Nessus scan report: LDAP server allows NULL bind and NULL base

  • 7000737
  • 23-Jun-2008
  • 26-Apr-2012

Environment


Novell eDirectory 8.8 for All Platforms
Novell eDirectory 8.7.3 for All Platforms

Situation

Nessus Scan Results

The following vulnerabilities were reported by a Nessus scan:

  • LDAP servers that are not properly configured allow users to connect to the server and query for information

    Explanation: Null Bind is enabled on the eDirectory LDAP server by default, but it can be disabled on the server.

  • LDAP servers that are not properly configured set the directory base as null

    Explanation: Information can be retrieved even without prior knowledge of the directory structure. With Null Bind enabled, an anonymous user can query the LDAP server using tools such as 'LdapMiner'.

Resolution

Solution: Disable Null Bind on the server. To do this:

  • Open the properties of the LDAP Server object in iManager
  • Choose the Connections tab
  • Under the Restrictions section, set Bind Restrictions to Disallow Anonymous Simple Bind

Solution: Although there is no way to disable the null directory base, a security threat like this can be minimized by disabling Null Bind.
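To confirm that the Bind Restrictions change took effect, an administrator needs the same two checks Nessus performs: an anonymous (null) simple bind, and a search against the empty base (the rootDSE). The following is an added example, not part of the original TID and not eDirectory or Nessus code. It hand-encodes the two LDAP requests in BER (RFC 4511), decodes the result code of the server's reply, and reports whether the null bind is still accepted; the hostname, the assumption that the server listens on the standard port 389, and the attribute names requested are all the example's own choices.

```python
import socket

# Standard LDAP result codes (RFC 4511) relevant to this check.
LDAP_SUCCESS = 0
LDAP_INAPPROPRIATE_AUTH = 48   # a typical refusal of an anonymous simple bind
LDAP_INVALID_CREDENTIALS = 49
LDAP_UNWILLING_TO_PERFORM = 53

def ber_len(n):
    """BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(content)) + content

def small_int(tag, value):
    """INTEGER/ENUMERATED for 0..127 (enough for ids, version, scope, limits)."""
    if not 0 <= value < 0x80:
        raise ValueError("value out of single-byte range")
    return tlv(tag, bytes([value]))

def anonymous_bind_request(msg_id=1):
    """LDAPMessage { msg_id, BindRequest { version 3, name "", simple "" } }."""
    bind = small_int(0x02, 3) + tlv(0x04, b"") + tlv(0x80, b"")
    return tlv(0x30, small_int(0x02, msg_id) + tlv(0x60, bind))

def null_base_search_request(msg_id=2):
    """SearchRequest with an empty baseObject (a rootDSE read): scope baseObject,
    derefAliases never, no limits, typesOnly FALSE, filter (objectClass=*)."""
    present_filter = tlv(0x87, b"objectClass")            # [7] present filter
    attrs = tlv(0x30, tlv(0x04, b"namingContexts") + tlv(0x04, b"subschemaSubentry"))
    search = (tlv(0x04, b"") + small_int(0x0A, 0) + small_int(0x0A, 0)
              + small_int(0x02, 0) + small_int(0x02, 0) + tlv(0x01, b"\x00")
              + present_filter + attrs)
    return tlv(0x30, small_int(0x02, msg_id) + tlv(0x63, search))

def read_tlv(buf, pos=0):
    """Decode the BER element at pos -> (tag, content, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                     # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

def protocol_op(msg):
    """(messageID, protocolOp tag, protocolOp content) of one LDAPMessage."""
    tag, body, _ = read_tlv(msg)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = read_tlv(body)
    op_tag, op, _ = read_tlv(body, pos)
    return int.from_bytes(mid, "big"), op_tag, op

def parse_ldap_result(msg):
    """(messageID, protocolOp tag, resultCode) for a message carrying an LDAPResult,
    e.g. BindResponse (0x61) or SearchResultDone (0x65)."""
    mid, op_tag, op = protocol_op(msg)
    code_tag, code, _ = read_tlv(op)
    if code_tag != 0x0A:
        raise ValueError("protocolOp carries no resultCode")
    return mid, op_tag, int.from_bytes(code, "big")

def verdict(bind_code):
    """Human-readable verdict for the Null Bind finding."""
    if bind_code == LDAP_SUCCESS:
        return "FINDING PRESENT: anonymous simple bind accepted"
    return "ok: anonymous simple bind refused (resultCode %d)" % bind_code

def recv_exact(sock, n):
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise ConnectionError("connection closed by server")
        data += chunk
    return data

def recv_message(sock):
    """Read exactly one BER-framed LDAPMessage from the socket."""
    head = recv_exact(sock, 2)
    length = head[1]
    if length & 0x80:
        n = length & 0x7F
        head += recv_exact(sock, n)
        length = int.from_bytes(head[2:], "big")
    return head + recv_exact(sock, length)

def check_server(host, port=389, timeout=5):
    """Live check after the fix: bind verdict plus, only if the bind was
    accepted, the number of entries a null-base search returns."""
    report = {"bind": None, "null_base_entries": None}
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(anonymous_bind_request())
        _, _, code = parse_ldap_result(recv_message(s))
        report["bind"] = verdict(code)
        if code == LDAP_SUCCESS:
            s.sendall(null_base_search_request())
            entries = 0
            while True:
                _, op_tag, _ = protocol_op(recv_message(s))
                if op_tag == 0x64:        # SearchResultEntry
                    entries += 1
                elif op_tag == 0x65:      # SearchResultDone
                    break
            report["null_base_entries"] = entries
    return report

if __name__ == "__main__":
    print(check_server("ldap.example.test"))   # placeholder hostname
```

Run it against the eDirectory server before and after setting Disallow Anonymous Simple Bind: before, the bind returns resultCode 0 and the null-base search returns the rootDSE entry; after, the bind is refused (a non-zero resultCode) and no search is attempted. The rootDSE remains readable by authenticated users, which is why the TID treats the null base as something to mitigate rather than disable.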