
With slapd.conf you could globally disable anonymous binding and require authentication with the following static directives:

disallow bind_anon
require authc

How can I achieve the same global settings, but using the new cn=config live configuration method?

Michael P

3 Answers


A variation on the same theme; I tried it out and it works: LDAP security tips at SysadminTalk

Summary:

1) Create a file, let's call it disable_anon_frontend.ldif with the following content:

dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: olcRequires
olcRequires: authc

2) Create another file called disable_anon_backend.ldif with the following content:

dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcRequires
olcRequires: authc

3) Then on the server, modify the LDAP by issuing the following commands:

sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f disable_anon_frontend.ldif
sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f disable_anon_backend.ldif

4) Check by executing the following anonymous query (use your own dc=... settings as applicable):

ldapsearch -x -LLL -H ldap:/// -b dc=example,dc=domain,dc=com dn

If you see the error message below, then anonymous access has been successfully disabled:

Server is unwilling to perform (53)
Additional information: authentication required

Good luck!

András Aszódi
    Welcome to Server Fault! While this may theoretically answer the question, it would be preferable to include the essential parts of the answer here, and provide the link for reference. – HopelessN00b Feb 07 '13 at 14:26
    Thanks, you're absolutely right, I edited my answer as recommended. – András Aszódi Feb 07 '13 at 14:50

Not that quanta's ACLs are a bad thing, but to answer your question:

ldapmodify
dn: cn=config
changetype: modify
add: olcDisallows
olcDisallows: bind_anon
-

dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: olcRequires
olcRequires: authc

Please be aware that ldapmodify is sensitive to (trailing) spaces, so a straight copy-paste won't work (and may not authenticate you properly either). Also, the DN you bind with will need write access to the cn=config database.

84104
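The two answers above give the pieces (olcRequires: authc on the frontend database in the first, olcDisallows: bind_anon on cn=config plus the frontend olcRequires in the second); the script below puts them together as one runnable procedure. It is an added example, not code from either answer or from the OpenLDAP project. It assumes slapd listens on ldapi:///, that the local root user may modify cn=config over SASL EXTERNAL (the Debian/Ubuntu default), and that BASE_DN is your suffix (dc=example,dc=com is a placeholder). Both directives matter: disallow bind_anon only refuses anonymous bind requests, while require authc is what refuses anonymous directory operations, and the frontend database's settings are the defaults inherited by every other database, which is why the frontend is the global place for olcRequires. The error strings the classifier recognises are the one the first answer reports (result 53) and the inappropriateAuthentication result (49) that slapd returns for a bind refused by bind_anon; the sample outputs at the bottom are constructed so the classifier can be exercised without a server.

```shell
#!/bin/sh
# Added example, not code from either answer above. Applies the global
# equivalents of "disallow bind_anon" and "require authc" through cn=config
# and checks the result with an anonymous search.
#
# Assumptions (adjust to your server):
#  - slapd listens on ldapi:/// and the local root user may modify cn=config
#    via SASL EXTERNAL (the Debian/Ubuntu default);
#  - BASE_DN is your suffix; dc=example,dc=com is a placeholder.
BASE_DN="${BASE_DN:-dc=example,dc=com}"

# cn=config carries the global olcDisallows. olcDatabase={-1}frontend is the
# frontend database whose settings are the defaults for every other database,
# so olcRequires there is the global form of "require authc". Both entries use
# "add:", so running the modify a second time fails with
# attributeOrValueExists (20) rather than silently re-applying.
global_auth_ldif() {
    cat <<'EOF'
dn: cn=config
changetype: modify
add: olcDisallows
olcDisallows: bind_anon

dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: olcRequires
olcRequires: authc
EOF
}

apply_global_auth() {
    global_auth_ldif | ldapmodify -Q -Y EXTERNAL -H ldapi:///
}

# Classify captured ldapsearch output (stdout and stderr together):
#   0  anonymous access refused: result 53 (unwillingToPerform,
#      "authentication required", the case the first answer reports) or
#      49 (inappropriateAuthentication, "anonymous bind disallowed", what
#      slapd returns for a bind refused by disallow bind_anon);
#   1  anonymous access still works: entries came back;
#   2  anything else (server unreachable, wrong base, ...), not a pass.
classify_anon_result() {
    case "$1" in
        *"(53)"*|*"(49)"*) return 0 ;;
        *"dn: "*)          return 1 ;;
        *)                 return 2 ;;
    esac
}

# Live check: -x with no -D is an anonymous simple bind, then a base search.
# ldapsearch reports the refusal on stderr, so both streams are captured.
check_anon_access() {
    out=$(ldapsearch -x -LLL -H ldap:/// -b "$BASE_DN" -s base dn 2>&1)
    classify_anon_result "$out"
}

# Constructed sample outputs (not captured from a server) so the classifier
# can be exercised without slapd. The first uses the error text the first
# answer reports; the second is what an open server returns for a base search.
REFUSED_SAMPLE='Server is unwilling to perform (53)
        additional info: authentication required'
ALLOWED_SAMPLE='dn: dc=example,dc=com
'

if [ "${1:-}" = "apply" ]; then
    apply_global_auth
    if check_anon_access; then
        echo "anonymous access to $BASE_DN is disabled"
    else
        echo "anonymous access to $BASE_DN was NOT refused; inspect the ldapsearch output" >&2
        exit 1
    fi
fi
```

Run it as `sh disable_anon.sh apply` on the server; without the `apply` argument it only defines the functions, so the LDIF can be inspected with `global_auth_ldif` before anything is changed. A return of 2 from the check is deliberately not treated as success: a server that is down also produces no entries, and "no entries" is not the same as "anonymous access refused".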

I've not tested it, but try something like this:

# "add:" appends these values after any olcAccess values already on the
# database, and ACLs are evaluated in order, so list the existing ones first:
#   ldapsearch -Q -Y EXTERNAL -H ldapi:/// -b olcDatabase={1}hdb,cn=config olcAccess
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: to attrs=userPassword
    by dn="cn=admin,dc=example,dc=com" write
    by self write
    by * none
olcAccess: to dn.base=""
    by users read
    by * none
olcAccess: to *
    by dn="cn=admin,dc=example,dc=com" write
    by * none
quanta
  • Thanks, this is how I am currently doing it per database. However, my question was how to do it globally. – Michael P Oct 29 '11 at 22:18