Home / server / Questions / 63916
Accepted
Peter Sankauskas
Asked: 2009-09-10 13:24:01 +0800 CST

How to disable anonymous access on LDAP

  • 772

I need to secure my LDAP server and am not quite sure the best way to go about it. I am running Debian "Lenny", and using OpenLDAP (slapd).

I notice that if I run:

ldapsearch -x -W -b 'dc=example,dc=com' -H 'ldap://127.0.0.1:389/' 'objectclass=*'

and just press ENTER when it prompts for a password, that I get a list of directory entries. Anonymous access is not acceptable if I am opening this up to the internet, but cannot find a way to disable anonymous access.

I have tried modifying /etc/ldap/slapd.conf to the following:

access to *
    by dn="cn=admin,dc=example,dc=com" write
    by * none

... but that doesn't do the trick.

After this, I will get it running over TLS, but it is pointless doing that step while still allowing anonymous access.

Any ideas?

security

3 Answers

  1. If the accepted answer does not work for you (it didn't for me on Ubuntu), try the following.

    Create ldiff file:

    nano /usr/share/slapd/ldap_disable_bind_anon.ldif

    Paste in this:

    dn: cn=config
changetype: modify
add: olcDisallows
olcDisallows: bind_anon

dn: cn=config
changetype: modify
add: olcRequires
olcRequires: authc

dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: olcRequires
olcRequires: authc

    And then run:

    ldapadd -Y EXTERNAL -H ldapi:/// -f /usr/share/slapd/ldap_disable_bind_anon.ldif
    • 21
  2. Best Answer

    To completely disable anonymous bind, add this line to slapd.conf:

    disallow bind_anon

    and restart the slapd service.

    • 7

  3. Since you are planning to go SSL/TLS soon, you may want to consider using client certificate verification to further tighten your security. Stunnel with -v -A options would do nicely.

    • 0