How can I disable Null Base Search Access/Anonymous bind on RHDS?
Issue
- After running a Nessus vulnerability scan, the following is shown regarding our LDAP server:
Synopsis
The remote LDAP server may disclose sensitive information.
Description
The remote LDAP server supports search requests with a null, or empty, base object. This allows information to be retrieved without any prior knowledge of the directory structure. Coupled with a NULL BIND, an anonymous user may be able to query your LDAP server using a tool such as 'LdapMiner'.
Note that there are valid reasons to allow queries with a null base. For example, it is required in version 3 of the LDAP protocol to provide access to the root DSA-Specific Entry (DSE), with information about the supported naming context, authentication types, and the like. It also means that legitimate users can find information in the directory without any a priori knowledge of its structure. As such, this finding may be a false-positive.
- How can we disable Null Base search access and/or anonymous binding?
Environment
- Red Hat Directory Server
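The two conditions the scanner combines (anonymous bind, null-base search) can be verified on a server you administer with OpenLDAP's `ldapsearch`, which is what this added helper does; it is not part of the Red Hat article and assumes `openldap-clients` is installed and that the host name is supplied as an argument (placeholder, not a page value). Running it before and after a configuration change shows whether only the root DSE remains anonymously readable (which LDAPv3 expects) or whether a subtree search with an empty base still returns entries.

```shell
#!/bin/sh
# Added verification helper (not from the Red Hat article): reproduce the
# scanner's probes against your own directory server with OpenLDAP's ldapsearch.
# Assumes ldapsearch is installed; the host is passed as $1 (placeholder).

# Interpret an ldapsearch run. ldapsearch exits with the LDAP result code:
#   0  success, 48 inappropriateAuthentication (anonymous access refused),
#   50 insufficientAccessRights (ACI denied), 32 noSuchObject.
# Usage: classify_anon_probe <scope> <exit-code> <entries-returned>
classify_anon_probe() {
    scope=$1; rc=$2; n=$3
    case "$rc" in
        0)  if [ "$scope" = base ]; then
                echo "root DSE readable anonymously (LDAPv3 requires this)"
            elif [ "$n" -gt 0 ]; then
                echo "FINDING: anonymous null-base $scope search returned $n entries"
            else
                echo "anonymous null-base $scope search returned nothing"
            fi ;;
        48) echo "anonymous access refused (inappropriateAuthentication)" ;;
        50) echo "anonymous $scope search denied by access control" ;;
        32) echo "no such object: null base not searchable with scope $scope" ;;
        *)  echo "unexpected ldapsearch exit code $rc" ;;
    esac
}

# Anonymous simple bind (-x, no -D), empty base (-b ""), requested scope.
# "1.1" asks for no attributes, so only the DNs of matching entries come back.
probe_null_base() {
    host=$1; scope=$2
    out=$(ldapsearch -x -H "ldap://$host" -b "" -s "$scope" -LLL \
          '(objectClass=*)' 1.1 2>/dev/null)
    rc=$?
    n=$(printf '%s\n' "$out" | grep -c '^dn:' || true)
    classify_anon_probe "$scope" "$rc" "$n"
}

# Walk the three scopes; only the base-scope (root DSE) read should succeed
# on a server that restricts anonymous access to the root DSE.
if [ -n "$1" ]; then
    for s in base one sub; do
        printf '%-4s: %s\n' "$s" "$(probe_null_base "$1" "$s")"
    done
fi
```

In 389 Directory Server / RHDS the policy behind these results is the `nsslapd-allow-anonymous-access` attribute of `cn=config` (values `on`, `off`, `rootdse`); the `rootdse` setting keeps the base-scope read working while the `one` and `sub` probes report code 48.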