
Thread: Disable Anonymous LDAP Browse

  1. #1

    Disable Anonymous LDAP Browse

    I saw a posting from over 2 years ago about not being able to disable anonymous LDAP browsing...

    Is that still a limitation? If so, that is a SERIOUS limitation and it creates a critical security hole in the product! (Is it time for a vulnerability posting to OSVDB?)

    If it is a limitation, when will this issue be fixed?

    If it is not still an issue, how do you disable anonymous LDAP browsing?

  2. #2

    Looks like the work on this is still in progress according to

    Bug 15378 – Obviate the need for and disallow LDAP anonymous binds

    Until it's merged into GA you should use a firewall to restrict access to the Zimbra LDAP service.

  3. #3

    Could LDAP not be bound to localhost instead?

  4. #4

    Normally, I would limit LDAP to bind to localhost. However, my client is running an email appliance that pulls the list of valid users (and other information) from the Zimbra LDAP directory. Thus, as a work-around until LDAP authentication is implemented, I will use iptables to limit access to the LDAP port to only localhost and the email appliance.

  5. #5

    The bug referenced above is now marked as FIXED, but when I browse using anonymous authentication with Apache Directory Studio, I still see all the user email addresses (and some other info). I'm coming in from the MTA-trusted network, but I doubt that should matter, should it?

    Am I missing something? Exposure of valid email addresses via LDAP would seem to invite harvesting by spammers. Yet if I firewall off LDAP, this will be inconvenient for users with dynamic IP addresses (travellers & telecommuters).

  6. #6

    It's fixed for the GnR release. In ZCS 6.0 the new behavior is:

    Anonymous searches of the LDAP directory:
    - Are disabled on fresh installs.
    - Are allowed on upgrades, matching the old behavior of previous releases.

    To disable anonymous access after upgrading: on each LDAP server run /opt/zimbra/libexec/zmldapanon -d as the zimbra user.

    To enable anonymous access at any point: on each LDAP server run /opt/zimbra/libexec/zmldapanon -e as the zimbra user.
    Last edited by mmorse; 03-01-2009 at 12:09 AM. Reason: emphasis

  7. #7

  8. #8

    I know that telnet against host/port will check for this being open, but in something like GQ, what do I have to type to test if I can list users?

  9. #9

    You could run a GUI LDAP browser such as the one I suggested above, or use

    ldapsearch -h <zimbra server> -x -b "<dc suffix of users you want to list>"

    e.g.

    ldapsearch -h zimbra.company.com -x -b "dc=zimbra,dc=company,dc=com"

    It seems these days you're supposed to use the -H switch instead of -h. That would look like:

    ldapsearch -H ldap://<zimbra server> -x -b "<dc suffix of users you want to list>"
    Last edited by ewilen; 03-02-2009 at 01:35 PM.

  10. #10

    Quote Originally Posted by jon.kibler@aset.com:
    Normally, I would limit LDAP to bind to local host. However, my client is running an email appliance that pulls the list of valid users (and other information) from the Zimbra LDAP directory. Thus, as a work-around until LDAP authentication is implemented, I will use iptables to limit access to the LDAP port to be only localhost and the email appliance.
    Hello,
    Could you post the rule you use in iptables to avoid public access to LDAP?

    Thanks
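As an added example (not posted by anyone in the thread), the following script ties the thread's pieces together for a defender: the anonymous ldapsearch check from post #9, the zmldapanon -d fix from post #6, and a candidate iptables rule set for the localhost-plus-appliance workaround of post #4 that post #10 asks about. The hostname, base DN, appliance address and the LDIF sample are placeholders or constructed; the iptables rules are my reading of post #4, not the poster's actual rules.

```shell
#!/bin/sh
# Added example, not from the thread: report whether a Zimbra LDAP server
# still answers anonymous searches, and print the fixes the thread names.

# Count the entries in LDIF output: one "dn:" line per entry.
count_ldif_entries() {
    printf '%s\n' "$1" | { grep -c '^dn:' || true; }
}

# List the mail addresses an open server would hand to a harvester.
extract_mail() {
    printf '%s\n' "$1" | sed -n 's/^mail: //p'
}

# Anonymous simple bind (-x with no -D/-w), asking only for mail attributes.
anonymous_search() {
    ldapsearch -LLL -x -H "ldap://$1" -b "$2" '(mail=*)' mail 2>/dev/null
}

# Candidate rules for post #4's workaround (assumed, not the poster's):
# LDAP only from localhost and the appliance. Printed, not applied.
iptables_rules() {
    cat <<EOF
iptables -A INPUT -i lo -p tcp --dport 389 -j ACCEPT
iptables -A INPUT -s $1 -p tcp --dport 389 -j ACCEPT
iptables -A INPUT -p tcp --dport 389 -j DROP
EOF
}

# Constructed sample of what an open server returns (not real data).
SAMPLE_LDIF='dn: uid=alice,ou=people,dc=example,dc=com
mail: alice@example.com

dn: uid=bob,ou=people,dc=example,dc=com
mail: bob@example.com'

main() {
    host="$1"; base="$2"; appliance="${3:-192.0.2.10}"   # placeholders
    if ! result=$(anonymous_search "$host" "$base"); then
        echo "anonymous bind/search refused or port unreachable: OK"; return 0
    fi
    n=$(count_ldif_entries "$result")
    [ "$n" -eq 0 ] && { echo "anonymous search allowed but empty"; return 0; }
    echo "EXPOSED: $n entries readable anonymously, e.g. $(extract_mail "$result" | head -n 1)"
    echo "Fix on each LDAP server as zimbra: /opt/zimbra/libexec/zmldapanon -d"
    echo "Or restrict the port:"; iptables_rules "$appliance"
    return 1
}

# Usage: sh ldap_anon_check.sh zimbra.example.com "dc=example,dc=com" [appliance-ip]
if [ $# -ge 2 ]; then main "$@"; fi
```

A non-zero exit means entries were readable without credentials; ldapsearch itself failing (for example "Inappropriate authentication" after zmldapanon -d) is the expected good outcome.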
