LDAP server dumps its schema,

Hi All,

An attacker could access the LDAP schema to gain information about the LDAP server.

The LDAP server dumps its schema, which can show all necessary attributes needed for an object, including hidden or non-readable attributes. An attacker could use this information to access directory listings


Administrators are recommended to disable the cn=schema entry in the LDAP configuration file or allow only authorized users to view LDAP logs.

Please tell me the step by step that which line in which file need to be modified to resolve the above vulnerability on server

Thanks
apunkabollywoodAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

jwillekeCommented:
My two cents:
I can not see this as a vulnerability.

If you have not prevented proper access to the entries, you are in trouble regardless of the schema.

Many applications fetch the schema anonymously for proper operation.

This is no different than data base management systems allow reading the table structure, anonymously for proper operation.

You do not mention which LDAP Vendor you are using and applying Access Controls, to block access to the subschemaSubentry is vendor dependent.

-jim
0
woolmilkporcCommented:
Hi again,
do you run LDAP at all?
Check with
telnet hostname 389
or
telnet hostname 636
(if SSL is being used).
Should you only get the message "telnet: connect: A remote host refused an attempted connect operation" there is most probably no LDAP running.
Else, if you do have LDAP running, consult chapters 14 ("Access Control") and 15 ("Securing the directory") of this rather informative Redbook - http://www.redbooks.ibm.com/redbooks/pdfs/sg244986.pdf
(assuming that you use IBM TDS).
Basically, you will have to disallow anonymous access (page 404 of the above Redbook).  "cn=schema" is required by TDS (afaik), so its deletion is not allowed.
wmp
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
apunkabollywoodAuthor Commented:
Thanks
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Databases

From novice to tech pro — start learning today.