CA LDAP for Top Secret - Preventing null base requests.
Article ID: 54004
We have a security vulnerability finding reporting that the LDAP server currently allows null base requests, which could allow more data to be retrieved than intended. How can we constrain or prevent null base requests?
If the null DN is supplied on a bind operation, the server can be configured in slapd.conf to reject anonymous binds. The option for this is disallow bind_anon.
If the null DN is the base DN on a search operation, this is valid LDAP syntax and the LDAP server accepts it. You can configure the server to route any such search request to a specific backend by setting defaultSearchBase host=xxx,o=xx,c=xx (for example) in the config file. The backend selected by that suffix (ACF2 or TSS) rejects the request and returns an invalid DN error.
Note that some applications send search requests with a NULL base DN in order to query LDAP for the schema. With defaultSearchBase set, those requests will fail.
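As an added example (not CA/Broadcom code), the following script checks a slapd.conf for the two controls described above: that disallow bind_anon is present, and that defaultSearchBase is set and points at or beneath a configured suffix so a backend actually receives and rejects the empty-base search. The configuration samples and DN values in it are constructed placeholders.

```python
# Audit a slapd.conf for the two controls the article describes. Added example,
# not CA/Broadcom code: it reads the configuration text only and never contacts
# the LDAP server. The sample configurations below are constructed.
import re

def parse_slapd_conf(text):
    """(directive, value) pairs: '#' lines are comments, a line starting with
    whitespace continues the previous directive, values may be double-quoted."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and out:  # continuation line
            name, value = out[-1]
            out[-1] = (name, value + " " + raw.strip())
            continue
        parts = raw.strip().split(None, 1)
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        out.append((parts[0].lower(), value))
    return out

def normalise_dn(dn):
    """Lower-case and drop spaces around '=' and ',' so DNs compare reliably."""
    return re.sub(r"\s*([=,])\s*", r"\1", dn.strip()).lower()

def served_by_suffix(base_dn, suffixes):
    """True if base_dn equals, or lies beneath, a configured backend suffix."""
    b = normalise_dn(base_dn)
    return any(b == s or b.endswith("," + s) for s in map(normalise_dn, suffixes))

def audit_null_base(conf_text):
    """Dict of findings; empty means both controls from the article are present."""
    d = parse_slapd_conf(conf_text)
    findings = {}
    disallowed = {tok.lower() for n, v in d if n == "disallow" for tok in v.split()}
    if "bind_anon" not in disallowed:
        findings["anonymous_bind"] = "add 'disallow bind_anon'"
    bases = [v for n, v in d if n == "defaultsearchbase"]
    suffixes = [v for n, v in d if n == "suffix"]
    if not bases:
        findings["null_base_search"] = "set defaultSearchBase to a configured suffix"
    elif not served_by_suffix(bases[-1], suffixes):
        findings["null_base_search"] = "defaultSearchBase matches no suffix line"
    return findings

# Constructed samples; the DN components are placeholders, not a real site.
WEAK_CONF = 'suffix "host=MYHOST,o=MYCOMPANY,c=US"\n'
FIXED_CONF = ('disallow bind_anon\n'
              'defaultSearchBase "host=MYHOST,o=MYCOMPANY,c=US"\n'
              'suffix "host=MYHOST, o=MYCOMPANY, c=US"\n')
```

Running audit_null_base on the weak sample reports both findings; on the fixed sample it returns an empty dict.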