How to disable anonymous access on LDAP
Solution 1
To completely disable anonymous bind, add this line to slapd.conf:
disallow bind_anon
and restart the slapd service.
Solution 2
If the accepted answer does not work for you (it didn't for me on Ubuntu), try the following.
Create an LDIF file:
nano /usr/share/slapd/ldap_disable_bind_anon.ldif
Paste in this:
# Reject anonymous bind requests (global setting).
dn: cn=config
changetype: modify
add: olcDisallows
olcDisallows: bind_anon

# Require authentication before any directory operation (global setting).
dn: cn=config
changetype: modify
add: olcRequires
olcRequires: authc

# Same requirement on the frontend database.
# Each record must be separated from the next by a blank line, as above.
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: olcRequires
olcRequires: authc
And then run:
ldapadd -Y EXTERNAL -H ldapi:/// -f /usr/share/slapd/ldap_disable_bind_anon.ldif
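Whichever of the two solutions applies (slapd.conf on servers still using the static configuration, the cn=config LDIF on Debian/Ubuntu packages that ship the dynamic configuration under /etc/ldap/slapd.d), the change is worth verifying from the network side rather than trusting the config. The two settings do different jobs: disallow bind_anon refuses anonymous bind requests, while require authc refuses directory operations from a session that never authenticated, which is why the LDIF above sets both. The script below is an added example, not code from either answer: it repeats the question's anonymous ldapsearch and classifies the exit code (ldapsearch exits with the LDAP result code; 48 is inappropriateAuthentication), checks that an authenticated bind still works so the change has not locked administrators out, and audits cn=config over ldapi for the two attributes. The server URI, base DN, bind DN, password file and the LDIF fed to the parser are placeholders assumed for this example.

```shell
#!/bin/sh
# Added verification helper; not part of the original answers.
# Assumes the OpenLDAP client tools (ldapsearch) are installed and that the
# values below are adjusted for the real server (they are placeholders).
LDAP_URI="${LDAP_URI:-ldap://127.0.0.1:389/}"
BASE_DN="${BASE_DN:-dc=example,dc=com}"
BIND_DN="${BIND_DN:-cn=admin,dc=example,dc=com}"
LDAP_PASS_FILE="${LDAP_PASS_FILE:-/root/.ldap-admin-pass}"   # assumed path, read with -y

# ldapsearch exits with the LDAP result code of the failing operation.
# 0  : the anonymous search returned data, so anonymous access is still open.
# 48 : inappropriateAuthentication, returned either for the rejected anonymous
#      bind (disallow bind_anon) or for the rejected search (require authc).
verdict_for_rc() {
    case "$1" in
        0)  echo "OPEN: anonymous search succeeded (rc 0)" ;;
        48) echo "CLOSED: unauthenticated access refused (inappropriateAuthentication, rc 48)" ;;
        *)  echo "UNKNOWN: ldapsearch exit code $1" ;;
    esac
}

# Probe the server the way an unauthenticated client on the network would
# (same shape as the question's ldapsearch -x command, no -D, no password).
probe_anon_bind() {
    rc=0
    ldapsearch -x -LLL -H "$LDAP_URI" -b "$BASE_DN" -s base '(objectClass=*)' dn \
        >/dev/null 2>&1 || rc=$?
    verdict_for_rc "$rc"
}

# Confirm an authenticated simple bind still works after the change, so the
# administrator has not locked everyone out. Password comes from a file (-y)
# rather than the command line, so it does not show up in ps output.
probe_authenticated_bind() {
    if ldapsearch -x -LLL -H "$LDAP_URI" -D "$BIND_DN" -y "$LDAP_PASS_FILE" \
            -b "$BASE_DN" -s base '(objectClass=*)' dn >/dev/null 2>&1; then
        echo "OK: authenticated bind as $BIND_DN succeeded"
    else
        echo "FAIL: authenticated bind as $BIND_DN failed (rc $?)"
    fi
}

# Parse LDIF on stdin (as emitted by ldapsearch -LLL against cn=config) and
# count how many entries carry olcDisallows: bind_anon and olcRequires: authc.
# Expected after applying the LDIF above: bind_anon=1 authc=2
# (authc once globally on cn=config and once on the frontend database).
audit_config_ldif() {
    awk '
        /^olcDisallows:.*bind_anon/ { anon++ }
        /^olcRequires:.*authc/      { authc++ }
        END { printf "bind_anon=%d authc=%d\n", anon, authc }
    '
}

# Read the live configuration as root over the ldapi socket (SASL EXTERNAL,
# the same mechanism the ldapadd command in Solution 2 uses) and audit it.
audit_live_config() {
    ldapsearch -Y EXTERNAL -H ldapi:/// -Q -LLL -b cn=config \
        '(objectClass=*)' olcDisallows olcRequires 2>/dev/null | audit_config_ldif
}

# Run all three checks only when invoked as "check"; defining the functions
# alone has no side effects and needs no server.
if [ "${1:-}" = "check" ]; then
    probe_anon_bind
    probe_authenticated_bind
    audit_live_config
fi
```

Run it as root on the directory host (`sh verify_anon.sh check`) and from a second machine with LDAP_URI pointing at the public address: the first line should read CLOSED, the second OK, and the audit should report bind_anon=1 authc=2. A result of OPEN from the outside with bind_anon=1 in the audit means the running slapd has not picked up the new configuration, which is the situation Solution 2 describes when the slapd.conf change is ignored.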
Comments
-
Peter Sankauskas over 1 year
I need to secure my LDAP server and am not quite sure the best way to go about it. I am running Debian "Lenny", and using OpenLDAP (slapd).
I notice that if I run:
ldapsearch -x -W -b 'dc=example,dc=com' -H 'ldap://127.0.0.1:389/' 'objectclass=*'
and just press ENTER when it prompts for a password, that I get a list of directory entries. Anonymous access is not acceptable if I am opening this up to the internet, but cannot find a way to disable anonymous access.
I have tried modifying /etc/ldap/slapd.conf to the following:
access to * by dn="cn=admin,dc=example,dc=com" write by * none
... but that doesn't do the trick.
After this, I will get it running over TLS, but it is pointless doing that step while still allowing anonymous access.
Any ideas?
-
RPB about 5 years
Works on Ubuntu!!
-
Al Klimov over 2 years
Are the 1st and 3rd ones actually required?
-
Admin almost 2 years
For FreeBSD: the line "disallow bind_anon" should be added in the global section. Adding it at the bottom did not work for me. freebsd.org/cgi/…