LDAP Security?
The question is about why the LDAP server allows “Anonymous” access to all data.
We don’t have a firewall, but even if we block the port, LDAP is still open to the INTERNAL NETWORK.
Why is the default setting of Zimbra “Anonymous” access to all LDAP data?
1) Download any LDAP Explorer tool (i.e. the Windows .NET tool ASP-Dev XM LDAP Explorer http://www.asp-dev.com/main.asp?page=200 )
2) Only enter the INTERNAL or EXTERNAL IP of the Zimbra LDAP server (no username or password) and you can access all LDAP data and usernames.
How can we enable AUTH in LDAP so that no data is visible through “Anonymous” access from any network, internal or external?
Can anyone confirm this behavior, and what can we do to stop this and make it more secure?
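The two reproduction steps above can be done from a shell with the standard OpenLDAP client instead of a Windows GUI. The script below is an added example and is not part of the original post or of Zimbra: it performs an anonymous simple bind (`-x` with no `-D`/`-w`), reads the root DSE to learn the naming contexts, and then anonymously searches each one for entries carrying a `mail` attribute. The hostname is passed as the first argument; the exit-code mapping in `interpret_rc` follows the LDAP result codes ldapsearch exits with, and the `(mail=*)` filter is an assumption chosen because it is not Zimbra-specific.

```shell
#!/bin/sh
# Added example, not from the thread or from Zimbra: probe an LDAP server for
# anonymous read access with OpenLDAP's ldapsearch client.  "-x" selects a
# simple bind; with no -D/-w the bind is anonymous, which is exactly what the
# LDAP Explorer tool in the post does.  Usage: sh probe.sh ldap-host

# Translate an ldapsearch exit status into a verdict.  Non-zero values are the
# LDAP result codes ldapsearch exits with; 255 is its "can't contact server".
interpret_rc() {
    case "$1" in
        0)   echo "OPEN: anonymous bind and search succeeded" ;;
        48)  echo "CLOSED: inappropriateAuthentication, anonymous bind refused" ;;
        50)  echo "CLOSED: insufficientAccess, authentication required" ;;
        255) echo "UNREACHABLE: cannot contact server (down or firewalled)" ;;
        *)   echo "OTHER: ldapsearch exit status $1" ;;
    esac
}

# Count the lines of an LDIF search result that carry a given attribute.
count_attr() {   # usage: count_attr ATTR < ldif
    grep -c "^$1: " || true
}

# Step 1: read the root DSE (usually readable without credentials) to learn
# the naming contexts.  Step 2: anonymously search each context for account
# entries and report how many mail addresses came back.
anon_probe() {
    host="$1"
    dse=$(ldapsearch -x -LLL -H "ldap://$host" -b "" -s base namingContexts 2>/dev/null)
    rc=$?
    if [ "$rc" -ne 0 ]; then
        interpret_rc "$rc"
        return 1
    fi
    total=0
    for ctx in $(printf '%s\n' "$dse" | sed -n 's/^namingContexts: //p'); do
        # (mail=*) is an assumed, vendor-neutral filter for mailbox entries.
        result=$(ldapsearch -x -LLL -H "ldap://$host" -b "$ctx" -s sub '(mail=*)' mail uid 2>/dev/null)
        rc=$?
        if [ "$rc" -ne 0 ]; then
            echo "$ctx: $(interpret_rc "$rc")"
            continue
        fi
        n=$(printf '%s\n' "$result" | count_attr mail)
        echo "$ctx: $n mail addresses readable anonymously"
        total=$((total + n))
    done
    if [ "$total" -gt 0 ]; then
        echo "OPEN: $total addresses enumerated without credentials"
        return 0
    fi
    echo "CLOSED: no account data returned anonymously"
    return 1
}

# Only run the network probe when a host was given on the command line.
if [ $# -gt 0 ]; then
    anon_probe "$1"
fi
```

Run it once from the Zimbra box itself, once from another internal host and once from outside; the three results show which networks can enumerate accounts without credentials, and the same run after any firewall or server-side change confirms whether the change actually took effect.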
I can confirm this (mis)behaviour.
It would be great to keep the LDAP server listening on a public interface and restrict access to authenticated users, with browsing restricted to the GAL of the user's domain/organization. This would allow users of Thunderbird and other LDAP-enabled MUAs to use the GAL.
Unfortunately I'm not an LDAP guru.
If someone has a cookbook for that issue, please post it here.
If you consider this behaviour to be a problem, then file an RFE in Bugzilla.
We're currently investigating, and will have a followup soon.
It is open for browsing the email address book.
You can use ipchains to restrict/firewall on the Zimbra box.
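The firewall suggestion in the reply above, written out as an added example (not from the thread or from Zimbra) using iptables, the successor of ipchains on 2.4+ kernels. It generates a rule set that keeps the LDAP ports reachable from loopback and from a short list of other Zimbra servers and drops everything else. The port numbers (389 plain, 636 TLS), the peer addresses and the log prefix are assumptions; on a single-server install the peer list can be empty.

```shell
#!/bin/sh
# Added example, not from the thread: restrict who can reach the Zimbra LDAP
# listener with iptables (the successor of the ipchains mentioned above).
# Port numbers, peer addresses and the log prefix are placeholder assumptions.
# Usage: sh ldap-fw.sh show   (dry run)   |   sh ldap-fw.sh apply   (as root)

LDAP_PORTS="389 636"                    # assumed plain and TLS LDAP listeners
# Other Zimbra servers (mailbox/MTA hosts) that legitimately query LDAP.
# Leave empty on a single-server install, where only loopback is needed.
LDAP_PEERS="192.0.2.10 192.0.2.11"      # assumed example addresses

# Print the rule set, one iptables command per line, without applying it, so
# it can be reviewed first.  Rules are inserted (-I) at the top of INPUT so a
# pre-existing blanket ACCEPT further down cannot override them; they are
# emitted in reverse order because each -I pushes the previous one down.
ldap_fw_rules() {
    for port in $LDAP_PORTS; do
        echo "iptables -I INPUT -p tcp --dport $port -j DROP"
        echo "iptables -I INPUT -p tcp --dport $port -j LOG --log-prefix 'LDAP-DENY: '"
        for peer in $LDAP_PEERS; do
            echo "iptables -I INPUT -p tcp -s $peer --dport $port -j ACCEPT"
        done
        # Zimbra's own daemons talk to LDAP over loopback; keep that working.
        echo "iptables -I INPUT -i lo -p tcp --dport $port -j ACCEPT"
    done
}

# Apply the rules (needs root).  Stops at the first iptables error.
apply_ldap_fw() {
    ldap_fw_rules | sh -e
}

# Count generated rules with a given target, independent of the running kernel.
count_rules() {    # usage: count_rules TARGET
    ldap_fw_rules | grep -c -- "-j $1" || true
}

case "${1:-}" in
    apply) apply_ldap_fw ;;
    show)  ldap_fw_rules ;;
esac
```

After applying, the resulting chain reads, top to bottom: loopback ACCEPT, one ACCEPT per peer, LOG, DROP, for each port. Two caveats: the rules are not persistent across reboots unless saved with the distribution's iptables save mechanism, and a firewall only narrows who can connect; the hosts you allow, and anyone with a shell on the Zimbra box, can still read the directory anonymously, so it does not by itself provide the "require authentication" behaviour the original question asks for.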