CA LDAP for Top Secret - Preventing null base requests
Article ID: 54004
Products: ACF2, ACF2 - DB2 Option, ACF2 for zVM, ACF2 - z/OS, ACF2 - MISC, 24X7 High-Availability Manager for DB2 for z/OS, Batch Processor, Compile QQF, Data Compressor for DB2 for z/OS, CA Unicenter NSM, RC/Update for DB2 for z/OS, DB2 TOOLS - DATABASE MISC, Top Secret, Top Secret - LDAP
Issue/Introduction
We have a security vulnerability finding that the LDAP server currently allows null base requests, which could allow more data to be retrieved than should be. How can we constrain or prevent null base requests?
Environment
Release: Component: TSSLDP
Resolution
If the null DN is on a bind operation, the server can be configured in slapd.conf to reject anonymous binds. The directive for this is disallow bind_anon.
If the null DN is the base DN on a search operation, this is valid LDAP syntax and the LDAP server accepts it. You can instead configure the server to route any search request that arrives with a null base DN to a specific backend by setting defaultSearchBase in the config file, for example:

defaultSearchBase host=xxx,o=xx,c=xx

The backend selected by that suffix (ACF2 or TSS) will then reject the request and return an invalid DN error.

Note that some applications send search requests with a NULL base DN in order to query the server for its schema. With defaultSearchBase set, those requests will fail.
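The following is an added example, not code from this article or from CA/Broadcom: a small audit script that parses a slapd.conf and reports whether the two settings discussed above (disallow bind_anon and defaultSearchBase) are present, so the configuration can be checked before and after the change. Both configuration fragments are constructed samples; the schema include path, the backend name "tss" and the suffix are assumptions used for illustration, not values from a real system. The parser follows the usual slapd.conf conventions (comment lines start with #, a line beginning with whitespace continues the previous directive, arguments may be double-quoted).

```python
"""Audit a slapd.conf for anonymous-bind and null-base-search handling."""
import re

# Constructed sample (not from a real system): the weak configuration.
# Anonymous binds are allowed and no defaultSearchBase is set, so a search
# with a NULL base DN is processed exactly as sent.
WEAK_CONF = """\
# slapd.conf - constructed sample
include   /etc/ldap/schema/core.schema
# backend name "tss" and the suffix are assumptions for illustration
database  tss
suffix    "host=xxx,o=xx,c=xx"
"""

# Constructed sample: the hardened configuration described in the article.
# defaultSearchBase is split over a continuation line on purpose, to show
# that the parser handles that slapd.conf convention.
HARDENED_CONF = """\
# slapd.conf - constructed sample
include   /etc/ldap/schema/core.schema
disallow  bind_anon
defaultSearchBase
          "host=xxx,o=xx,c=xx"
database  tss
suffix    "host=xxx,o=xx,c=xx"
"""


def parse_slapd_conf(text):
    """Return a list of (directive, [args]) tuples from slapd.conf text.

    Directive names are lower-cased because slapd treats them
    case-insensitively; argument values are kept as written.
    """
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and logical:
            # leading whitespace = continuation of the previous directive
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    entries = []
    for line in logical:
        # each match is (quoted_value, bare_value); exactly one is non-empty
        tokens = re.findall(r'"([^"]*)"|(\S+)', line)
        words = [quoted or bare for quoted, bare in tokens]
        entries.append((words[0].lower(), words[1:]))
    return entries


def audit(text):
    """Report how the configuration handles null bind DNs and null base DNs."""
    entries = parse_slapd_conf(text)
    anon_bind_disallowed = any(
        directive == "disallow" and "bind_anon" in args
        for directive, args in entries
    )
    base = next(
        (args[0] for directive, args in entries
         if directive == "defaultsearchbase" and args),
        None,
    )
    findings = []
    if not anon_bind_disallowed:
        findings.append("anonymous binds allowed: add 'disallow bind_anon'")
    if base is None:
        findings.append("no defaultSearchBase: a NULL base DN is searched as sent")
    else:
        findings.append(
            f"NULL-base searches are routed to '{base}'; clients that read "
            "the schema with an empty base DN will now fail"
        )
    return {
        "anon_bind_disallowed": anon_bind_disallowed,
        "default_search_base": base,
        "findings": findings,
    }


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name)
        for finding in audit(conf)["findings"]:
            print("  -", finding)
```

Running the script prints two findings for the weak sample and one informational finding for the hardened sample; the last finding is the caveat from the article, so that whoever applies the change is reminded to check clients that query the schema with an empty base DN. To audit a real file, pass the contents of your slapd.conf to audit() instead of the constructed strings.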