Chapter 8. Disabling anonymous binds
If a user attempts to connect to Directory Server without supplying any credentials, this operation is called an anonymous bind. Anonymous binds simplify searches and read operations, such as finding a phone number in the directory, by not requiring users to authenticate first. However, anonymous binds can also be a security risk, because users without an account are able to access the data.
By default, anonymous binds are enabled in Directory Server for search and read operations. This allows unauthorized access to user entries as well as configuration entries, such as the root directory server entry (DSE).
8.1. Disabling anonymous binds using the command line
To increase security, you can disable anonymous binds.
Procedure
Set the nsslapd-allow-anonymous-access configuration parameter to off:
# dsconf -D "cn=Directory Manager" ldap://server.example.com config replace nsslapd-allow-anonymous-access=off
Verification
Run a search without specifying a user account:
# ldapsearch -H ldap://server.example.com -b "dc=example,dc=com" -x
ldap_bind: Inappropriate authentication (48)
	additional info: Anonymous access is not allowed
8.2. Disabling anonymous binds using the web console
To increase security, you can disable anonymous binds.
Prerequisites
- You are logged in to the instance in the web console.
Procedure
- Navigate to .
- Set the Allow Anonymous Access parameter to off.
- Click .
Verification
Run a search without specifying a user account:
# ldapsearch -H ldap://server.example.com -b "dc=example,dc=com" -x
ldap_bind: Inappropriate authentication (48)
	additional info: Anonymous access is not allowed
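The verification step in both 8.1 and 8.2 is a manual look at ldapsearch output. The following script, added here as an example and not part of the Red Hat documentation, turns that check into something you can run across many instances: it classifies the output of the same anonymous search (blocked, still allowed, or server unreachable) and extracts the effective nsslapd-allow-anonymous-access value from an LDIF dump of cn=config. The sample outputs are constructed; the hostname and base DN in the live probe are assumed values.

```shell
# Constructed sample outputs, embedded so the classifier can be exercised offline.
SAMPLE_BLOCKED='ldap_bind: Inappropriate authentication (48)
        additional info: Anonymous access is not allowed'
SAMPLE_ALLOWED='dn: dc=example,dc=com
objectClass: top
objectClass: domain
dc: example

# search result
search: 2
result: 0 Success'
SAMPLE_DOWN="ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)"

# Map captured ldapsearch output to a verdict:
#   blocked     - anonymous bind rejected (the hardened state)
#   allowed     - anonymous search returned entries (still exposed)
#   unreachable - could not talk to the server, no conclusion
#   unknown     - anything else, inspect manually
classify_anon_search() {
  case "$1" in
    *"Inappropriate authentication (48)"*) echo blocked ;;
    *"result: 0 Success"*)                 echo allowed ;;
    *"Can't contact LDAP server"*)         echo unreachable ;;
    *)                                     echo unknown ;;
  esac
}

# Extract nsslapd-allow-anonymous-access from an LDIF dump of cn=config
# (obtained with an authenticated bind, e.g. as cn=Directory Manager).
# Prints the value, or nothing if the attribute is absent. Expected: off.
config_anon_setting() {
  printf '%s\n' "$1" | sed -n 's/^nsslapd-allow-anonymous-access: *//p'
}

# Live probe: the same anonymous search the docs use, restricted to the
# base entry. Arguments: hostname, base DN (assumed values, not from the page).
# Exit status is 0 only when anonymous access is blocked.
probe_anon_bind() {
  out=$(ldapsearch -H "ldap://$1" -b "$2" -x -s base 2>&1)
  verdict=$(classify_anon_search "$out")
  echo "$1: $verdict"
  [ "$verdict" = blocked ]
}

# Usage against a real instance:
#   probe_anon_bind server.example.com "dc=example,dc=com"
```

An "unreachable" verdict is deliberately not treated as a pass: a server that cannot be contacted has not been shown to reject anonymous binds.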