LDAP and Apache security issues detected by network scan on NetWare 6 servers

Posted on 2006-04-24
Last Modified: 2008-01-09
My network has been scanned and my NetWare 6.0 servers were found to have numerous issues regarding LDAP and Apache. I have searched and have not been able to find anything that works. Security alerts are as follows:

LDAP Nullbind
LDAP NullSubtree
LDAP Schema

Any help will be appreciated.
Question by: clpease

    Expert Comment

    Ah, network scans. Great way to make money for the consultants. Never mind you pay them for what you could easily do yourself.

    NetWare v6.0 loads an LDAP server by default. Kinda stupid, but everyone got into the habit of emulating Micro$oft and turning on most services in default installs.

    You certainly don't need more than one or two LDAP servers in any network, and if you don't use LDAP-enabled services, then you don't need the LDAP server component at all. You can disable it on each NetWare server by unloading NLDAP.NLM. You can make the change permanent by commenting out (or deleting) the "LOAD NLDAP.NLM" statement in AUTOEXEC.NCF.

    Similarly, the Apache webserver was a default component of NetWare v6.0. There may be two instances of Apache - a "user" instance for typical web pages, and an "admin" instance for iManager, Novell's web-based management interface for the eDirectory/NetWare environment. Look for lines like "ADMSRVUP" and "APWEBUP" in AUTOEXEC.NCF.

    Expert Comment

    Note that if you rem out ADMSRVUP (or NVXADMUP on NW6) then you won't have iManager access.

    If they explain the "TokenNotSet" alert, perhaps you can address that, without crippling your administration capabilities.

    Expert Comment

    Also note that Tomcat uses secure LDAP to authenticate, and Tomcat is what is used for iManager, so it may be unwise to simply unload/rem out NLDAP too. Maybe set up your LDAP group to only allow secure LDAP?

    Expert Comment

    Also, it'd be nice to know what SP level your NW6 servers are at, because there may be security vulnerabilities in the SP you're running under. There actually were a handful of security issues that have been addressed over the years, so applying the SP/patch may have closed one or more of the things found by the scan.

    Author Comment

    I was able to find a fix for the LDAP issues by going into ConsoleOne under the LDAP Server object properties and then Restrictions. Under the bind restrictions you can set it to disable anonymous etc.

    Still have the others as they relate to Apache and HTTP. And I have NetStorage, NDPS, FTP server, and iManager, so I can't stop the web server etc.

    I am running NetWare 6 SP5 and eDirectory.

    Expert Comment

    So what's left is the "HTTP TraceEnabled" and "ApacheServer TokenNotSet"?

    The TraceEnabled thing can be disabled using a Mod_rewrite method as per this CERT note:

    I'd think you'd add it to sys:/apache/http.conf

    The TokenNotSet thing is another directive, also set in the http.conf file, if I'm not mistaken. Here's a link with info on that.

    Accepted Solution

    Oops, miskey - that'd be httpd.conf, not http.conf... :P
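The two remaining Apache findings from the thread, "HTTP TraceEnabled" and "ApacheServer TokenNotSet", both map to settings in the httpd.conf the experts point at. The fragment below is an added example, not text from the thread or from Novell's shipped configuration; it assumes mod_rewrite is loaded in your NetWare Apache build, and the directive names are standard Apache 1.3/2.x directives:

```apache
# --- Weak (default) state that the scan flags ---
# ServerTokens defaults to Full, so each response advertises the exact
# Apache version and loaded modules in the Server: header ("TokenNotSet").
# TRACE is answered by default, which is what "TraceEnabled" refers to.

# --- Corrected settings ---
# Report only "Apache" in the Server: header.
ServerTokens Prod
# Do not append the server version to generated pages (error pages, indexes).
ServerSignature Off

# Refuse the TRACE method with mod_rewrite, the method the CERT note
# describes for builds that have no dedicated directive.
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]

# On Apache 1.3.34 / 2.0.55 and later (assumption: check the version your
# NetWare SP ships), the dedicated directive achieves the same thing:
# TraceEnable Off
```

After restarting Apache, confirm from a client that a TRACE request now returns 403 and that the Server: header shows only "Apache"; if the admin instance (ADMSRVUP / NVXADMUP) has its own httpd.conf, apply the same settings there.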
