[HowTo] Disallow global anonymous bind in OpenLDAP 2.4+

Hello everybody,

In this post I will explain the simplest method to disable global anonymous binding using cn=config. The same method can easily be adapted to a static configuration using slapd.conf. I am not an OpenLDAP expert, but as shown in my previous [HowTo] about OpenLDAP 2.4+, the default configuration allows anonymous binding, so everybody can read the content of the database.

The proper way to solve access problems is to use ACLs, but that is sometimes a little complicated. In my case, I simply tell OpenLDAP to disallow anonymous bind globally and to require authentication whenever someone accesses the frontend database.

Save the following as an LDIF file (test.ldif in the command below):

# Disallow anonymous bind globally
dn: cn=config
changetype: modify
add: olcDisallows
olcDisallows: bind_anon
-

# Require authentication on the frontend database (its settings apply to all databases)
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: olcRequires
olcRequires: authc
-

Then apply it with ldapmodify. Run this as root on the LDAP server itself, because the EXTERNAL SASL mechanism over the local ldapi:// socket authenticates you by your local Unix identity:

ldapmodify -Y EXTERNAL -H ldapi:// -f test.ldif

Now, when someone tries to read the content of the database anonymously, they receive an error message like this:

ldapsearch -x -H ldap://192.168.100.5
ldap_bind: Inappropriate authentication (48)
        additional info: anonymous bind disallowed

If you want to read the content, you must provide a bind DN and its password. This applies to every client: an NSS/PAM LDAP client (nslcd, sssd) that previously searched the directory anonymously must also be configured with a bind DN and password, otherwise user lookups such as getent passwd will stop returning LDAP users.

ldapsearch -x -H ldap://192.168.241.75 -D "cn=admin,dc=gremaud,dc=ch" -W
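To check that the two settings above are really in effect, here is a small audit script. It is an added example, not part of the original post: it parses the cn=config output of ldapsearch (unfolding LDIF continuation lines first) and reports which of the two attributes is missing, interprets the exit status of an anonymous ldapsearch probe (ldapsearch exits with the LDAP result code, so 48 is the rejection shown above), and prints the LDIF that reverses the change. The run_audit function assumes the OpenLDAP client tools are installed and that it is run as root on the LDAP server so that SASL EXTERNAL over ldapi:// can read cn=config; the ldap:// URI it takes is a placeholder.

```shell
#!/bin/sh
# Added example (not from the post): audit the "disallow bind_anon" and
# "require authc" settings. Assumes OpenLDAP client tools; run_audit also
# assumes root on the LDAP server so SASL EXTERNAL over ldapi:// can read cn=config.

# Join LDIF continuation lines (a leading space continues the previous line)
# so that each attribute value can be matched as a single line.
unfold_ldif() {
    awk '
        /^ /  { buf = buf substr($0, 2); next }
        { if (started) print buf; buf = $0; started = 1 }
        END   { if (started) print buf }'
}

# Read ldapsearch output for cn=config from stdin and report which setting is
# missing. Returns 0 only when cn=config carries "olcDisallows: bind_anon" AND
# the frontend database carries "olcRequires: authc" (attribute names are
# case-insensitive in LDAP, hence the tolower comparisons).
audit_config_ldif() {
    unfold_ldif | awk '
        /^dn: / { dn = tolower(substr($0, 5)) }
        dn == "cn=config" && tolower($0) == "olcdisallows: bind_anon" { has_disallow = 1 }
        dn == "olcdatabase={-1}frontend,cn=config" && tolower($0) == "olcrequires: authc" { has_require = 1 }
        END {
            if (!has_disallow) print "MISSING: olcDisallows: bind_anon on cn=config"
            if (!has_require)  print "MISSING: olcRequires: authc on olcDatabase={-1}frontend,cn=config"
            if (has_disallow && has_require) { print "OK: anonymous bind disallowed, frontend requires authc"; exit 0 }
            exit 1
        }'
}

# Interpret the exit status of an anonymous "ldapsearch -x" probe. ldapsearch
# exits with the LDAP result code: 48 (inappropriateAuthentication) is the
# "anonymous bind disallowed" rejection shown in the post, 0 means the
# anonymous read succeeded, 255 (result code -1) means the server was unreachable.
interpret_bind_rc() {
    case "$1" in
        48)  echo "PASS: anonymous bind rejected (inappropriateAuthentication)"; return 0 ;;
        0)   echo "FAIL: anonymous read succeeded, bind_anon is still allowed";  return 1 ;;
        255) echo "ERROR: could not contact the LDAP server";                    return 2 ;;
        *)   echo "WARN: anonymous probe failed with LDAP result code $1, check the slapd log"; return 2 ;;
    esac
}

# Against a live server: read cn=config, then probe an anonymous bind.
# Usage: run_audit ldap://192.168.100.5   (the URI is a constructed placeholder)
run_audit() {
    uri="${1:-ldap://localhost}"
    ldapsearch -LLL -Y EXTERNAL -H ldapi:// -b cn=config '(objectClass=*)' \
        olcDisallows olcRequires 2>/dev/null | audit_config_ldif || return 1
    ldapsearch -x -H "$uri" -b '' -s base 1.1 >/dev/null 2>&1
    interpret_bind_rc $?
}

# LDIF that reverses the change; apply it with the same ldapmodify command.
revert_ldif() {
    cat <<'EOF'
dn: cn=config
changetype: modify
delete: olcDisallows
olcDisallows: bind_anon
-

dn: olcDatabase={-1}frontend,cn=config
changetype: modify
delete: olcRequires
olcRequires: authc
-
EOF
}
```

Source the file and call run_audit from the server; the audit deliberately checks both attributes on their own entries, because bind_anon on cn=config alone still leaves databases that do not require authentication open to unauthenticated operations on other connections, and authc on the frontend alone does not stop the anonymous bind itself.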

2 Comments

  1. Hi there,

    After doing this we are unable to log in to the server using LDAP? The user list doesn't seem to be seen and getent passwd no longer shows any LDAP users? Are we missing something to allow the authentication?

    Thanks

  2. How to re-enable anonymous login once it is disabled? Can you please provide an LDIF file for this?
