[389-users] anonymous access

Techie techchavez at gmail.com
Tue Jul 28 14:20:01 UTC 2009


On Tue, Jul 28, 2009 at 2:13 AM, John A. Sullivan
III<jsullivan at opensourcedevel.com> wrote:
> On Mon, 2009-07-27 at 23:29 -0700, Techie wrote:
>> Hello,
>> I am trying to altogether eliminate anonymous access to my directory.
>> However in doing this my authentication fails unless... I add a binddn
>> and bindpw to the ldap.conf on the clients.
>> As I understand it, "bindpw" is inappropriate according to the OpenLDAP
>> architects.
>>
>> So my situation right now looks like this. I have an ldap.conf
>> populated with a binddn and bindpw entry.
>> This allows me to remove anonymous access and authenticate to the
>> directory with LDAP user credentials.
>> This is what I want; I just do not want to store a username and password
>> in the ldap.conf file.
>>
>> However, if I remove this binddn and bindpw entry and I disallow
>> anonymous access, I am unable to authenticate against the directory
>> using LDAP user credentials. Even though upon attempting to log in I am
>> supplying valid LDAP user credentials, it cannot find the user because
>> it initially binds as "nobody" or 'dn=""' in the access log and is
>> unable to locate attributes due to the lack of anonymous access.
>>
>> Is there a way to have LDAP use the credentials of the user logging in
>> to bind to the directory initially?
>> What are my options?
>> I can force SASL GSSAPI, but it is not ideal in my situation.
>>
> <snip>
> As far as I know (and that's not very far), that's the way it is.  How
> else would the client be able to query the directory?  We made sure we
> did not use a sensitive password and also ensured the ldap.conf file was
> NOT world readable.  We also had to implement some custom ACIs to
> replace anonymous access and, I'm surprised how many applications simply
> assume anonymous access; we had to do a bit of dancing on a per
> application basis to make them work.  Hope this helps - John
> --
> John A. Sullivan III
> Open Source Development Corporation
> +1 207-985-7880
> jsullivan at opensourcedevel.com
>
> http://www.spiritualoutreach.com
> Making Christianity intelligible to secular society
John,
It does help, thank you. Currently I use an account for the binddn
that has only read access to a subset of attributes, so not much damage
can be done. I will keep searching and see what I find.

Thanks again

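The two mitigations the thread settles on, a client ldap.conf that is not world readable and a proxy bind account whose ACI grants read access to only a handful of attributes, can both be checked and generated with a small script. The script below is an added example written for this archive page; it is not code from either poster and not part of 389 Directory Server. The file paths, the proxy DN uid=nssproxy,ou=special,dc=example,dc=com and the attribute list are constructed assumptions; the ACI syntax is the standard 389 DS form (targetattr / version 3.0 / allow ... userdn) and would be applied to the suffix entry with ldapmodify, which the script does not do.

```shell
#!/bin/sh
# Added example (not from the thread): audit a client ldap.conf that carries a
# proxy binddn/bindpw and render the 389 DS ACI that limits what that proxy
# account may read. All paths and DNs below are constructed for illustration.

# check_ldap_conf FILE
# Returns 0 when FILE is acceptable to hold a bindpw: it exists and, if a
# bindpw line is present, group and other permission bits are all clear
# (mode 0600 or tighter). A file without bindpw passes regardless of mode.
check_ldap_conf() {
    f="$1"
    [ -f "$f" ] || { echo "$f: missing"; return 1; }
    # GNU stat first, BSD stat as a fallback
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    if grep -qi '^[[:space:]]*bindpw' "$f"; then
        # last two octal digits are the group and other bits
        go=$(printf '%s' "$mode" | tail -c 2)
        if [ "$go" != "00" ]; then
            echo "$f: contains bindpw but mode is $mode (needs 0600 or tighter)"
            return 1
        fi
    fi
    echo "$f: ok (mode $mode)"
    return 0
}

# proxy_aci PROXY_DN ATTR...
# Prints one ACI granting PROXY_DN read/search/compare on only the listed
# attributes. userPassword is deliberately not in the list: the user's own
# bind verifies the password, so the proxy never needs to read it.
proxy_aci() {
    dn="$1"; shift
    attrs=""
    for a in "$@"; do
        attrs="${attrs:+$attrs || }$a"
    done
    printf 'aci: (targetattr="%s")(version 3.0; acl "nss proxy read"; allow (read, search, compare) userdn="ldap:///%s";)\n' \
        "$attrs" "$dn"
}

# Demo on a constructed ldap.conf in a temporary directory.
demo_dir=$(mktemp -d)
printf 'uri ldap://ldap.example.com/\nbase dc=example,dc=com\nbinddn uid=nssproxy,ou=special,dc=example,dc=com\nbindpw constructed-proxy-secret\n' \
    > "$demo_dir/ldap.conf"
chmod 644 "$demo_dir/ldap.conf"
check_ldap_conf "$demo_dir/ldap.conf" || true   # flagged: world readable
chmod 600 "$demo_dir/ldap.conf"
check_ldap_conf "$demo_dir/ldap.conf"           # passes
proxy_aci "uid=nssproxy,ou=special,dc=example,dc=com" \
    uid cn uidNumber gidNumber homeDirectory loginShell objectClass
rm -rf "$demo_dir"
```

The attribute list is the minimum a typical nss_ldap passwd lookup needs; add memberUid or gidNumber on groups if group resolution also goes through the proxy. Because the ACI names the proxy DN explicitly, revoking the account or changing its password immediately limits what a leaked ldap.conf can be used for.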
