Security Basics mailing list archives
Re: Null Bind in LDAP configured on CentOS
From: Josh Miller <joshua () itsecureadmin com>
Date: Thu, 28 Aug 2008 14:24:57 -0700
skynetonsecurity () gmail com wrote:
I am looking for a solution for disabling null bind for LDAP installed on CentOS. Is there any way to disable it? Because while doing a vulnerability assessment for one of the customers I could fetch all the user names with the NT & LM hashes from the Domain Controller (using the (objectClass=*) filter).
Are you looking for a way to disable the ldap utility on the Linux host because it's able to perform an anonymous bind against a Windows AD server?
You'd be better off disabling anonymous binds on the AD server, which would solve the real security issue.
If you're looking at ways to tighten down access to an OpenLDAP server, you might consider using some ACLs like the following, which require authenticated binds and SSL/TLS connections (i.e., no plain text):
# root DSE and schema stay world-readable so clients can discover the server
access to dn.exact=""
        by * read

access to dn.subtree="cn=Subschema"
        by * read

# password attributes: anonymous may only use them to authenticate ("auth"),
# nobody else gets to read them
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
        by self write
        by group="cn=admins,ou=group,dc=openldap,dc=example,dc=com" write
        by group="cn=replicator accounts,ou=group,dc=openldap,dc=example,dc=com" read
        by anonymous auth
        by * none

# user entries are readable only after a successful (non-anonymous) bind
access to dn.subtree="ou=people,dc=openldap,dc=example,dc=com"
        by group="cn=admins,ou=group,dc=openldap,dc=example,dc=com" write
        by group="cn=replicator accounts,ou=group,dc=openldap,dc=example,dc=com" read
        by users read

access to dn.subtree="ou=idmap,dc=openldap,dc=example,dc=com"
        by group="cn=admins,ou=group,dc=openldap,dc=example,dc=com" write
        by group="cn=idmap admins,ou=group,dc=openldap,dc=example,dc=com" write
        by group="cn=replicator accounts,ou=group,dc=openldap,dc=example,dc=com" read
        by * auth

# default for everything else
access to *
        by group="cn=admins,ou=group,dc=openldap,dc=example,dc=com" write
        by group="cn=replicator accounts,ou=group,dc=openldap,dc=example,dc=com" read
        by group="cn=vmail-admins,ou=group,dc=openldap,dc=example,dc=com" read
        by self read
        by anonymous auth

# refuse any operation on a session weaker than 128-bit (i.e. require TLS)
security ssf=128

-- 
Josh Miller, RHCE/VCP
Seattle, WA
Linux Solutions Provider
http://itsecureadmin.com/
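The check the original poster describes (an anonymous "null" simple bind followed by an (objectClass=*) search), as an added example that is not part of Josh's reply or of the original post. It hand-rolls the LDAPv3 BER encoding so it runs without python-ldap, and decodes the server's BindResponse resultCode (0 = success means the null bind was accepted; 53 unwillingToPerform or 48 inappropriateAuthentication means it was refused). The host name and base DN in the usage comment are hypothetical, and the sample responses in the usage note are constructed, not captured from a real server.

```python
"""Minimal LDAPv3 null-bind probe (added example, not from the mailing list).
Encodes BindRequest/SearchRequest by hand, decodes the responses, and reports
whether an anonymous bind was accepted and how many entries it could read."""
import socket
import sys

SUCCESS = 0                         # resultCode values, RFC 4511 section 4.1.9
INAPPROPRIATE_AUTHENTICATION = 48
UNWILLING_TO_PERFORM = 53


def ber_length(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_length(len(content)) + content


def ber_int(tag, value):
    """Non-negative INTEGER / ENUMERATED in minimal two's-complement form."""
    return tlv(tag, value.to_bytes(value.bit_length() // 8 + 1, "big", signed=True))


def anonymous_bind_request(message_id=1):
    """LDAPMessage { messageID, BindRequest { version 3, name "", simple "" } }."""
    bind = ber_int(0x02, 3) + tlv(0x04, b"") + tlv(0x80, b"")      # 0x80 = [0] simple
    return tlv(0x30, ber_int(0x02, message_id) + tlv(0x60, bind))  # 0x60 = [APPLICATION 0]


def search_request(base_dn, attrs=(), message_id=2):
    """SearchRequest over base_dn with the poster's filter (objectClass=*)."""
    present_filter = tlv(0x87, b"objectClass")                      # [7] present
    attr_list = tlv(0x30, b"".join(tlv(0x04, a.encode()) for a in attrs))
    body = (tlv(0x04, base_dn.encode())
            + ber_int(0x0A, 2)         # scope: wholeSubtree
            + ber_int(0x0A, 0)         # derefAliases: never
            + ber_int(0x02, 0)         # sizeLimit: none
            + ber_int(0x02, 0)         # timeLimit: none
            + tlv(0x01, b"\x00")       # typesOnly: FALSE
            + present_filter + attr_list)
    return tlv(0x30, ber_int(0x02, message_id) + tlv(0x63, body))  # 0x63 = [APPLICATION 3]


def parse_tlv(buf, pos=0):
    """Decode one element at buf[pos]; returns (tag, content, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, bytes(buf[pos:pos + length]), pos + length


def parse_sequence(content):
    items, pos = [], 0
    while pos < len(content):
        tag, value, pos = parse_tlv(content, pos)
        items.append((tag, value))
    return items


def parse_response(message):
    """Decode an LDAPMessage; BindResponse (0x61) and SearchResultDone (0x65)
    carry a resultCode, SearchResultEntry (0x64) is just counted by callers."""
    tag, content, _ = parse_tlv(message)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    (_, msg_id), (op_tag, op) = parse_sequence(content)[:2]
    info = {"message_id": int.from_bytes(msg_id, "big", signed=True), "op": op_tag}
    if op_tag in (0x61, 0x65):
        fields = parse_sequence(op)
        info["result_code"] = int.from_bytes(fields[0][1], "big", signed=True)
        info["diagnostic"] = fields[2][1].decode("utf-8", "replace")
    return info


def null_bind_accepted(bind_response):
    """True when the server let the anonymous simple bind through."""
    return parse_response(bind_response)["result_code"] == SUCCESS


def frame_length(buf):
    """Total octets of the LDAPMessage at buf[0], or None if the header is incomplete."""
    if len(buf) < 2:
        return None
    length, header = buf[1], 2
    if length & 0x80:
        n = length & 0x7F
        if len(buf) < 2 + n:
            return None
        length, header = int.from_bytes(buf[2:2 + n], "big"), 2 + n
    return header + length


def recv_message(sock, buf):
    """Take one complete LDAPMessage out of the bytearray buf, reading as needed."""
    while frame_length(buf) is None or len(buf) < frame_length(buf):
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("server closed the connection mid-message")
        buf += chunk
    end = frame_length(buf)
    msg = bytes(buf[:end])
    del buf[:end]
    return msg


def probe(host, base_dn, port=389):
    """Anonymous bind, then (objectClass=*) under base_dn; returns (bind, entries)."""
    buf = bytearray()
    with socket.create_connection((host, port), timeout=10) as sock:
        sock.sendall(anonymous_bind_request())
        bind = parse_response(recv_message(sock, buf))
        if bind["result_code"] != SUCCESS:
            return bind, 0
        sock.sendall(search_request(base_dn))
        entries = 0
        while True:                      # count entries until SearchResultDone
            msg = parse_response(recv_message(sock, buf))
            if msg["op"] == 0x64:
                entries += 1
            elif msg["op"] == 0x65:
                return bind, entries


if __name__ == "__main__":
    # hypothetical target: python nullbind.py ldap.example.com "dc=example,dc=com"
    bind, entries = probe(sys.argv[1], sys.argv[2])
    print("bind resultCode %d %r; %d entries readable anonymously"
          % (bind["result_code"], bind["diagnostic"], entries))
```

The encoded anonymous bind is the well-known 14-byte sequence 300c020101600702010304008000. Against a server running the ACLs above, the bind itself still succeeds (OpenLDAP accepts anonymous binds by default; `disallow bind_anon` in slapd.conf refuses them with resultCode 53), but the search returns no entries under ou=people because `by users read` excludes anonymous and the password attributes end in `by * none`.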
Current thread:
- Null Bind in LDAP configured on CentOS skynetonsecurity (Aug 28)
- Re: Null Bind in LDAP configured on CentOS Josh Miller (Aug 28)