[389-users] Turn off anonymous bind
Marc Sauton
msauton at redhat.com
Thu Nov 10 19:00:34 UTC 2011
So we should have, under cn=config:
nsslapd-allow-anonymous-access: off
nsslapd-allow-unauthenticated-binds: off
( see
http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/configuring-special-binds.html
)
Review the ns-slapd error log; maybe it is falling back to anonymous
for some reason.
Try a getent passwd from that client to see if it is working as
expected, and try to manually run an ldapsearch, binding as the binddn
with the bindpw specified in the nss_ldap config file, for a given user,
and then another search specifying the ntlmpassword attribute for a
given user.
If not working, review the ACI for ntlmpassword in that suffix.
M.
On 11/10/2011 09:57 AM, David Hoskinson wrote:
>
> We want to restrict all queries to authenticated queries. As our
> system sits now I can anonymously query and return ntlmpassword and
> see the hash as well as most other entries. We would like this to not
> be the case, and require directory manager and pass or a similar
> approved user to do ldap queries.
>
> I have set nsslapd-allow-anonymous-access to off in advanced
> properties for config, and added the binddn string and bindpw string
> to /etc/ldap.conf on the 389 server machine. When I try to log back
> in, I get "password authentication failed, please verify that the
> username and password are correct". If I turn the setting back to on,
> it works again.
>
> Am I missing something... or is this not the correct method to achieve
> my goal.
>
> Thanks.
>
> David Hoskinson | *DATATRAK*International
> Systems Engineer
> Mayfield Heights, Ohio, USA
> +1.440.443.0082 x 124 (p) | +1.216.280.5457 (m)
> david.hoskinson at datatrak.net <mailto:david.hoskinson at datatrak.net> |
> www.datatrak.net <http://www.datatrak.net/>
>
>
> --
> 389 users mailing list
> 389-users at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users
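The procedure from the reply above (set the two cn=config attributes, then verify from the client with getent and ldapsearch as the nss_ldap binddn, then review the ACIs), collected into one script. This is an added example, not code from the thread or from 389 DS; the server URI, suffix, binddn, instance log path and the sample access-log lines are all placeholders or constructed for illustration, and the 'ntlmpassword' attribute name is the one used in the thread.

```shell
#!/bin/sh
# Added example: hardening and verification steps for turning off anonymous
# bind on 389 DS. All names below are assumptions; adjust to your instance.
LDAP_URI=${LDAP_URI:-ldap://ldap.example.com}                                # assumed host
SUFFIX=${SUFFIX:-dc=example,dc=com}                                          # assumed suffix
BINDDN=${BINDDN:-cn=nss-proxy,ou=Special Users,dc=example,dc=com}            # assumed binddn from /etc/ldap.conf
BINDPW_FILE=${BINDPW_FILE:-/etc/ldap.secret}                                 # holds the bindpw; keep it root-only
ACCESS_LOG=${ACCESS_LOG:-/var/log/dirsrv/slapd-ldap/access}                  # assumed instance name "ldap"

# 1. The cn=config change as LDIF. Apply it as Directory Manager with:
#      disable_anon_ldif | ldapmodify -x -H "$LDAP_URI" -D "cn=Directory Manager" -W
disable_anon_ldif() {
  cat <<'EOF'
dn: cn=config
changetype: modify
replace: nsslapd-allow-anonymous-access
nsslapd-allow-anonymous-access: off
-
replace: nsslapd-allow-unauthenticated-binds
nsslapd-allow-unauthenticated-binds: off
EOF
}

# 2. Interpret the exit status of an anonymous ldapsearch. OpenLDAP clients
#    exit with the LDAP result code; 48 (inappropriateAuthentication) is what
#    an anonymous bind gets once anonymous access is off.
classify_anon() {
  case "$1" in
    0)  echo "FAIL: anonymous search succeeded, anonymous access is still on" ;;
    48) echo "OK: anonymous bind refused (inappropriateAuthentication)" ;;
    *)  echo "CHECK: ldapsearch exited $1, look in the errors log" ;;
  esac
}

# 3. Same for the search bound as the nss_ldap binddn.
#    49 = invalidCredentials (binddn/bindpw in ldap.conf is wrong),
#    32 = noSuchObject (bound fine, but an ACI hides even the suffix entry).
classify_bound() {
  case "$1" in
    0)  echo "OK: bind as $BINDDN succeeded" ;;
    49) echo "FAIL: invalidCredentials, binddn or bindpw in the nss_ldap config is wrong" ;;
    32) echo "FAIL: noSuchObject, $BINDDN cannot read $SUFFIX; review the ACIs" ;;
    *)  echo "CHECK: ldapsearch exited $1" ;;
  esac
}

# 4. Find clients that still bind anonymously: the 389 DS access log records an
#    anonymous bind as BIND dn="". Reads log lines on stdin, prints each conn once.
find_anon_binds() {
  awk '/ BIND dn="" / { if (match($0, /conn=[0-9]+/)) seen[substr($0, RSTART, RLENGTH)] = 1 }
       END { for (c in seen) print c }' | sort
}

# Constructed access-log lines (not real log data) so step 4 can be tried offline:
# conn=3 is an anonymous client that gets err=48, conn=4 is the proxy binddn.
SAMPLE_LOG='[10/Nov/2011:13:01:02 -0500] conn=3 op=0 BIND dn="" method=128 version=3
[10/Nov/2011:13:01:02 -0500] conn=3 op=0 RESULT err=48 tag=97 nentries=0 etime=0
[10/Nov/2011:13:01:03 -0500] conn=4 op=0 BIND dn="cn=nss-proxy,ou=Special Users,dc=example,dc=com" method=128 version=3
[10/Nov/2011:13:01:03 -0500] conn=4 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[10/Nov/2011:13:01:05 -0500] conn=3 op=1 BIND dn="" method=128 version=3'

demo_anon_binds() { printf '%s\n' "$SAMPLE_LOG" | find_anon_binds; }   # prints: conn=3

# 5. Live checks for one user (argument: uid); needs a reachable server.
run_checks() {
  uid=$1
  # getent goes through nss_ldap, i.e. the binddn/bindpw from /etc/ldap.conf
  getent passwd "$uid" || echo "getent passwd $uid returned nothing"

  ldapsearch -x -H "$LDAP_URI" -b "$SUFFIX" -s base 1.1 >/dev/null 2>&1
  classify_anon $?

  ldapsearch -x -H "$LDAP_URI" -D "$BINDDN" -y "$BINDPW_FILE" \
             -b "$SUFFIX" "(uid=$uid)" uid >/dev/null 2>&1
  classify_bound $?

  # If no ntlmpassword line comes back, an ACI denies the binddn read on it.
  ldapsearch -x -LLL -H "$LDAP_URI" -D "$BINDDN" -y "$BINDPW_FILE" \
             -b "$SUFFIX" "(uid=$uid)" ntlmpassword | grep -i '^ntlmpassword:' \
    || echo "$BINDDN cannot read ntlmpassword for $uid: review the ACIs on $SUFFIX"

  # List every ACI in the suffix (as Directory Manager) to see who may read what.
  ldapsearch -x -LLL -H "$LDAP_URI" -D "cn=Directory Manager" -W \
             -b "$SUFFIX" "(aci=*)" aci

  # Connections still binding anonymously show up here.
  find_anon_binds < "$ACCESS_LOG"
}

if [ "${1:-}" = "run" ]; then
  run_checks "$2"
fi
```

Two caveats when using this: ldapsearch -y uses the file contents verbatim, so write the password file with printf rather than echo to avoid a trailing newline; and denying anonymous access only decides who may bind, not who may read ntlmpassword once bound, so the ACI review in step 5 is what stops every other authenticated user from reading the hash. Newer 389 DS releases also accept the value rootdse for nsslapd-allow-anonymous-access, which keeps the root DSE readable for clients that probe it before binding while denying anonymous access to the data.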