[HowTo] Disallow global anonymous bind in OpenLDAP 2.4+

Hello everybody,

In this post I will explain the simplest method to disable global anonymous binding using cn=config. This method can easily be adapted to a static configuration using slapd.conf. I am not an OpenLDAP expert, but as noted in my previous [HowTo] about OpenLDAP 2.4+, the default configuration allows anonymous binding, so everybody can read the content of the database.

The best way to solve access problems is to use ACLs, but that is sometimes a little complicated. In my case, I simply tell OpenLDAP to globally disable anonymous binds and to require authentication when someone tries to access the frontend database.

Simply execute this ldif file using ldapmodify.

And execute it using this command:

Now, when someone tries to read the content of the database anonymously, they receive an error message like this:

If you want to be able to read the content, you must provide the bind DN and the corresponding password.
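The following script is an added example and is not the LDIF file or command from the original post. It writes the cn=config change that disables anonymous binds (the `olcDisallows: bind_anon` and `olcRequires: authc` attributes of OpenLDAP's dynamic configuration), applies it with ldapmodify over ldapi:/// using SASL EXTERNAL, and then verifies that an anonymous search is refused while an authenticated one still works. The base DN and bind DN are placeholders that must be replaced with your own values.

```shell
#!/bin/sh
# Added example (not the original post's LDIF): build, apply and verify the
# cn=config change that turns off global anonymous binds on OpenLDAP 2.4+.
# Assumptions: cn=config is writable over ldapi:/// with SASL EXTERNAL as root;
# BASE_DN and BIND_DN below are placeholders for your own directory.

LDIF_PATH="${LDIF_PATH:-/tmp/disable-anon-bind.ldif}"
BASE_DN="${BASE_DN:-dc=example,dc=com}"           # placeholder
BIND_DN="${BIND_DN:-cn=admin,dc=example,dc=com}"  # placeholder

# Write the LDIF. olcDisallows bind_anon makes the server refuse anonymous
# bind requests; olcRequires authc rejects any operation coming from a session
# that has not authenticated. "add:" fails if the value is already present,
# which is a useful signal that the setting was applied earlier.
write_disable_anon_ldif() {
    cat > "$LDIF_PATH" <<'EOF'
dn: cn=config
changetype: modify
add: olcDisallows
olcDisallows: bind_anon
-
add: olcRequires
olcRequires: authc
EOF
    printf '%s\n' "$LDIF_PATH"
}

# Apply the change to the running server (root is needed so that SASL
# EXTERNAL over the ldapi socket maps to the cn=config admin identity).
apply_disable_anon() {
    ldapmodify -Y EXTERNAL -H ldapi:/// -f "$LDIF_PATH"
}

# Verify: an anonymous base search must now fail (ldapsearch exits non-zero),
# while the same search with the bind DN and password must succeed.
verify_anon_disabled() {
    if ldapsearch -x -H ldapi:/// -b "$BASE_DN" -s base >/dev/null 2>&1; then
        echo "anonymous read is still allowed" >&2
        return 1
    fi
    ldapsearch -x -H ldapi:/// -D "$BIND_DN" -W -b "$BASE_DN" -s base >/dev/null
}

# Count the two settings in the generated file; a quick sanity check before applying.
count_ldif_settings() {
    grep -c -E '^(olcDisallows|olcRequires):' "$LDIF_PATH"
}

case "${1:-}" in
    write)  write_disable_anon_ldif ;;
    apply)  write_disable_anon_ldif >/dev/null && apply_disable_anon ;;
    verify) verify_anon_disabled ;;
esac
```

Run it as `sh disable-anon.sh apply` and then `sh disable-anon.sh verify` (the verify step prompts for the bind password because of `-W`). Because `olcRequires: authc` rejects every operation from an unauthenticated session, any client that used to search the directory without binding, including NSS/PAM lookups such as `getent passwd` through nslcd or sssd, stops seeing entries until it is configured with its own bind DN and password; plan that client change before applying the server change.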


1 comment

  1. Hi there,

    After doing this we are unable to log in to the server using LDAP? The user list doesn’t seem to be seen and a getent passwd no longer shows any LDAP users? Are we missing something to allow the authentication?

    Thanks
