LDAP server dumps its schema

Posted on 2010-04-05
Medium Priority
Last Modified: 2013-12-24
Hi All,

An attacker could access the LDAP schema to gain information about the LDAP server.

The LDAP server dumps its schema, which can show all necessary attributes needed for an object, including hidden or non-readable attributes. An attacker could use this information to access directory listings.

Administrators are recommended to disable the cn=schema entry in the LDAP configuration file or allow only authorized users to view LDAP logs.

Please tell me step by step which line in which file needs to be modified to resolve the above vulnerability on the server.

Question by: apunkabollywood

Assisted Solution

jwilleke earned 300 total points
ID: 29889087
My two cents:
I cannot see this as a vulnerability.

If you have not prevented proper access to the entries, you are in trouble regardless of the schema.

Many applications fetch the schema anonymously for proper operation.

This is no different from database management systems allowing the table structure to be read anonymously for proper operation.

You do not mention which LDAP vendor you are using, and applying access controls to block access to the subschemaSubentry is vendor dependent.


Accepted Solution

woolmilkporc earned 1200 total points
ID: 29890808
Hi again,
do you run LDAP at all?
Check with
telnet hostname 389
telnet hostname 636
(if SSL is being used).
Should you only get the message "telnet: connect: A remote host refused an attempted connect operation" there is most probably no LDAP running.
Else, if you do have LDAP running, consult chapters 14 ("Access Control") and 15 ("Securing the directory") of this rather informative Redbook - http://www.redbooks.ibm.com/redbooks/pdfs/sg244986.pdf
(assuming that you use IBM TDS).
Basically, you will have to disallow anonymous access (page 404 of the above Redbook). "cn=schema" is required by TDS (afaik), so its deletion is not allowed.
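The two checks in the accepted answer, the port probe and a post-remediation test that an anonymous client can no longer read the schema location, as an added Python example that is not part of this thread and not IBM's or any other vendor's code. It assumes only the standard library and a hostname/port you supply; the LDAP messages are hand-encoded BER per RFC 4511, so the same check works against TDS or any other server. Run it against your own server after disabling anonymous access: the expected result is a non-zero bind result code (or no schema DN), while a bind result of 0 together with a schema DN means anonymous clients still see it.

```python
import socket

def ber_len(n):                        # BER definite length, short or long form
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body
def tlv(tag, value):                   # tag + length + contents
    return bytes([tag]) + ber_len(len(value)) + value
def ber_int(n):                        # INTEGER, values 0..127 only (enough here)
    return tlv(0x02, bytes([n]))
def ber_str(s):                        # OCTET STRING / LDAPString
    return tlv(0x04, s.encode())
def ldap_message(msg_id, protocol_op):
    return tlv(0x30, ber_int(msg_id) + protocol_op)

def build_anonymous_bind(msg_id=1):
    # BindRequest [APPLICATION 0]: version 3, empty name, simple [0] empty password
    return ldap_message(msg_id, tlv(0x60, ber_int(3) + ber_str("") + tlv(0x80, b"")))

def build_rootdse_search(msg_id=2, attr="subschemaSubentry"):
    # SearchRequest [APPLICATION 3]: base "", scope baseObject, filter (objectClass=*)
    op = (ber_str("") + tlv(0x0A, b"\x00") + tlv(0x0A, b"\x00")  # base, scope, deref
          + ber_int(0) + ber_int(0) + tlv(0x01, b"\x00")         # limits, typesOnly
          + tlv(0x87, b"objectClass")                            # present filter [7]
          + tlv(0x30, ber_str(attr)))                            # attributes wanted
    return ldap_message(msg_id, tlv(0x63, op))

def parse_tlv(buf, pos=0):
    """Return (tag, contents, position after this TLV)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:
        nbytes = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

def split_message(message):
    """LDAPMessage -> (messageID, protocolOp tag, protocolOp contents)."""
    _, body, _ = parse_tlv(message)
    _, mid, pos = parse_tlv(body)
    op_tag, op, _ = parse_tlv(body, pos)
    return int.from_bytes(mid, "big"), op_tag, op

def parse_ldap_result(op):
    """LDAPResult prefix of BindResponse (0x61) / SearchResultDone (0x65)."""
    _, code, pos = parse_tlv(op)           # resultCode
    _, _, pos = parse_tlv(op, pos)         # matchedDN (ignored)
    _, diag, _ = parse_tlv(op, pos)        # diagnosticMessage
    return int.from_bytes(code, "big"), diag.decode(errors="replace")

def parse_entry(op):
    """SearchResultEntry (0x64) contents -> {attribute type: [values]}."""
    _, _, pos = parse_tlv(op)              # objectName (ignored)
    _, attr_list, _ = parse_tlv(op, pos)   # PartialAttributeList
    attrs, p = {}, 0
    while p < len(attr_list):
        _, attr, p = parse_tlv(attr_list, p)
        _, atype, q = parse_tlv(attr)
        _, vals, _ = parse_tlv(attr, q)    # SET OF AttributeValue
        values, v = [], 0
        while v < len(vals):
            _, val, v = parse_tlv(vals, v)
            values.append(val.decode(errors="replace"))
        attrs[atype.decode()] = values
    return attrs

def read_message(f):
    """Read one complete LDAPMessage from a binary socket file."""
    head = f.read(2)
    if len(head) < 2:
        raise ConnectionError("peer closed the connection")
    length = head[1]
    if length & 0x80:
        lenbytes = f.read(length & 0x7F)
        head, length = head + lenbytes, int.from_bytes(lenbytes, "big")
    return head + f.read(length)

def probe_port(host, port, timeout=3.0):
    """The telnet check: 'open', 'refused' (nothing listening) or 'unreachable'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except OSError:                        # timed out (e.g. firewalled) or other failure
        return "unreachable"

def anonymous_schema_exposed(host, port=389, timeout=5.0):
    """Anonymous bind, then read subschemaSubentry from the root DSE. After the fix
    expect bind_result != 0 (e.g. 48, inappropriateAuthentication) or no schema_dn."""
    result = {"bind_result": None, "bind_diag": "", "schema_dn": None}
    with socket.create_connection((host, port), timeout=timeout) as sock:
        f = sock.makefile("rb")
        sock.sendall(build_anonymous_bind(1))
        _, _, op = split_message(read_message(f))
        result["bind_result"], result["bind_diag"] = parse_ldap_result(op)
        if result["bind_result"] != 0:
            return result
        sock.sendall(build_rootdse_search(2))
        while True:
            _, tag, op = split_message(read_message(f))
            if tag == 0x64:                             # SearchResultEntry
                result["schema_dn"] = parse_entry(op).get("subschemaSubentry", [None])[0]
            elif tag == 0x65:                           # SearchResultDone
                return result
```

Typical use is `probe_port(host, 389)` and `probe_port(host, 636)` first (a plain TCP connect on 636 only tells you something listens; the LDAP exchange above is for the cleartext port, since it does no TLS), then `anonymous_schema_exposed(host)` before and after the access-control change so the two results can be compared. The result codes follow RFC 4511: 0 is success, 48 is inappropriateAuthentication, 50 is insufficientAccessRights.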

Author Closing Comment

ID: 31711159
