Update:
I followed this tutorial and it seems to be working now
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/...
[root@-freeipa /]# ldapmodify -x -D "cn=Directory Manager" -W -H ldap://10.0.0.9:389
Enter LDAP Password:
dn: cn=config
changetype: modify
replace: nsslapd-allow-anonymous-access
nsslapd-allow-anonymous-access: rootdse
modifying entry "cn=config"
[root@-freeipa /]# ipactl restart
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting httpd Service
Restarting ipa-custodia Service
Restarting pki-tomcatd Service
Restarting ipa-otpd Service
ipa: INFO: The ipactl command was successful
[root@-freeipa /]# ldapsearch -x -b "dc=example,dc=com" -H ldap://10.0.0.9:389 "(objectClass=*)"
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (objectClass=*)
# requesting: ALL
#
# search result
search: 2
result: 48 Inappropriate authentication
text: Anonymous access is not allowed.
On Wed, Sep 27, 2023 at 1:30 PM Duarte Petiz <duarte.petiz(a)jscrambler.com>
wrote:
Hey everyone!
I have been using FreeIPA for 2 months.
Now I asked for an internal pentest and the pentesters found this:
Without authentication they can obtain information about our FreeIPA (which
uses LDAP as a backend, as you know).
ldapsearch -x -b "dc=example,dc=com" -H ldap://10.0.0.9:389 "(objectClass=*)"
Is there any way to protect it? How can I achieve that?
--
*Kind Regards*
*Duarte Petiz*
*DevOps Team Lead* |
jscrambler.com
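The verification step from the update above, reworked into a repeatable check (an added example, not from the thread or the FreeIPA project): it runs the same anonymous ldapsearch and classifies the LDAP result code, so the check can be scripted after the ldapmodify change. The host 10.0.0.9 and base DN dc=example,dc=com are taken from the thread; the function name classify_anon_result and the --run flag are assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread: a repeatable check that the
# anonymous-bind restriction (nsslapd-allow-anonymous-access: rootdse) is in
# effect. ldapsearch output is piped through classify_anon_result, which
# inspects the LDAP result code instead of eyeballing the terminal.
# Host and base DN are assumed from the thread; override via environment.
LDAP_HOST="${LDAP_HOST:-10.0.0.9}"
LDAP_BASE="${LDAP_BASE:-dc=example,dc=com}"

# classify_anon_result: read ldapsearch -x (anonymous simple bind) output
# from stdin. Exit 0 when the server refused the anonymous search (LDAP
# result 48 inappropriateAuthentication, as in the thread, or 50
# insufficientAccessRights), 1 when the search succeeded (result 0, i.e.
# directory contents are still exposed), 2 when no result line was found
# (connection problem or unexpected output).
classify_anon_result() {
  out=$(cat)
  code=$(printf '%s\n' "$out" | sed -n 's/^result: \([0-9][0-9]*\).*/\1/p' | head -n 1)
  entries=$(printf '%s\n' "$out" | grep -c '^dn: ' || true)
  case "$code" in
    48|50) echo "PASS: anonymous search rejected (result $code)"; return 0 ;;
    0)     echo "FAIL: anonymous search returned $entries entries"; return 1 ;;
    *)     echo "UNKNOWN: no LDAP result line in ldapsearch output"; return 2 ;;
  esac
}

# Run the live check only when asked, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then
  ldapsearch -x -b "$LDAP_BASE" -H "ldap://$LDAP_HOST:389" "(objectClass=*)" 2>&1 \
    | classify_anon_result
fi
```

Run it as `sh check-anon-ldap.sh --run` from a host outside the IPA server after `ipactl restart`; a non-zero exit is the signal to investigate.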