Security Basics mailing list archives

Re: Null Bind in LDAP configured on CentOS


From: Josh Miller <joshua () itsecureadmin com>
Date: Thu, 28 Aug 2008 14:24:57 -0700

skynetonsecurity () gmail com wrote:
> I am looking for a solution on disabling null bind for LDAP installed on CentOS.
>
> Is there any way to disable it? While doing a vulnerability assessment for one of the customers I could fetch all the user names with the NT & LM hashes from the Domain Controller (using the filter (objectClass=*)).

Are you looking for a way to disable the ldap utility on the Linux host because it's able to perform an anonymous bind against a Windows AD server?

You'd be better off disabling anonymous binds on the AD server which would solve the real security issue.

If you're looking at ways to tighten down access to an OpenLDAP server, you might consider using some ACLs like the following, which require authenticated binds and SSL/TLS connections (i.e., no plain text):

access to dn.exact=""
        by * read

access to dn.subtree="cn=Subschema"
        by * read

access to attrs=userPassword,sambaLMPassword,sambaNTPassword
        by self write
        by group="cn=admins,ou=group,dc=openldap,dc=example,dc=com" write
        by group="cn=replicator accounts,ou=group,dc=openldap,dc=example,dc=com" read
        by anonymous auth
        by * none

access to dn.subtree="ou=people,dc=openldap,dc=example,dc=com"
        by group="cn=admins,ou=group,dc=openldap,dc=example,dc=com" write
        by group="cn=replicator accounts,ou=group,dc=openldap,dc=example,dc=com" read
        by users read

access to dn.subtree="ou=idmap,dc=openldap,dc=example,dc=com"
        by group="cn=admins,ou=group,dc=openldap,dc=example,dc=com" write
        by group="cn=idmap admins,ou=group,dc=openldap,dc=example,dc=com" write
        by group="cn=replicator accounts,ou=group,dc=openldap,dc=example,dc=com" read
        by * auth

access to *
        by group="cn=admins,ou=group,dc=openldap,dc=example,dc=com" write
        by group="cn=replicator accounts,ou=group,dc=openldap,dc=example,dc=com" read
        by group="cn=vmail-admins,ou=group,dc=openldap,dc=example,dc=com" read
        by self read
        by anonymous auth

security ssf=128


--
Josh Miller, RHCE/VCP
Seattle, WA
Linux Solutions Provider
http://itsecureadmin.com/
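As an added example (not part of Josh's post), the following script audits a slapd.conf ACL fragment the way the post's rules are meant to work: it computes what an unauthenticated client would get from each `access to` rule, applying slapd's first-matching-`by`-clause-wins semantics, and flags any target other than the root DSE and schema where anonymous ends up with more than `auth`. The sample ACL text is constructed from the post's rules plus one deliberately loose `ou=legacy` rule; the `=rscx` privilege-letter syntax is not handled.

```python
import re

# Constructed sample: a trimmed copy of the ACLs from the post plus one
# deliberately loose rule (ou=legacy) so the audit has something to flag.
SAMPLE_ACL = '''
access to dn.exact=""
        by * read
access to dn.subtree="cn=Subschema"
        by * read
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
        by self write
        by anonymous auth
        by * none
access to dn.subtree="ou=people,dc=openldap,dc=example,dc=com"
        by users read
access to dn.subtree="ou=legacy,dc=openldap,dc=example,dc=com"
        by * read
'''

# slapd access levels, weakest to strongest (=rscx privilege forms not handled)
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
# The only targets an unauthenticated client should read: root DSE and schema
PUBLIC = {'dn.exact=""', 'dn.subtree="cn=Subschema"'}

def parse_acls(text):
    """Split a slapd.conf fragment into (what, [(who, level), ...]) tuples."""
    acls = []
    for chunk in re.split(r"(?m)^access to ", text):
        lines = [l.strip() for l in chunk.splitlines() if l.strip()]
        if lines:  # several 'by' clauses may share one line, so scan each line
            bys = [(m.group(1), m.group(2)) for line in lines[1:] for m in
                   re.finditer(r'by\s+((?:\S+="[^"]*")|\S+)\s+(\w+)', line)]
            acls.append((lines[0], bys))
    return acls

def anonymous_level(bys):
    """First matching clause wins, as in slapd; only 'anonymous' and '*' match
    an unauthenticated client, and no match at all means 'none'."""
    for who, level in bys:
        if who in ("anonymous", "*"):
            return level
    return "none"

def audit(text):
    """Return (what, level) for each non-public target where an anonymous
    client gets more than auth, i.e. can compare, search or read."""
    return [(what, anonymous_level(bys)) for what, bys in parse_acls(text)
            if what not in PUBLIC
            and LEVELS.index(anonymous_level(bys)) > LEVELS.index("auth")]
```

`audit(SAMPLE_ACL)` reports only the `ou=legacy` rule (anonymous gets `read`); the `userPassword` rule is clean because `by anonymous auth` is matched before `by * none`, and `by users read` never matches an anonymous client.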

