CA LDAP for Top Secret - Prevent allows null base requests.
Article ID: 54004
Updated On:
Products
ACF2
ACF2 - DB2 Option
ACF2 for zVM
ACF2 - z/OS
ACF2 - MISC
24X7 High-Availability Manager for DB2 for z/OS
Batch Processor
Compile QQF
Data Compressor for DB2 for z/OS
CA Unicenter NSM
RC/Update for DB2 for z/OS
DB2 TOOLS- DATABASE MISC
Top Secret
Top Secret - LDAP
Issue/Introduction
We have a security vulnerability finding in which the LDAP server currently allows null base requests; thus possibly allowing more data to be
retrieved than should be. How can we constrain or prevent null base requests?
Environment
Release:
Component: TSSLDP
Component: TSSLDP
Resolution
- If it is the DN on a bind operation, then the server can be set up via the slapd.conf to not allow anonymous binds.
The option for this would be disallow bind_anon. - If it is the base DN on a search operation, this is valid LDAP syntax and accepted by the LDAP server. You can set up the
configuration to route any search request that comes in to a specific backend.
You would set in the config file defaultSearchBase host=xxx,o=xx,c=xx (for example).
The backend given by the suffix if ACF2 or TSS will reject the request and not allow it (invalid DN would be returned).
There are some applications that send in search requests with a NULL DN in order to query LDAP for the schema.
So by setting defaultSearchBase, those requests would then fail.
Feedback
Yes
No
Powered by
