| Welcome to the Zimbra :: Forums! | |
Welcome, if you would like to post a comment please register.
We also encourage you to explore all things Zimbra with our team and members of the community.
|
 | | 
10-17-2008, 07:23 AM
| | Intermediate Member | |
Posts: 17
| |  Disable Anonymous LDAP Browse
I saw a posting from over 2 years ago about not being able to disable anonymous LDAP browsing...
I that still a limitation? If so, that is a SERIOUS limitation and it creates a critical security hole in the product! (Is it time for a vulnerability posting to OSVDB?  )
If it is a limitation, when will this issue be fixed?
If it is not still an issue, how do you disable anonymous LDAP browsing? |
10-17-2008, 08:25 AM
| | |
Could LDAP not be bound to the localhost instead ?
__________________  |
10-17-2008, 08:46 AM
| | Intermediate Member | |
Posts: 17
| |
Normally, I would limit LDAP to bind to local host. However, my client is running an email appliance that pulls the list of valid users (and other information) from the Zimbra LDAP directory. Thus, as a work-around until LDAP authentication is implemented, I will use iptables to limit access to the LDAP port to be only localhost and the email appliance. |
02-28-2009, 10:16 PM
| | |
The bug referenced above is now marked as FIXED, but when I browse using anonymous authentication with Apache Directory Studio, I still see all the user email addresses (and some other info). I'm coming in from the MTA-trusted network, but I doubt that should matter, should it?
Am I missing something? Exposure of valid email addresses via LDAP would seem to invite harvesting by spammers. Yet if I firewall off LDAP, this will be inconvenient for users with dynamic IP addresses (travellers & telecommuters). |
02-28-2009, 10:56 PM
| | |
It's fixed for GnR release - in ZCS 6.0 the new behavior is:
Anonymous searches of the LDAP directory:
-Are disabled on fresh installs.
-Are allowed on upgrades, matching the old behavior of previous releases.
To disable anonymous access after upgrading: On each LDAP server run /opt/zimbra/libexec/zmldapanon -d as the zimbra user.
To enable anonymous access at any point: On each LDAP server run /opt/zimbra/libexec/zmldapanon -e as the zimbra user.
Last edited by mmorse; 02-28-2009 at 11:09 PM..
Reason: emphasis
|
02-28-2009, 11:28 PM
| | |
Thanks very much! |
03-01-2009, 12:53 AM
| | Trained Alumni | |
Posts: 123
| |
I know that telnet againt host/port will check for this being open, but in like GQ, what do i have to type to test if i can list users? |
03-02-2009, 12:21 PM
| | |
You could run a GUI LDAP browser such as the one I suggested above, or use
ldapsearch -h <zimbra server> -x -b "<dc suffix of users you want to list>"
e.g.
ldapsearch -h zimbra.company.com -x -b "dc=zimbra,dc=company,dc=com"
It seems these days you're supposed to use the -H switch instead of -h. That would look like:
ldapsearch -H ldap://<zimbra server> -x -b "<dc suffix of users you want to list>"
Last edited by ewilen; 03-02-2009 at 12:35 PM..
|
03-12-2009, 10:04 AM
| | |
Quote:
Originally Posted by jon.kibler@aset.com  Normally, I would limit LDAP to bind to local host. However, my client is running an email appliance that pulls the list of valid users (and other information) from the Zimbra LDAP directory. Thus, as a work-around until LDAP authentication is implemented, I will use iptables to limit access to the LDAP port to be only localhost and the email appliance. | Hello,
Could you post the rule you use in iptables to avoid public access to LDAP?
Thanks | | Thread Tools | Search this Thread | | | | | Display Modes |  Linear Mode | | Why Join? Registering let's you ask questions, makes it easier to search, displays any files attached to posts, and notifies you about replies.   |
Bugzilla
Wiki
Source
