Show Table of Contents
28.3. Disabling Anonymous Binds
Accessing domain resources and running client tools always require Kerberos authentication. However, the backend LDAP directory used by the IdM server allows anonymous binds by default. This potentially opens up all of the domain configuration to unauthorized users, including information about users, machines, groups, services, netgroups, and DNS configuration.
It is possible to disable anonymous binds on the 389 Directory Server instance by using LDAP tools to reset the
nsslapd-allow-anonymous-access attribute.
- Change the
nsslapd-allow-anonymous-accessattribute torootdse.ldapmodify -x -D "cn=Directory Manager" -w secret -h server.example.com -p 389 Enter LDAP Password: dn: cn=config changetype: modify replace: nsslapd-allow-anonymous-access nsslapd-allow-anonymous-access: rootdse
Important
Anonymous access can be completely allowed (on) or completely blocked (off). However, completely blocking anonymous access also blocks external clients from checking the server configuration. LDAP and web clients are not necessarily domain clients, so they connect anonymously to read the root DSE file to get connection information.Therootdseallows access to the root DSE and server configuration without any access to the directory data. - Restart the 389 Directory Server instance to load the new setting.
service dirsrv restart
Where did the comment section go?
Red Hat's documentation publication system recently went through an upgrade to enable speedier, more mobile-friendly content. We decided to re-evaluate our commenting platform to ensure that it meets your expectations and serves as an optimal feedback mechanism. During this redesign, we invite your input on providing feedback on Red Hat documentation via the discussion platform.