How can I disable Null Base Search Access/Anonymous bind on RHDS?

Solution Verified

Issue

  • After running a Nessus vulnerability scan, the following is shown regarding our LDAP server:

    Synopsis
    The remote LDAP server may disclose sensitive information.

    Description
    The remote LDAP server supports search requests with a null, or empty, base object. This allows information to be retrieved without any prior knowledge of the directory structure. Coupled with a NULL BIND, an anonymous user may be able to query your LDAP server using a tool such as 'LdapMiner'.

    Note that there are valid reasons to allow queries with a null base. For example, it is required in version 3 of the LDAP protocol to provide access to the root DSA-Specific Entry (DSE), with information about the supported naming context, authentication types, and the like. It also means that legitimate users can find information in the directory without any a priori knowledge of its structure. As such, this finding may be a false positive.

  • How can we disable Null Base search access and/or anonymous binding?
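The following is an added example, not part of this knowledgebase article and not Red Hat's code. It audits a Directory Server configuration file for the two conditions the scanner finding describes: whether anonymous binds are accepted at all, and whether any ACI grants read/search rights to unauthenticated clients. It assumes (from 389 Directory Server / RHDS documentation, not from this page) that the server-wide switch is the `cn=config` attribute `nsslapd-allow-anonymous-access` with the values `on`, `off` and `rootdse`, that the server defaults to `on` when the attribute is absent, and that an ACI bind rule of `userdn = "ldap:///anyone"` matches anonymous clients. The `dse.ldif` excerpt is constructed for the example.

```python
"""Audit a Red Hat Directory Server dse.ldif for anonymous-access exposure.

Assumptions (documented 389-ds/RHDS behaviour, not taken from the KB article):
  * cn=config attribute nsslapd-allow-anonymous-access controls anonymous binds
    ('on' = allowed, 'off' = refused, 'rootdse' = allowed only for the root DSE,
    which is what LDAPv3 clients legitimately need);
  * the attribute defaults to 'on' when it is not present;
  * an ACI whose bind rule is userdn="ldap:///anyone" applies to anonymous clients.
"""
import re
from typing import Dict, List, Tuple

Entry = List[Tuple[str, str]]

# Constructed dse.ldif excerpt: anonymous access fully on, plus the stock
# "Anonymous access" ACI on the suffix, i.e. exactly what the scanner flags.
CONSTRUCTED_DSE_LDIF = """\
dn: cn=config
cn: config
nsslapd-allow-anonymous-access: on
nsslapd-port: 389

dn: dc=example,dc=com
objectClass: top
objectClass: domain
dc: example
aci: (targetattr="*")(version 3.0; acl "Anonymous access"; allow (read,search,compare)
  userdn="ldap:///anyone";)
aci: (targetattr="*")(version 3.0; acl "Directory Admins"; allow (all)
  groupdn="ldap:///cn=Directory Administrators,dc=example,dc=com";)
"""

ANON_BIND_RULE = re.compile(r'userdn\s*=\s*"ldap:///anyone"', re.IGNORECASE)
ACL_NAME = re.compile(r'acl\s+"([^"]*)"', re.IGNORECASE)


def parse_ldif(text: str) -> Dict[str, Entry]:
    """Minimal LDIF parser: unfolds continuation lines (leading space) and splits
    entries on blank lines. Sufficient for dse.ldif; base64 ('::') values are not decoded."""
    unfolded: List[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]          # LDIF folding: drop exactly one leading space
        else:
            unfolded.append(line)

    entries: Dict[str, Entry] = {}
    dn, current = None, []
    for line in unfolded + [""]:              # sentinel blank line flushes the last entry
        if not line.strip():
            if dn is not None:
                entries[dn] = current
            dn, current = None, []
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            dn = value
        else:
            current.append((attr, value))
    return entries


def anonymous_access_mode(entries: Dict[str, Entry]) -> str:
    """Return the effective nsslapd-allow-anonymous-access value ('on' if unset)."""
    for attr, value in entries.get("cn=config", []):
        if attr == "nsslapd-allow-anonymous-access":
            return value.lower()
    return "on"


def anonymous_acis(entries: Dict[str, Entry]) -> List[Tuple[str, str]]:
    """List (dn, acl name) for every allow-ACI whose bind rule matches anyone."""
    hits = []
    for dn, attrs in entries.items():
        for attr, value in attrs:
            if attr == "aci" and "allow" in value.lower() and ANON_BIND_RULE.search(value):
                m = ACL_NAME.search(value)
                hits.append((dn, m.group(1) if m else "<unnamed>"))
    return hits


def audit(text: str) -> dict:
    """Combine both checks. Anonymous ACIs only expose data to unauthenticated
    clients when the server-wide switch is 'on', so they are reported only then."""
    entries = parse_ldif(text)
    mode = anonymous_access_mode(entries)
    acis = anonymous_acis(entries)
    findings = []
    if mode == "on":
        findings.append("anonymous binds accepted server-wide (nsslapd-allow-anonymous-access: on)")
        for dn, name in acis:
            findings.append(f"ACI '{name}' on {dn} grants read/search to anonymous clients")
    return {"anonymous_access": mode, "anonymous_acis": acis, "findings": findings}


def remediation_ldif(mode: str = "rootdse") -> str:
    """LDIF for ldapmodify (bound as Directory Manager) that restricts anonymous access.
    'rootdse' keeps the LDAPv3-required root DSE readable; 'off' refuses anonymous binds."""
    if mode not in ("off", "rootdse"):
        raise ValueError("mode must be 'off' or 'rootdse'")
    return (
        "dn: cn=config\n"
        "changetype: modify\n"
        "replace: nsslapd-allow-anonymous-access\n"
        f"nsslapd-allow-anonymous-access: {mode}\n"
    )


if __name__ == "__main__":
    report = audit(CONSTRUCTED_DSE_LDIF)
    for finding in report["findings"] or ["no anonymous-access findings"]:
        print("-", finding)
    print("\nSuggested change:\n" + remediation_ldif())
```

Run it against a copy of the instance's `dse.ldif`, or feed it the output of an authenticated `ldapsearch -b cn=config`. After applying the LDIF with `ldapmodify`, an anonymous base-scope search of the root DSE (`ldapsearch -x -s base -b ''`) should still succeed under `rootdse`, while an anonymous search below the suffix should be refused; that pair of results is what distinguishes the legitimate root DSE access the scanner text describes from the exposure it warns about.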

Environment

  • Red Hat Directory Server
