Disallow global anonymous bind with cn=config

Solution 1:

Not that quanta's ACLs are a bad thing, but to answer your question:

ldapmodify
dn: cn=config
changetype: modify
add: olcDisallows
olcDisallows: bind_anon
-

dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: olcRequires
olcRequires: authc

Please be aware that ldapmodify is sensitive to (trailing) spaces, so a straight copy-paste won't work (and may not authenticate you properly either). Also, the dn you use will need write access to the cn=config db.

Solution 2:

Variation on the same theme, I tried it out, works: LDAP security tips at SysadminTalk

Summary:

1) Create a file, let's call it disable_anon_frontend.ldif with the following content:

dn: olcDatabase={-1}frontend,cn=config
add: olcRequires
olcRequires: authc

2) Create another file called disable_anon_backend.ldif with the following content:

dn: olcDatabase={1}hdb,cn=config
add: olcRequires
olcRequires: authc

3) Then on the server, modify the LDAP by issuing the following commands:

sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f disable_anon_frontend.ldif
sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f disable_anon_backend.ldif

4) Check by executing the following anon query: ldapsearch -x -LLL -H ldap:/// -b dc=example,dc=domain,dc=com dn (use your dc=... settings as applicable).

If you see the error message below, then anonymous access has been successfully disabled:

Server is unwilling to perform (53)
Additional information: authentication required

Good luck!
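As an added check for step 4 (not part of the original answer), this POSIX shell helper runs the same anonymous query and classifies the ldapsearch exit status, so that an unreachable server is not mistaken for a hardened one; the LDAP URI and base DN are placeholders for your own values.

```shell
#!/bin/sh
# Added verification helper, not code from the original answers.
# ldapsearch (OpenLDAP client tools) exits with the LDAP result code,
# which is what the step 4 check actually relies on.

# classify_anon_search STATUS
# Maps an ldapsearch exit status to: disabled, open, unreachable or other.
classify_anon_search() {
    case "$1" in
        0)   echo open ;;        # anonymous search returned data: still exposed
        53)  echo disabled ;;    # unwillingToPerform, "authentication required" (olcRequires authc)
        48)  echo disabled ;;    # inappropriateAuthentication: anonymous bind itself refused (olcDisallows bind_anon)
        255) echo unreachable ;; # can't contact server: says nothing about the access state
        *)   echo other ;;       # e.g. 32 noSuchObject: the server still answered anonymously, so fix the base DN and re-run
    esac
}

# check_anon_bind LDAP_URI BASE_DN
# Performs the answer's anonymous query (base scope keeps it cheap) and prints the verdict.
check_anon_bind() {
    uri=$1    # placeholder, e.g. ldap://ldap.example.com
    base=$2   # placeholder, e.g. dc=example,dc=com
    status=0
    # -x with no -D is a simple bind with an empty DN, i.e. anonymous.
    ldapsearch -x -LLL -H "$uri" -b "$base" -s base dn >/dev/null 2>&1 || status=$?
    classify_anon_search "$status"
}

if [ $# -eq 2 ]; then
    check_anon_bind "$1" "$2"   # usage: ./check_anon.sh ldap://ldap.example.com dc=example,dc=com
fi
```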

Solution 3:

I've not tested but try something like this:

dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: to attrs=userPassword
 by dn="cn=admin,dc=example,dc=com" write
 by self write
 by * none
olcAccess: to dn.base=""
 by users read
 by * none
olcAccess: to *
 by dn="cn=admin,dc=example,dc=com" write
 by * none