Zimbra offers Open Source email server software and shared calendar for Linux and the Mac
Go Back   Zimbra :: Forums > Zimbra Collaboration Suite > Administrators

Welcome to the Zimbra :: Forums!
Welcome, if you would like to post a comment please register. We also encourage you to explore all things Zimbra with our team and members of the community.

Reply
 
LinkBack Thread Tools Search this Thread Display Modes
  #1 (permalink)  
Old 10-17-2008, 07:23 AM
Intermediate Member
 
Posts: 17
Unhappy Disable Anonymous LDAP Browse

I saw a posting from over 2 years ago about not being able to disable anonymous LDAP browsing...

I that still a limitation? If so, that is a SERIOUS limitation and it creates a critical security hole in the product! (Is it time for a vulnerability posting to OSVDB? )

If it is a limitation, when will this issue be fixed?

If it is not still an issue, how do you disable anonymous LDAP browsing?
Reply With Quote
  #2 (permalink)  
Old 10-17-2008, 07:36 AM
Moderator
 
Posts: 1,554
Default

Looks like the work on this is still in progress according to

Bug 15378 – Obviate the need for and disallow LDAP anonymous binds

until it's merged into GA you should use firewall to restrict access to the zimbra ldap service
Reply With Quote
  #3 (permalink)  
Old 10-17-2008, 08:25 AM
Moderator
 
Posts: 7,928
Default

Could LDAP not be bound to the localhost instead ?
__________________
Reply With Quote
  #4 (permalink)  
Old 10-17-2008, 08:46 AM
Intermediate Member
 
Posts: 17
Default

Normally, I would limit LDAP to bind to local host. However, my client is running an email appliance that pulls the list of valid users (and other information) from the Zimbra LDAP directory. Thus, as a work-around until LDAP authentication is implemented, I will use iptables to limit access to the LDAP port to be only localhost and the email appliance.
Reply With Quote
  #5 (permalink)  
Old 02-28-2009, 10:16 PM
Moderator
 
Posts: 1,432
Default

The bug referenced above is now marked as FIXED, but when I browse using anonymous authentication with Apache Directory Studio, I still see all the user email addresses (and some other info). I'm coming in from the MTA-trusted network, but I doubt that should matter, should it?

Am I missing something? Exposure of valid email addresses via LDAP would seem to invite harvesting by spammers. Yet if I firewall off LDAP, this will be inconvenient for users with dynamic IP addresses (travellers & telecommuters).
__________________
Elliot Wilen
Berkeley, CA

Don't forget to enter your Zimbra version in your forum profile.
Reply With Quote
  #6 (permalink)  
Old 02-28-2009, 10:56 PM
Moderator
 
Posts: 6,237
Default

It's fixed for GnR release - in ZCS 6.0 the new behavior is:

Anonymous searches of the LDAP directory:
-Are disabled on fresh installs.
-Are allowed on upgrades
, matching the old behavior of previous releases.

T
o disable anonymous access after upgrading: On each LDAP server run /opt/zimbra/libexec/zmldapanon -d as the zimbra user.

To enable anonymous access at any point: On each LDAP server run /opt/zimbra/libexec/zmldapanon -e as the zimbra user.

Last edited by mmorse; 02-28-2009 at 11:09 PM.. Reason: emphasis
Reply With Quote
  #7 (permalink)  
Old 02-28-2009, 11:28 PM
Moderator
 
Posts: 1,432
Default

Thanks very much!
__________________
Elliot Wilen
Berkeley, CA

Don't forget to enter your Zimbra version in your forum profile.
Reply With Quote
  #8 (permalink)  
Old 03-01-2009, 12:53 AM
Trained Alumni
 
Posts: 123
Default

I know that telnet againt host/port will check for this being open, but in like GQ, what do i have to type to test if i can list users?
Reply With Quote
  #9 (permalink)  
Old 03-02-2009, 12:21 PM
Moderator
 
Posts: 1,432
Default

You could run a GUI LDAP browser such as the one I suggested above, or use

ldapsearch -h <zimbra server> -x -b "<dc suffix of users you want to list>"

e.g.

ldapsearch -h zimbra.company.com -x -b "dc=zimbra,dc=company,dc=com"

It seems these days you're supposed to use the -H switch instead of -h. That would look like:

ldapsearch -H ldap://<zimbra server> -x -b "<dc suffix of users you want to list>"
__________________
Elliot Wilen
Berkeley, CA

Don't forget to enter your Zimbra version in your forum profile.

Last edited by ewilen; 03-02-2009 at 12:35 PM..
Reply With Quote
  #10 (permalink)  
Old 03-12-2009, 10:04 AM
Member
 
Posts: 11
Default

Quote:
Originally Posted by jon.kibler@aset.com View Post
Normally, I would limit LDAP to bind to local host. However, my client is running an email appliance that pulls the list of valid users (and other information) from the Zimbra LDAP directory. Thus, as a work-around until LDAP authentication is implemented, I will use iptables to limit access to the LDAP port to be only localhost and the email appliance.
Hello,
Could you post the rule you use in iptables to avoid public access to LDAP?

Thanks
Reply With Quote
Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes


Similar Threads

Why Join?

Registering let's you ask questions, makes it easier to search, displays any files attached to posts, and notifies you about replies.

blog.zimbra.com




 

SEO by vBSEO ©2011, Crawlability, Inc.