>> anonymous user can query your LDAP server using a tool such as
>> 'LdapMiner'
>>
>> Solution:
>> Disable NULL BASE queries on your LDAP server
>> CVSS Base Score: 5.0
>> Family name: Remote file access
>> Category: infos
>> Copyright: Copyright (C) 2000 John Lampe....j_lampe@xxxxxxxxxxxxx
>> Summary: Check for LDAP null base
>> Version: $Revision: 128 $
>>
>> --
>> 389 users mailing list
>> 389-users@xxxxxxxxxxxxxxxxxxxxxxx
>> https://admin.fedoraproject.org/mailman/listinfo/389-users
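The two knobs the thread names are the rootDSE aci (the entry with an empty DN, `dn:`) and the cn=config attribute nsslapd-allow-anonymous-access. The following is an added example, written for this page and not code from the thread or from the 389-ds project: a small LDIF reader that audits a dse.ldif-style dump for those two settings, reports what a NULL-bind client can reach, and emits the ldapmodify LDIF for the remediation Rob points at. It assumes that nsslapd-allow-anonymous-access accepts the values `on`, `off` and `rootdse`, that the server default is `on` when the attribute is absent, and that the rootDSE appears in dse.ldif with an empty `dn:`; the sample config embedded below is constructed for illustration.

```python
"""Audit 389-ds anonymous-access exposure from a dse.ldif-style config.

Added example; not from the 389-users thread or the 389-ds project.
Assumptions (not confirmed by the thread): nsslapd-allow-anonymous-access
takes on / off / rootdse and defaults to on; the rootDSE is the entry
with an empty DN ('dn:').
"""
import base64
from typing import Dict, List

# Constructed sample of the two relevant entries; not a real server dump.
# 'cn:: ...' exercises base64 values, the folded aci exercises unfolding.
SAMPLE_DSE_LDIF = """\
dn: cn=config
cn:: Y29uZmln
nsslapd-port: 389
nsslapd-allow-anonymous-access: on

dn:
objectClass: top
aci: (targetattr!="userPassword")(version 3.0; acl "Enable anonymous acces
 s"; allow (read,search,compare) userdn="ldap:///anyone";)
"""

Entry = Dict[str, List[str]]


def parse_ldif(text: str) -> Dict[str, Entry]:
    """Minimal LDIF reader: unfolds continuation lines, decodes '::' base64
    values and returns {dn: {attr_lowercase: [values]}}; rootDSE has dn ''."""
    unfolded: List[str] = []
    for raw in text.splitlines():
        # A line beginning with one space continues the previous line.
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)

    entries: Dict[str, Entry] = {}
    current: Entry = {}
    dn = None
    for line in unfolded + [""]:  # trailing "" flushes the last entry
        if line == "":
            if dn is not None:
                entries[dn] = current
            current, dn = {}, None
            continue
        if line.startswith("#"):
            continue
        attr, rest = line.split(":", 1)
        if rest.startswith(":"):  # 'attr:: <base64>'
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        key = attr.strip().lower()
        if key == "dn":
            dn = value.lower()  # '' for the rootDSE
        else:
            current.setdefault(key, []).append(value)
    return entries


def anonymous_exposure(entries: Dict[str, Entry]) -> str:
    """Classify what an unauthenticated (NULL bind) client can read."""
    config = entries.get("cn=config", {})
    mode = config.get("nsslapd-allow-anonymous-access", ["on"])[0].lower()
    if mode == "off":
        return "none"  # anonymous binds and searches are rejected outright
    if mode == "rootdse":
        return "rootdse-only"  # RFC-expected rootDSE stays readable, nothing else
    # mode 'on': the per-entry acis decide; check the rootDSE grant explicitly.
    rootdse = entries.get("", {})
    anyone_reads_rootdse = any(
        "ldap:///anyone" in aci and "read" in aci for aci in rootdse.get("aci", [])
    )
    return "rootdse-and-acl-governed" if anyone_reads_rootdse else "acl-governed"


def remediation_ldif(mode: str) -> str:
    """LDIF for ldapmodify that sets nsslapd-allow-anonymous-access.
    'rootdse' keeps the minimal self-description Ludwig describes while
    closing the rest of the tree; 'off' removes anonymous access entirely."""
    if mode not in ("on", "off", "rootdse"):
        raise ValueError("mode must be on, off or rootdse")
    return (
        "dn: cn=config\n"
        "changetype: modify\n"
        "replace: nsslapd-allow-anonymous-access\n"
        f"nsslapd-allow-anonymous-access: {mode}\n"
    )


if __name__ == "__main__":
    parsed = parse_ldif(SAMPLE_DSE_LDIF)
    print("anonymous exposure:", anonymous_exposure(parsed))
    print("rootDSE aci:", parsed[""]["aci"][0])
    print(remediation_ldif("rootdse"), end="")
```

Run against a real dse.ldif (or an `ldapsearch -b cn=config` export), the classification tells you whether the scanner finding means "anyone can walk the tree" or merely "the rootDSE answers", which is the distinction Ludwig draws; `rootdse` is the setting that satisfies the clients relying on supportedControl and namingContexts without exposing anything further.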