14.3 Improperly Configured LDAP Servers

Issue 1: Improperly configured LDAP servers allow any user to connect to the server and query for information.

An eDirectory LDAP server enables NULL BIND by default, but allows it to be disabled on the server. To enhance the security of the OES server, disable the NULL BIND on LDAP server port 389. See Configuring LDAP Services for NetIQ eDirectory in the NetIQ eDirectory 8.8 SP8 Administration Guide.

Issue 2: Improperly configured LDAP servers allow the directory BASE to be set to NULL. This allows information to be culled without any prior knowledge of the directory structure. Coupled with a NULL BIND, an anonymous user can query your LDAP server through a tool such as LdapMiner.

An eDirectory LDAP server allows the directory BASE to be set to NULL, and there is no way to disable it. However, with the NULL BIND disabled, as previously mentioned, the security threat posed by this feature is minimized. For more information on NULL BIND, see Nessus Scan Results in the NetIQ eDirectory 8.8 SP8 Administration Guide.