LDAP server exposes too much information to an unauthenticated query #62
Without any authentication, you can query for the usernames and some other sensitive information. Since we are also using SSH on the standard port, an attacker could brute-force a particular user that they found by doing an LDAP query.
Eh, this isn't too important since a determined attacker could get the usernames using other methods. The only other "sensitive" info you can get from an unauthenticated LDAP query is their UID number and home directory, which isn't sensitive at all.
While our LDAP server is exposed to the internet, I don't want to mess with LDAP configs since it works and it's probably going to break if I try to tweak things.
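Added example, not from this issue thread or the project: a mitigation for the anonymous-read exposure discussed above, written for an OpenLDAP slapd using the cn=config backend. The database name `olcDatabase={1}mdb` and the suffix `dc=example,dc=com` are assumptions to adjust for the real server. The first rule keeps password attributes unreadable but still lets anonymous clients bind (so authentication keeps working); the second denies everything else, including `uid`, `uidNumber` and `homeDirectory`, to anyone who has not bound.

```ldif
# Assumed: OpenLDAP with cn=config; database {1}mdb, suffix dc=example,dc=com are placeholders.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
# Passwords: owner may change them, anonymous may only use them to bind, nobody may read them.
olcAccess: {0}to attrs=userPassword,shadowLastChange
  by self write
  by anonymous auth
  by * none
# Everything else (uid, uidNumber, homeDirectory, ...): readable only after a successful bind.
olcAccess: {1}to *
  by self write
  by users read
  by * none
```

Apply with `ldapmodify -Y EXTERNAL -H ldapi:/// -f restrict-anon.ldif` on the server itself, then confirm from outside that an anonymous `ldapsearch -x` against the suffix returns no entries while a bound search still does. Caveat before deploying: any NSS/PAM client (nslcd, sssd, pam_ldap) that currently looks up accounts without a bind DN will stop resolving users once anonymous read is gone, so give those clients a dedicated read-only bind account first.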