I need to secure my LDAP server and am not quite sure the best way to go about it. I am running Debian "Lenny", and using OpenLDAP (slapd).

I notice that if I run:

ldapsearch -x -W -b 'dc=example,dc=com' -H 'ldap://127.0.0.1:389/' 'objectclass=*'

and just press ENTER when it prompts for a password, I get a list of directory entries. Anonymous access is not acceptable if I am opening this up to the internet, but I cannot find a way to disable anonymous access.

I have tried modifying /etc/ldap/slapd.conf to the following:

access to *
    by dn="cn=admin,dc=example,dc=com" write
    by * none

... but that doesn't do the trick.

After this, I will get it running over TLS, but it is pointless doing that step while still allowing anonymous access.

Any ideas?

Peter Sankauskas
  • TLS is not completely pointless. It also allows securing passwords for non-anonymous binds, and making sure it's really your LDAP server you're connecting to. – user1686 Sep 10 '09 at 04:42

3 Answers

If the accepted answer does not work for you (it didn't for me on Ubuntu), try the following.

Create an LDIF file:

nano /usr/share/slapd/ldap_disable_bind_anon.ldif

Paste in this:

dn: cn=config
changetype: modify
add: olcDisallows
olcDisallows: bind_anon

dn: cn=config
changetype: modify
add: olcRequires
olcRequires: authc

dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: olcRequires
olcRequires: authc

And then run:

ldapadd -Y EXTERNAL -H ldapi:/// -f /usr/share/slapd/ldap_disable_bind_anon.ldif
Slye
gavanon

To completely disable anonymous bind, add this line to slapd.conf:

disallow bind_anon

and restart the slapd service.

030
Josh Budde
  • For FreeBSD: This line "disallow bind_anon" should be added in the global section. Adding at the bottom did not work for me. https://www.freebsd.org/cgi/man.cgi?query=slapd.conf&apropos=0&sektion=0&manpath=FreeBSD+9.3-RELEASE+and+Ports&arch=default&format=html – sunil_rbc Jun 01 '22 at 07:51
  • As @sunil_rbc mentioned, works on FreeBSD as long as you add this config in the global section of slapd.conf – Codigo Morsa Mar 11 '23 at 19:39
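A way to check where those directives actually landed in an existing slapd.conf, as an added Python example that is not part of the answer above. It assumes slapd.conf's documented layout rules (a line beginning with whitespace continues the previous line, `#` starts a comment, and the global section ends at the first `backend` or `database` directive), so a `disallow bind_anon` appended below the database block is not in the global section, which is what the FreeBSD comment ran into; both sample configs are constructed.

```python
def logical_lines(text):
    """Join slapd.conf continuation lines; drop comments and blank lines."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and out:
            out[-1] += " " + raw.strip()   # continuation of the previous line
        else:
            out.append(raw.strip())
    return out

def anon_bind_status(text):
    """Map 'disallow_bind_anon' / 'require_authc' to 'global', 'after_database'
    (first seen only below a backend/database line) or 'missing'.
    'disallow' is a global directive; 'require' is also accepted per database,
    which is why the LDIF answer sets olcRequires on cn=config and the frontend."""
    wanted = {"disallow_bind_anon": ("disallow", "bind_anon"),
              "require_authc": ("require", "authc")}
    found = {key: "missing" for key in wanted}
    in_global = True
    for line in logical_lines(text):
        parts = line.split()
        directive = parts[0].lower()
        if directive in ("backend", "database"):
            in_global = False          # global section ends here
            continue
        values = [p.lower() for p in parts[1:]]
        for key, (name, value) in wanted.items():
            if directive == name and value in values and found[key] == "missing":
                found[key] = "global" if in_global else "after_database"
    return found

# Constructed sample: 'disallow bind_anon' appended at the bottom, below the
# database block, as in the FreeBSD comment above.
BOTTOM = """\
include /etc/ldap/schema/core.schema
database bdb
suffix "dc=example,dc=com"
disallow bind_anon
"""
# Constructed sample: the same directive placed in the global section.
GLOBAL = """\
include /etc/ldap/schema/core.schema
disallow bind_anon
require authc
database bdb
suffix "dc=example,dc=com"
"""
```

Running `anon_bind_status` on your own /etc/ldap/slapd.conf tells you whether the directive sits before the first database declaration, before you restart slapd and re-test with the anonymous `ldapsearch -x` from the question.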
Since you are planning to go SSL/TLS soon, you may want to consider using client certificate verification to further tighten your security. Stunnel with -v -A options would do nicely.

sybreon