Chapter 36. Disabling Anonymous Binds

Accessing domain resources and running client tools always require Kerberos authentication. However, the back end LDAP directory used by the IdM server allows anonymous binds by default. This potentially opens up all of the domain configuration to unauthorized users, including information about users, machines, groups, services, netgroups, and DNS configuration.
It is possible to disable anonymous binds on the 389 Directory Server instance by using LDAP tools to reset the nsslapd-allow-anonymous-access attribute.

Warning

Certain clients rely on anonymous binds to discover IdM settings. Additionally, the compat tree can break for legacy clients that are not using authentication.
  1. Change the nsslapd-allow-anonymous-access attribute to rootdse.
    $ ldapmodify -x -D "cn=Directory Manager" -W -h server.example.com -p 389 -ZZ
    Enter LDAP Password:
    dn: cn=config
    changetype: modify
    replace: nsslapd-allow-anonymous-access
    nsslapd-allow-anonymous-access: rootdse
    
    modifying entry "cn=config"

    Important

    Anonymous access can be completely allowed (on) or completely blocked (off). However, completely blocking anonymous access also blocks external clients from checking the server configuration. LDAP and web clients are not necessarily domain clients, so they connect anonymously to read the root DSE file to get connection information.
    The rootdse allows access to the root DSE and server configuration without any access to the directory data.
  2. Restart the 389 Directory Server instance to load the new setting.
    # systemctl restart dirsrv.target
Additional Resources: