[Freeipa-users] Disabling Anonymous Binds (LDAP)

Brian Candler b.candler at pobox.com
Thu Nov 17 12:00:07 UTC 2016


On 16/11/2016 16:46, Dan.Finkelstein at high5games.com wrote:
> I've seen some discussion in the (distant) past about disabling 
> anonymous binds to the LDAP component of IPA, and I'm wondering if 
> there's a preferred method to do it. Further, are there any known 
> problems with disabling anonymous binds when using FreeIPA? The only 
> modern documentation I can find is here: 
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/disabling-anon-binds.html, 
> and I'm curious if FreeIPA has a different way.

FWIW, I see the same here. Installed ipa-server under CentOS 7 (which 
gave me freeipa 4.2.0), and found anonymous binds allowed: tested by 
"ldapsearch -x ..."

I was able to disable anonymous bind (and also disable unencrypted 
queries) by changing the cn=config entry:

dn: cn=config
changetype: modify
replace: nsslapd-allow-anonymous-access
nsslapd-allow-anonymous-access: rootdse
-
replace: nsslapd-minssf
nsslapd-minssf: 56

I don't think this replicated from master to slave though, and I ended 
up doing it on slaves as well.

If there is an "official" way to disable anon bind on FreeIPA 4.x, I 
would like to know it.

Thanks,

Brian.
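As an added example (not part of the original post or of the FreeIPA project), the script below wraps the cn=config change above in a small per-server workflow: probe each server with an unauthenticated `ldapsearch -x`, apply the LDIF over StartTLS, and probe again. It assumes placeholder hostnames and a base DN you supply, and that 389-ds answers a disallowed anonymous search with result code 48 (inappropriateAuthentication) and a cleartext connection below `nsslapd-minssf` with result code 13 (confidentialityRequired). Because cn=config is local to each 389-ds instance and is not replicated, the loop visits every server rather than relying on replication.

```shell
#!/bin/sh
# Added example, not from the original post: check whether a FreeIPA / 389-ds
# instance still accepts anonymous binds and apply the cn=config change to
# every server. Hostnames and base DN are placeholders supplied by the operator.
set -eu

# Constructed placeholders: replace with your own IPA servers. cn=config is
# local to each instance and is not replicated, so every replica needs it.
IPA_SERVERS="ipa1.example.test ipa2.example.test"
BIND_DN="cn=Directory Manager"

# The LDIF from the post: anonymous access limited to the root DSE and a
# minimum security strength factor of 56, which rejects cleartext sessions.
anon_bind_ldif() {
    cat <<'EOF'
dn: cn=config
changetype: modify
replace: nsslapd-allow-anonymous-access
nsslapd-allow-anonymous-access: rootdse
-
replace: nsslapd-minssf
nsslapd-minssf: 56
EOF
}

# Map the exit status of an anonymous ldapsearch probe to a verdict.
#  0 -> the search succeeded: anonymous binds are still allowed
# 48 -> inappropriateAuthentication: 389-ds refused the anonymous bind
# 13 -> confidentialityRequired: nsslapd-minssf refused the cleartext session
# (assumed 389-ds result codes; anything else is reported verbatim)
classify_anon_probe() {
    case "$1" in
        0)  echo "anonymous-allowed" ;;
        48) echo "anonymous-disabled" ;;
        13) echo "cleartext-rejected" ;;
        *)  echo "unknown-rc-$1" ;;
    esac
}

# Probe one server over plain ldap:// with a simple, unauthenticated bind (-x)
# and a base-scoped search that returns no attributes; only the status matters.
probe_server() {
    host="$1"
    base="$2"
    rc=0
    ldapsearch -x -LLL -H "ldap://$host" -b "$base" -s base \
        '(objectClass=*)' 1.1 >/dev/null 2>&1 || rc=$?
    classify_anon_probe "$rc"
}

# Apply the change over StartTLS (-ZZ) so the Directory Manager password never
# crosses the wire in the clear; once minssf is raised, a plain ldap:// bind
# would itself be refused, so this form keeps working after the change.
apply_to_server() {
    host="$1"
    anon_bind_ldif | ldapmodify -ZZ -H "ldap://$host" -D "$BIND_DN" -W
}

# Usage (runs only when a base DN is given on the command line):
#   ./anon-bind.sh dc=example,dc=test
if [ "${1:-}" != "" ]; then
    for h in $IPA_SERVERS; do
        echo "$h before: $(probe_server "$h" "$1")"
        apply_to_server "$h"
        echo "$h after:  $(probe_server "$h" "$1")"
    done
fi
```

Running the probe before and after on each server is the quick way to see which replicas still answer anonymous queries; a server that reports `cleartext-rejected` on plain ldap:// is the expected end state once both attributes are set.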