CA LDAP for Top Secret - Prevent allows null base requests.

Article ID: 54004

Products

ACF2 ACF2 - DB2 Option ACF2 for zVM ACF2 - z/OS ACF2 - MISC 24X7 High-Availability Manager for DB2 for z/OS Batch Processor Compile QQF Data Compressor for DB2 for z/OS CA Unicenter NSM RC/Update for DB2 for z/OS DB2 TOOLS- DATABASE MISC Top Secret Top Secret - LDAP

Issue/Introduction

Description:

We have a security vulnerability finding in which the LDAP server currently allows null base requests, thus possibly allowing more data to be retrieved than should be. How can we constrain or prevent null base requests?

Solution:

  1. If it is the DN on a bind operation, the server can be configured in slapd.conf to not allow anonymous binds.
     The option for this is: disallow bind_anon

  2. If it is the base DN on a search operation, a null base is valid LDAP syntax and is accepted by the LDAP server.
     You can configure the server to route any such search request to a specific backend by setting, for example:
     defaultSearchBase host=xxx,o=xx,c=xx
     in the config file. The backend given by that suffix (ACF2 or TSS) will then reject the request and not allow it
     (an invalid DN error is returned).
     Note that some applications send search requests with a NULL base DN in order to query LDAP for the schema;
     once defaultSearchBase is set, those requests will fail.
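An added example, not from this article or from the product: a small Python audit that parses a slapd.conf and reports whether the two directives described above (disallow bind_anon and defaultSearchBase) are present. The include path, backend name and suffix in the sample configs are constructed placeholders.

```python
"""Audit a slapd.conf for the two null-base mitigations above (added example)."""

# Constructed sample: still allows anonymous binds and null-base searches.
WEAK_CONF = """\
# global section
include   /etc/ldap/schema/core.schema
database  tss
suffix    "host=xxx,o=xx,c=xx"
"""

# Constructed sample: the same config with both directives added.
HARDENED_CONF = """\
include   /etc/ldap/schema/core.schema
disallow  bind_anon
defaultSearchBase host=xxx,o=xx,c=xx
database  tss
suffix    "host=xxx,o=xx,c=xx"
"""


def parse_slapd_conf(text):
    """Return (directive, args) pairs; directive names are lower-cased.

    Skips '#' comments and blank lines; a line that starts with whitespace
    is a slapd.conf continuation of the previous directive.
    """
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and entries:
            name, args = entries[-1]
            entries[-1] = (name, args + " " + raw.strip())
            continue
        parts = raw.split(None, 1)
        entries.append((parts[0].lower(), parts[1].strip() if len(parts) > 1 else ""))
    return entries


def audit_null_base(text):
    """List the mitigations that are missing from the config text."""
    entries = parse_slapd_conf(text)
    anon_blocked = any(n == "disallow" and "bind_anon" in a.lower().split()
                       for n, a in entries)
    bases = [a for n, a in entries if n == "defaultsearchbase" and a]
    findings = []
    if not anon_blocked:
        findings.append("anonymous binds allowed: add 'disallow bind_anon'")
    if not bases:
        findings.append("null-base searches unrouted: set 'defaultSearchBase <suffix>'")
    return findings
```

Run audit_null_base() over the server's real slapd.conf; an empty list means both directives are in place, and remember that schema queries sent with a NULL base DN will fail once defaultSearchBase is set.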

Environment

Release:
Component: TSSLDP