Zimbra

jon.kibler@aset.com · #1 (**permalink**) 10-17-2008, 08:23 AM

I saw a posting from over 2 years ago about not being able to disable anonymous LDAP browsing...

I that still a limitation? If so, that is a SERIOUS limitation and it creates a critical security hole in the product! (Is it time for a vulnerability posting to OSVDB?

)

If it is a limitation, when will this issue be fixed?

If it is not still an issue, how do you disable anonymous LDAP browsing?

bdial · #2 (**permalink**) 10-17-2008, 08:36 AM

Looks like the work on this is still in progress according to

Bug 15378 – Obviate the need for and disallow LDAP anonymous binds

until it's merged into GA you should use firewall to restrict access to the zimbra ldap service

uxbod · #3 (**permalink**) 10-17-2008, 09:25 AM

Could LDAP not be bound to the localhost instead ?

jon.kibler@aset.com · #4 (**permalink**) 10-17-2008, 09:46 AM

Normally, I would limit LDAP to bind to local host. However, my client is running an email appliance that pulls the list of valid users (and other information) from the Zimbra LDAP directory. Thus, as a work-around until LDAP authentication is implemented, I will use iptables to limit access to the LDAP port to be only localhost and the email appliance.

ewilen · #5 (**permalink**) 02-28-2009, 11:16 PM

The bug referenced above is now marked as FIXED, but when I browse using anonymous authentication with Apache Directory Studio, I still see all the user email addresses (and some other info). I'm coming in from the MTA-trusted network, but I doubt that should matter, should it?

Am I missing something? Exposure of valid email addresses via LDAP would seem to invite harvesting by spammers. Yet if I firewall off LDAP, this will be inconvenient for users with dynamic IP addresses (travellers & telecommuters).

mmorse · #6 (**permalink**) 02-28-2009, 11:56 PM

It's fixed for GnR release - in ZCS 6.0 the new behavior is:

Anonymous searches of the LDAP directory:
-Are disabled on fresh installs.
-Are allowed on upgrades, matching the old behavior of previous releases.

To disable anonymous access after upgrading: On each LDAP server run /opt/zimbra/libexec/zmldapanon -d as the zimbra user.

To enable anonymous access at any point: On each LDAP server run /opt/zimbra/libexec/zmldapanon -e as the zimbra user.

ewilen · #7 (**permalink**) 03-01-2009, 12:28 AM

Thanks very much!

flums · #8 (**permalink**) 03-01-2009, 01:53 AM

I know that telnet againt host/port will check for this being open, but in like GQ, what do i have to type to test if i can list users?

ewilen · #9 (**permalink**) 03-02-2009, 01:21 PM

You could run a GUI LDAP browser such as the one I suggested above, or use

ldapsearch -h <zimbra server> -x -b "<dc suffix of users you want to list>"

e.g.

ldapsearch -h zimbra.company.com -x -b "dc=zimbra,dc=company,dc=com"

It seems these days you're supposed to use the -H switch instead of -h. That would look like:

ldapsearch -H ldap://<zimbra server> -x -b "<dc suffix of users you want to list>"

163828045 · #10 (**permalink**) 03-12-2009, 11:04 AM

Quote:

Originally Posted by jon.kibler@aset.com

Normally, I would limit LDAP to bind to local host. However, my client is running an email appliance that pulls the list of valid users (and other information) from the Zimbra LDAP directory. Thus, as a work-around until LDAP authentication is implemented, I will use iptables to limit access to the LDAP port to be only localhost and the email appliance.

Hello,
Could you post the rule you use in iptables to avoid public access to LDAP?

Thanks

Zimbra

Downloads

Product Information

Toolbox

Why Join?