We have a security vulnerability finding in which the LDAP server currently allows null base requests; thus possibly allowing more data to be
retrieved than should be. How can we constrain or prevent null base requests?
- If it is the DN on a bind operation, then the server can be set up via the slapd.conf to not allow anonymous binds.
The option for this would be disallow bind_anon.
- If it is the base DN on a search operation, this is valid LDAP syntax and accepted by the LDAP server. You can set up the
configuration to route any search request that comes in to a specific backend.
You would set in the config file defaultSearchBase host=xxx,o=xx,c=xx (for example).
The backend given by the suffix if ACF2 or TSS will reject the request and not allow it (invalid DN would be returned).
There are some applications that send in search requests with a NULL DN in order to query LDAP for the schema.
So by setting defaultSearchBase, those requests would then fail.