Re: Null Bind in LDAP configured on CentOS
skynetonsecurity@xxxxxxxxx wrote:
I am looking for a solution for disabling null bind for LDAP installed on CentOS.

Is there any way to disable it? While doing a vulnerability assessment for one of the customers I could fetch out all the user names with the NT & LM hashes from the Domain Controller (using the filter (objectClass=*)).

Are you looking for a way to disable the ldap utility on the Linux host because it's able to perform an anonymous bind against a Windows AD server?

You'd be better off disabling anonymous binds on the AD server, which would solve the real security issue.

If you're looking at ways to tighten down access to an OpenLDAP server, you might consider using some ACLs like the following, which require authenticated binds and SSL/TLS connections (i.e., no plain text):

# slapd.conf: "by" lines are continuations of the "access to" directive and
# must start with whitespace, otherwise slapd rejects the file.
access to dn.exact=""
        by * read

access to dn.subtree="cn=Subschema"
        by * read

# Password and Samba hash attributes: only self, admins and replicators see
# them; anonymous may only use them to bind (auth), everyone else gets none.
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
        by self write
        by group="cn=admins,ou=group,dc=openldap,dc=example,dc=com" write
        by group="cn=replicator accounts,ou=group,dc=openldap,dc=example,dc=com" read
        by anonymous auth
        by * none

# No "by anonymous" clause here, so an anonymous bind cannot enumerate users.
access to dn.subtree="ou=people,dc=openldap,dc=example,dc=com"
        by group="cn=admins,ou=group,dc=openldap,dc=example,dc=com" write
        by group="cn=replicator accounts,ou=group,dc=openldap,dc=example,dc=com" read
        by users read

access to dn.subtree="ou=idmap,dc=openldap,dc=example,dc=com"
        by group="cn=admins,ou=group,dc=openldap,dc=example,dc=com" write
        by group="cn=idmap admins,ou=group,dc=openldap,dc=example,dc=com" write
        by group="cn=replicator accounts,ou=group,dc=openldap,dc=example,dc=com" read
        by * auth

access to *
        by group="cn=admins,ou=group,dc=openldap,dc=example,dc=com" write
        by group="cn=replicator accounts,ou=group,dc=openldap,dc=example,dc=com" read
        by group="cn=vmail-admins,ou=group,dc=openldap,dc=example,dc=com" read
        by self read
        by anonymous auth

# Require a security strength factor of 128 (TLS/SSL) on every operation.
security ssf=128


--
Josh Miller, RHCE/VCP
Seattle, WA
Linux Solutions Provider
http://itsecureadmin.com/
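An added example, not part of Josh's post: a small Python model of slapd's first-match ACL evaluation loaded with the ACL set above, so you can check what a null (anonymous) bind or an ordinary authenticated bind can reach before deploying the config. The uid=alice/uid=bob entries and the group memberships are constructed stand-ins for real directory data, and the security ssf=128 requirement is not modelled.

```python
# Added example (not from the original post): a model of slapd.conf ACL
# evaluation (first matching "access to", then first matching "by" decides),
# loaded with the ACL set quoted above. Entries and group membership are
# constructed stand-ins for directory data; "security ssf=128" is not modelled.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]  # slapd privilege order
BASE = "dc=openldap,dc=example,dc=com"
GRP = lambda cn: f"group:cn={cn},ou=group,{BASE}"  # the 'by group=...' who-clauses
ACLS = [  # (target, [(who, level), ...]) in slapd.conf order
    ({"dn_exact": ""}, [("*", "read")]),
    ({"dn_subtree": "cn=Subschema"}, [("*", "read")]),
    ({"attrs": {"userPassword", "sambaLMPassword", "sambaNTPassword"}},
     [("self", "write"), (GRP("admins"), "write"), (GRP("replicator accounts"), "read"),
      ("anonymous", "auth"), ("*", "none")]),
    ({"dn_subtree": f"ou=people,{BASE}"},
     [(GRP("admins"), "write"), (GRP("replicator accounts"), "read"), ("users", "read")]),
    ({"dn_subtree": f"ou=idmap,{BASE}"},
     [(GRP("admins"), "write"), (GRP("idmap admins"), "write"),
      (GRP("replicator accounts"), "read"), ("*", "auth")]),
    ({}, [(GRP("admins"), "write"), (GRP("replicator accounts"), "read"),
          (GRP("vmail-admins"), "read"), ("self", "read"), ("anonymous", "auth")]),
]

def target_matches(target, entry_dn, attr):
    """dn.exact / dn.subtree / attrs selectors; an empty target is 'access to *'."""
    if "dn_exact" in target and entry_dn != target["dn_exact"]:
        return False
    sub = target.get("dn_subtree")
    if sub is not None and entry_dn != sub and not entry_dn.endswith("," + sub):
        return False
    return "attrs" not in target or attr in target["attrs"]

def who_matches(who, bind_dn, groups, entry_dn):  # bind_dn None = anonymous bind
    if who == "*":
        return True
    if who in ("anonymous", "users"):
        return (bind_dn is None) == (who == "anonymous")
    if who == "self":
        return bind_dn is not None and bind_dn == entry_dn
    return who in groups  # group=... clauses

def granted_level(bind_dn, groups, entry_dn, attr):
    """No matching 'by' clause (or no matching directive) means no access."""
    for target, clauses in ACLS:
        if target_matches(target, entry_dn, attr):
            return next((lvl for who, lvl in clauses
                         if who_matches(who, bind_dn, groups, entry_dn)), "none")
    return "none"

def allowed(op, bind_dn, groups, entry_dn, attr):
    """True if the bind gets at least privilege `op` on (entry_dn, attr)."""
    return LEVELS.index(granted_level(bind_dn, groups, entry_dn, attr)) >= LEVELS.index(op)
```

With these rules an anonymous bind gets only `auth` on the hash attributes and nothing at all under ou=people, which is exactly the enumeration the original question describes being closed off.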
