Anonymous bind allowed when configured not to.
- To: openldap-technical@openldap.org
- Subject: Anonymous bind allowed when configured not to.
- From: Kyle Smith <alacer.cogitatus@gmail.com>
- Date: Thu, 24 May 2012 09:41:48 -0400
Good Morning,
I was recently made aware of a problem with my OpenLDAP 2.4.26 and
2.4.28 servers.
I have configured each server to disallow anonymous binds using the directive below.
### Disable anony
disallow bind_anon
This works great for Softerra LDAP Administrator and the ldapsearch
command (Linux).
$ ldapsearch -x -H ldaps://openldap.example.com -b
"ou=peoples,dc=example,dc=com" "(uid=someuser)"
ldap_bind: Inappropriate authentication (48)
additional info: anonymous bind disallowed
However, when I use Jxplorer (http://jxplorer.org/) it not only allows
the bind, but allows the search. Right now the ACL is set for "by
anonymous read", but shouldn't the disallow directive even prevent the
connection?
I'm working on getting some debug logs, but if anyone has experienced
this, please let me know. Thanks.
Kyle Smith
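Editor's note, added here and not part of Kyle's message: in slapd.conf(5), `disallow bind_anon` only rejects anonymous *bind requests*. A client that never sends a bind at all (or whose bind slapd does not treat as an anonymous simple bind) is still an anonymous session, and if the ACL grants `by anonymous read`, its searches succeed. The setting that refuses operations from unauthenticated sessions is `require authc`. The fragment below is a constructed example (the suffix and DNs are placeholders, not from the original post) showing the configuration as described in the message beside a hardened equivalent, with the cn=config attribute names in comments.

```conf
########################################################################
# As posted: stops anonymous bind *requests* only.
# An unbound client is still anonymous and the ACL lets it read.
########################################################################
disallow bind_anon                      # cn=config: olcDisallows: bind_anon
access to dn.subtree="dc=example,dc=com"
        by anonymous read               # <- this is what JXplorer's search hits
        by users read

########################################################################
# Hardened: refuse anonymous binds AND any operation on a session that
# has not authenticated, and stop granting anonymous read in the ACL.
########################################################################
disallow bind_anon                      # cn=config: olcDisallows: bind_anon
require  authc                          # cn=config: olcRequires: authc
access to attrs=userPassword
        by self write
        by anonymous auth               # "auth" only: needed so users can bind
        by * none
access to dn.subtree="dc=example,dc=com"
        by self write
        by users read
        by * none                       # no read for anonymous sessions
```

To verify after restarting slapd, run an unauthenticated search with `ldapsearch -x -H ldaps://host -b "dc=example,dc=com" "(uid=someuser)"` and confirm it is refused rather than returning entries; `require authc` is what closes the gap for clients that skip the bind entirely, while the ACL change ensures nothing is readable even if a future directive is misconfigured.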