7.6. Allowing Unauthenticated Binds

An unauthenticated bind is a bind where the user supplies a bind identity (a DN) but no password. For example, running ldapsearch with a bind DN but without the password option:
/usr/lib/mozldap/ldapsearch -D "cn=directory manager" -b "dc=example,dc=com" -s sub "(objectclass=*)"
When unauthenticated binds are allowed, the bind attempt goes through as an anonymous bind.
Unauthenticated binds are less secure than authenticated binds, and in some directories they can be used to circumvent ACIs or to perform denial-of-service attacks. This is why unauthenticated binds are disabled by default in Directory Server. If a user tries to bind with a DN but without a password, the attempt fails:
ldap_simple_bind: DSA is unwilling to perform
ldap_simple_bind: additional info: Unauthenticated binds are not allowed
The unauthenticated-bind rule applies only to bind attempts where a bind identity is given but no password is. If a password is given and it is wrong, the operation fails with an invalid credentials error instead:
ldap_simple_bind: Invalid credentials
If neither a bind ID nor a password is given, the bind is a plain anonymous bind, and the directory returns whatever information is allowed for anonymous access.
The nsslapd-allow-unauthenticated-binds attribute sets whether to allow an unauthenticated bind to succeed as an anonymous bind. Setting this parameter to on allows unauthenticated binds. By default, this parameter is off.
To configure unauthenticated binds, modify the cn=config entry (which Directory Server stores in the dse.ldif file) with ldapmodify; the LDIF change below is supplied on standard input:
/usr/lib/mozldap/ldapmodify -D "cn=directory manager" -w secret -p 389 -h server.example.com

dn: cn=config
changetype: modify
replace: nsslapd-allow-unauthenticated-binds
nsslapd-allow-unauthenticated-binds: on
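The following Python script is an added example, not code from Red Hat or the 389 Directory Server project. It models the bind outcomes the section describes (anonymous, unwilling to perform, invalid credentials, authenticated) as a function of the nsslapd-allow-unauthenticated-binds setting, and it audits a dse.ldif fragment to report whether the setting has been turned on. The directory contents and the dse.ldif text are constructed sample data; the parser is a deliberately minimal LDIF reader (no base64 "::" values) written for this example.

```python
"""Model of simple-bind handling under nsslapd-allow-unauthenticated-binds,
plus an auditor for a dse.ldif fragment. Added example, not 389 DS code."""

# Outcome labels, named after the messages shown in the documentation.
AUTHENTICATED = "authenticated bind"
ANONYMOUS = "anonymous bind"
UNWILLING = "ldap_simple_bind: DSA is unwilling to perform (unauthenticated binds are not allowed)"
INVALID = "ldap_simple_bind: Invalid credentials"

# Constructed sample directory: bind DN -> password (hypothetical data).
DIRECTORY = {
    "cn=directory manager": "secret",
    "uid=alice,dc=example,dc=com": "alice-pw",
}


def bind_outcome(bind_dn, password, allow_unauthenticated):
    """Classify a simple bind the way the documentation describes it.

    - no DN and no password           -> plain anonymous bind
    - DN but no password              -> anonymous if the setting is on,
                                         otherwise unwillingToPerform
    - DN and password                 -> authenticated or invalidCredentials
    """
    if not bind_dn and not password:
        return ANONYMOUS
    if bind_dn and not password:
        # This is the unauthenticated bind the setting controls.
        return ANONYMOUS if allow_unauthenticated else UNWILLING
    if DIRECTORY.get(bind_dn) == password:
        return AUTHENTICATED
    return INVALID


def parse_ldif(text):
    """Minimal LDIF parser: list of dicts mapping attribute -> [values].

    Handles folded continuation lines (leading space) and '#' comments.
    Base64 ('::') values are not decoded; this is enough for cn=config audits.
    """
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, current = [], {}
    for line in unfolded + [""]:  # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries


def unauthenticated_binds_allowed(dse_ldif_text):
    """Audit check: True only if cn=config has the attribute set to 'on'.

    The attribute defaults to off, so a missing attribute means disabled.
    """
    for entry in parse_ldif(dse_ldif_text):
        if entry.get("dn", [""])[0].lower() == "cn=config":
            values = entry.get("nsslapd-allow-unauthenticated-binds", ["off"])
            return values[0].lower() == "on"
    return False


# Constructed dse.ldif fragment with the weak setting enabled.
SAMPLE_DSE_ON = """dn: cn=config
cn: config
objectClass: top
nsslapd-allow-unauthenticated-binds: on

dn: cn=encryption,cn=config
cn: encryption
"""

# Same fragment with the attribute absent, i.e. the secure default.
SAMPLE_DSE_DEFAULT = SAMPLE_DSE_ON.replace(
    "nsslapd-allow-unauthenticated-binds: on\n", "")


if __name__ == "__main__":
    for sample, label in ((SAMPLE_DSE_ON, "on"), (SAMPLE_DSE_DEFAULT, "default")):
        allow = unauthenticated_binds_allowed(sample)
        print(f"dse.ldif ({label}): unauthenticated binds allowed = {allow}")
        print("  bind 'cn=directory manager' with no password ->",
              bind_outcome("cn=directory manager", "", allow))
```

The audit function is the defender's check: point it at the cn=config entry exported from dse.ldif (or at the output of an ldapsearch against cn=config) and it flags a server where a DN-only bind would silently succeed as anonymous.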