skynetonsecurity (at) gmail (dot) com wrote:
> I am looking for a solution for disabling null bind for LDAP installed on CentOS.
>
> Is there any way to disable it? Because while doing a vulnerability assessment for
> one of the customers I could fetch all the user names with the NT & LM hashes
> from the Domain Controller (using the (objectClass=*) filter).
Are you looking for a way to disable the ldap utility on the Linux host
because it's able to perform an anonymous bind against a Windows AD server?
You'd be better off disabling anonymous binds on the AD server which
would solve the real security issue.
If you're looking at ways to tighten down access to an OpenLDAP server,
you might consider using some ACLs like the following, which require
authenticated binds and SSL/TLS connections (i.e., no plain text):
access to dn.exact=""
  by * read
access to dn.subtree="cn=Subschema"
  by * read
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
  by self write
  by group="cn=admins,ou=group,dc=openldap,dc=example,dc=com" write
  by group="cn=replicator accounts,ou=group,dc=openldap,dc=example,dc=com" read
  by anonymous auth
  by * none
access to dn.subtree="ou=people,dc=openldap,dc=example,dc=com"
  by group="cn=admins,ou=group,dc=openldap,dc=example,dc=com" write
  by group="cn=replicator accounts,ou=group,dc=openldap,dc=example,dc=com" read
  by users read
access to dn.subtree="ou=idmap,dc=openldap,dc=example,dc=com"
  by group="cn=admins,ou=group,dc=openldap,dc=example,dc=com" write
  by group="cn=idmap admins,ou=group,dc=openldap,dc=example,dc=com" write
  by group="cn=replicator accounts,ou=group,dc=openldap,dc=example,dc=com" read
  by * auth
access to *
  by group="cn=admins,ou=group,dc=openldap,dc=example,dc=com" write
  by group="cn=replicator accounts,ou=group,dc=openldap,dc=example,dc=com" read
  by group="cn=vmail-admins,ou=group,dc=openldap,dc=example,dc=com" read
  by self read
  by anonymous auth
security ssf=128
--
Josh Miller, RHCE/VCP
Seattle, WA
Linux Solutions Provider
http://itsecureadmin.com/
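To see why the ACL in the reply above stops a null bind from dumping password hashes, here is an added toy evaluator (example code written for this thread, not Josh's and not part of OpenLDAP) that applies slapd's evaluation order to that ACL: the first matching "access to" directive decides, within it the first matching "by" clause wins, and when no clause matches the implicit "by * none" applies. The ACL text is the one from the reply with the wrapped group names rejoined; the group memberships, the user DNs (alice, bob, replica) and the function names are invented for the demonstration. It models only the subject and target types the reply uses (*, anonymous, users, self, group=, dn.exact=, dn.subtree=, attrs=) and does not model the `security ssf=128` TLS requirement, `break`/`continue`, or the other slapd subject forms.

```python
# slapd privilege levels, weakest to strongest; a clause granting one level also
# grants every level to its left (e.g. "read" implies "search", "compare", "auth").
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# The ACL from the reply above, with the line-wrapped group names rejoined.
ACL = """
access to dn.exact=""
  by * read
access to dn.subtree="cn=Subschema"
  by * read
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
  by self write
  by group="cn=admins,ou=group,dc=openldap,dc=example,dc=com" write
  by group="cn=replicator accounts,ou=group,dc=openldap,dc=example,dc=com" read
  by anonymous auth
  by * none
access to dn.subtree="ou=people,dc=openldap,dc=example,dc=com"
  by group="cn=admins,ou=group,dc=openldap,dc=example,dc=com" write
  by group="cn=replicator accounts,ou=group,dc=openldap,dc=example,dc=com" read
  by users read
access to dn.subtree="ou=idmap,dc=openldap,dc=example,dc=com"
  by group="cn=admins,ou=group,dc=openldap,dc=example,dc=com" write
  by group="cn=idmap admins,ou=group,dc=openldap,dc=example,dc=com" write
  by group="cn=replicator accounts,ou=group,dc=openldap,dc=example,dc=com" read
  by * auth
access to *
  by group="cn=admins,ou=group,dc=openldap,dc=example,dc=com" write
  by group="cn=replicator accounts,ou=group,dc=openldap,dc=example,dc=com" read
  by group="cn=vmail-admins,ou=group,dc=openldap,dc=example,dc=com" read
  by self read
  by anonymous auth
security ssf=128
"""

BASE = "dc=openldap,dc=example,dc=com"
# Constructed group memberships (group DN -> member DNs); not from the original post.
GROUPS = {
    f"cn=admins,ou=group,{BASE}": {f"uid=alice,ou=people,{BASE}"},
    f"cn=replicator accounts,ou=group,{BASE}": {f"cn=replica,ou=people,{BASE}"},
}

def parse_acl(text):
    """Return [(target, [(who, level), ...]), ...] in file order, the order slapd uses."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("access to "):
            rules.append((line[len("access to "):], []))
        elif line.startswith("by "):
            who, level = line[3:].rsplit(" ", 1)   # <who> may contain spaces
            rules[-1][1].append((who, level))
        # anything else ("security ssf=128", blank lines) is not an ACL clause
    return rules

def _unquote(spec, prefix):
    return spec[len(prefix) + 1:-1].lower()   # 'prefix="value"' -> 'value', lower-cased

def target_matches(what, entry_dn, attr):
    dn = entry_dn.lower()
    if what == "*":
        return True
    if what.startswith("dn.exact="):
        return dn == _unquote(what, "dn.exact=")
    if what.startswith("dn.subtree="):
        base = _unquote(what, "dn.subtree=")
        return dn == base or dn.endswith("," + base)
    if what.startswith("attrs="):
        return attr is not None and attr.lower() in what[len("attrs="):].lower().split(",")
    raise ValueError(f"unsupported target: {what}")

def who_matches(who, bind_dn, entry_dn, groups):
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    if who == "self":
        return bind_dn is not None and bind_dn.lower() == entry_dn.lower()
    if who.startswith("group="):
        wanted = _unquote(who, "group=")
        members = {m.lower() for g, ms in groups.items() if g.lower() == wanted for m in ms}
        return bind_dn is not None and bind_dn.lower() in members
    raise ValueError(f"unsupported subject: {who}")

def granted_level(bind_dn, entry_dn, attr=None, acl=ACL, groups=GROUPS):
    """Level slapd grants: first matching directive, first matching 'by' clause in it,
    otherwise the implicit 'by * none'.  bind_dn=None models an anonymous (null) bind."""
    for what, clauses in parse_acl(acl):
        if target_matches(what, entry_dn, attr):
            for who, level in clauses:
                if who_matches(who, bind_dn, entry_dn, groups):
                    return level
            return "none"
    return "none"

def allowed(bind_dn, entry_dn, attr, wanted, **kw):
    return LEVELS.index(granted_level(bind_dn, entry_dn, attr, **kw)) >= LEVELS.index(wanted)
```

Running `granted_level(None, "uid=bob,ou=people,dc=openldap,dc=example,dc=com", "sambaNTPassword")` returns `"auth"`: an anonymous client may present credentials against the hash (which is what a simple bind needs) but cannot read or search it, and `granted_level(None, same_dn, "cn")` returns `"none"`, so an unauthenticated `(objectClass=*)` search over `ou=people` sees nothing. The attrs rule is listed before the subtree rules on purpose; if it came after `access to dn.subtree="ou=people,..."`, the `by users read` clause there would win first and any authenticated user could read every hash.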