RE: Security and bind_anonymous_dn
Tue, 23.03.2004 at 21:14, Howard Chu wrote:
> > Can anyone point out any obvious security-based (or other) reason for
> > not allowing bind_anonymous_dn in slapd.conf? If not, why isn't it
> > standard?
>
> There's no problem with it if your server allows anonymous access to perform
> all the operations those various packages need. But then you could just bind
> anonymously with no DN at all and do away with the proxy user entirely.
I've removed the "allow bind_anonymous_dn" and rationalized the whole thing.
Only where there's no obvious entity binding do I now give a user and a
password.
> The reason anonymous_bind_dn is no longer enabled by default is that it
> doesn't actually authenticate anything.
Understood.
> Many LDAP authentication clients out
> there perform an LDAP Simple Bind and assume if it succeeds that the user is
> authenticated, without performing any further verification. When you use
> anonymous_bind_dn, then any LDAP Simple Bind request with any DN and no
> password automatically returns Success, even though the session remains
> anonymous/unprivileged. The client would see Success and then allow the user
> access to whatever resource was being guarded (PAM->Unix host, maybe a web
> server, whatever...)
Thanks for clearing that up, after all that time.
--Tonni
--
mail: billy - at - billy.demon.nl
http://www.billy.demon.nl
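The failure mode Howard describes above, modeled in plain Python as an added illustration (this is not code from the thread, from OpenLDAP, or from any of the client packages mentioned). It stands in for slapd with a small bind handler that either allows or refuses the "DN plus empty password" unauthenticated bind, and puts the naive client pattern (Bind returned Success, so the user is authenticated) beside a hardened client that refuses empty passwords before sending anything and then checks which authorization identity the server actually granted, as a "Who am I?" extended operation (RFC 4532) would report it. The directory entry, password and the exact result code returned when the unauthenticated bind is refused are constructed for the example.

```python
"""Model of the 'allow bind_anon_dn' pitfall: Simple Bind Success != authenticated.

Added example; not OpenLDAP code. Directory contents and the refusal result
code are assumptions made for the illustration.
"""
from dataclasses import dataclass

# LDAP resultCode values (RFC 4511 section 4.1.9), only the ones used here.
SUCCESS = 0
INVALID_CREDENTIALS = 49
UNWILLING_TO_PERFORM = 53   # assumed code for a refused unauthenticated bind

# Constructed sample directory: DN -> userPassword (cleartext for brevity).
DIRECTORY = {
    "uid=tonni,ou=people,dc=example,dc=org": "correct horse battery staple",
}


@dataclass
class BindResult:
    result_code: int
    # Authorization identity the session ends up with, in the form the
    # "Who am I?" extended operation returns: "dn:<DN>", or "" for anonymous.
    authz_id: str


def simple_bind(dn: str, password: str, allow_bind_anon_dn: bool) -> BindResult:
    """Decide a Simple Bind the way the thread describes slapd doing it.

    A non-empty DN with an empty password is an 'unauthenticated' bind
    (RFC 4513 section 5.1.2). With 'allow bind_anon_dn' the server answers
    Success for ANY DN, existing or not, but the session stays anonymous;
    without it the request is refused.
    """
    if dn == "" and password == "":
        return BindResult(SUCCESS, "")           # ordinary anonymous bind
    if password == "":
        if allow_bind_anon_dn:
            return BindResult(SUCCESS, "")       # Success, yet still anonymous
        return BindResult(UNWILLING_TO_PERFORM, "")
    if DIRECTORY.get(dn) == password:
        return BindResult(SUCCESS, "dn:" + dn)   # genuinely authenticated
    return BindResult(INVALID_CREDENTIALS, "")


def naive_client_authenticates(dn: str, password: str, allow_bind_anon_dn: bool) -> bool:
    """The pattern the thread warns about: Bind said Success, so let the user in."""
    return simple_bind(dn, password, allow_bind_anon_dn).result_code == SUCCESS


def hardened_client_authenticates(dn: str, password: str, allow_bind_anon_dn: bool) -> bool:
    """Never send an empty password, and verify the identity the server granted."""
    if password == "":
        return False
    result = simple_bind(dn, password, allow_bind_anon_dn)
    return result.result_code == SUCCESS and result.authz_id == "dn:" + dn


def main() -> None:
    real = "uid=tonni,ou=people,dc=example,dc=org"
    bogus = "uid=nobody,ou=people,dc=example,dc=org"   # constructed, not in DIRECTORY
    cases = [
        ("real DN, empty password", real, ""),
        ("bogus DN, empty password", bogus, ""),
        ("real DN, wrong password", real, "guess"),
        ("real DN, right password", real, DIRECTORY[real]),
    ]
    for allow in (True, False):
        print(f"\nallow bind_anon_dn = {allow}")
        for label, dn, pw in cases:
            print(f"  {label:26} naive={naive_client_authenticates(dn, pw, allow)!s:5} "
                  f"hardened={hardened_client_authenticates(dn, pw, allow)}")


if __name__ == "__main__":
    main()
```

Running it shows the hole in one row: with the option on, the naive client accepts the real DN and the bogus DN alike as long as the password is empty, while the hardened client rejects both. Turning the option off closes it server-side, as the thread recommends, but the client-side empty-password check is still worth keeping, since not every directory you talk to will be configured that way.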