[Fedora-directory-devel] wishlist & anonymous binds

Mike Jackson mj at sci.fi
Sat Jun 4 21:05:10 UTC 2005


Dave Coyle [contractor] wrote:
> The Wishlist page [ http://directory.fedora.redhat.com/wiki/Wishlist ] lists
> 'option to disable anonymous binds' as a desired feature, but one can
> already do this via ACIs, e.g.:
> 
> aci: (targetattr="*")(version 3.0; acl "deny anonymous access by default";
> deny (all) userdn="ldap:///anyone";)
> 
> Would this provide what was desired, or is there more to the feature
> request?

There is a lot more to this feature request.

Note that "anonymous bind" and "anonymous access" are two different things.


An LDAP server has 3 external interfaces:

  - authentication
  - data access
  - replication


The authentication interface is not controlled by access controls, but 
it is controlled by password policies (time of day, from which IP, max 
password failures, etc) if they are enabled. The authentication 
interface is often used by itself, with no data access requests sent to 
the server, when applications only authenticate users via LDAP.

To use the data access interface, you must first bind via the 
authentication interface. The bind is either anonymous, or as a user in 
the directory. Depending on the access controls, you may or may not be 
able to read any data.

The reason why it is desirable to be able to disable anonymous binds is 
that (poorly coded) applications which only authenticate users from LDAP 
will authenticate a user to the application, even if the user gives a 
blank username and password. To the LDAP server, when you don't give a 
username and password, you are binding anonymously, and the server will 
always return SUCCESS to the authentication handler. You can always bind 
anonymously to an LDAP server.

Well-coded applications should trap these empty strings before sending 
the bind, and substitute the empty strings with random text, etc, so 
that an anonymous bind will not be sent and the credentials which are 
sent will cause the bind to fail.


Mike

-- 
LDAP Directory Consulting - http://www.netauth.com
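Added example (not code from this thread or from Fedora Directory Server) illustrating the failure mode Mike describes: an application that only uses the authentication interface and treats a SUCCESS bind result as proof of identity. No directory is contacted; `FakeLdapServer` is a constructed stand-in for the server's authentication interface, and the DN template, the user entry and its password are made up. The stand-in is assumed to answer SUCCESS whenever no password is supplied, which covers the anonymous bind (empty DN and empty password) from the message and also the unauthenticated bind (DN with empty password) that RFC 4513 §5.1.2 tells servers to reject by default but which some deployments still accept.

```python
"""Anonymous-bind pitfall in LDAP-backed application logins (added example).

The server below is a constructed simulation; the point is the two login
functions: one trusts the bind result code alone, the other refuses to send a
bind at all when either credential is empty.
"""

# LDAP result codes (RFC 4511 Appendix A).
SUCCESS = 0
INVALID_CREDENTIALS = 49

# Constructed user store for the simulated directory: DN -> password.
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": "correct-horse",
}


def uid_to_dn(uid: str) -> str:
    """Constructed DN template: how this hypothetical app maps a login name."""
    return f"uid={uid},ou=people,dc=example,dc=com"


class FakeLdapServer:
    """Models only the authentication interface (simple bind), not data access.

    Assumption for this example: no password supplied means no password is
    checked, so the server answers SUCCESS. That is the anonymous bind Mike
    describes when the DN is also empty, and an unauthenticated bind when a
    DN is present; neither establishes an identity.
    """

    def simple_bind(self, dn: str, password: str) -> int:
        if password == "":
            return SUCCESS
        if DIRECTORY.get(dn) == password:
            return SUCCESS
        return INVALID_CREDENTIALS


def vulnerable_login(server: FakeLdapServer, username: str, password: str) -> bool:
    """The 'poorly coded' pattern: whatever the form sends goes straight into
    the bind, and SUCCESS is taken to mean the user is who they claim."""
    dn = uid_to_dn(username) if username else ""
    return server.simple_bind(dn, password) == SUCCESS


def hardened_login(server: FakeLdapServer, username: str, password: str) -> bool:
    """Trap empty strings before the bind is ever sent, as the message advises.

    Refusing outright has the same effect as substituting random text for the
    empty fields: no anonymous or unauthenticated bind reaches the server.
    """
    if username == "" or password == "":
        return False
    return server.simple_bind(uid_to_dn(username), password) == SUCCESS


def compare(server: FakeLdapServer):
    """Return (username, password, vulnerable_result, hardened_result) rows."""
    attempts = [("", ""), ("alice", ""), ("alice", "wrong"), ("alice", "correct-horse")]
    return [
        (u, p, vulnerable_login(server, u, p), hardened_login(server, u, p))
        for u, p in attempts
    ]


if __name__ == "__main__":
    for user, pw, weak, strong in compare(FakeLdapServer()):
        print(f"user={user!r:10} pw={pw!r:16} vulnerable={weak!s:5} hardened={strong}")
```

Running the block prints one row per attempt: the vulnerable function accepts the blank login and the blank password, the hardened one accepts only the real credentials. Checking the result code is still necessary for the hardened path; the fix is simply never to let an empty credential reach the bind.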
