Debian – How to disable anonymous access on LDAP

debianldapopenldapSecurity

I need to secure my LDAP server and am not quite sure the best way to go about it. I am running Debian "Lenny", and using OpenLDAP (slapd).

I notice that if I run:

ldapsearch -x -W -b 'dc=example,dc=com' -H 'ldap://127.0.0.1:389/' 'objectclass=*'

and just press ENTER when it prompts for a password, that I get a list of directory entries. Anonymous access is not acceptable if I am opening this up to the internet, but cannot find a way to disable anonymous access.

I have tried modifying /etc/ldap/slapd.conf to the following:

access to *
    by dn="cn=admin,dc=example,dc=com" write
    by * none

… but that doesn't do the trick.

After this, I will get it running over TLS, but it is pointless doing that step while still allowing anonymous access.

Any ideas?

Best Answer

To completely disable anonymous bind, add this line to slapd.conf:

disallow bind_anon

and restart the slapd service.

Related Solutions

Debian – OpenLDAP with ldaps support on Debian Lenny

The cipher names between Openssl and GnuTLS are not the same.

Example GnuTLS cipher:

slapd.conf:
TLSCipherSuite TLS_RSA_AES_256_CBC_SHA

To get a list of GnuTLS cipher names:

$ gnutls-cli -l

And make sure that the "cert" files are readable and owned by the openldap user. You could also add the openldap user to the ssl-cert group.

Ldap – Securing userPassword access with OpenLDAP in RHEL

pam_ldap shouldn't be attempting to read the userPassword value to log you in -- It logs you in by doing an LDAP bind with the DN that it retrieves.

It's possible the search parameters pam_ldap uses are over-broad & it tries to pull userPassword as a result, but if your ACL is set up correctly (looks fine to me) it won't get that value in its results.

Just in case your ACLs aren't fine (I've been known to miss stupidly obvious stuff before), here's the working ACL list from my production LDAP environment :)

# Access and Security Restrictions
# (Most restrictive entries first)
access to attrs=userPassword
    by self write
    by dn.sub="ou=sync,dc=mydomain,dc=com" read
    by anonymous auth
by users none

access to * by * read

The trailing access to * by * read is important, I didn't see it in your examples so I'm not sure if it's missing or just omitted from your snippet.

The sync line is for my LDAP synchronization service and isn't necessary if you're not doing replication...

Best Answer

Related Solutions

Debian – OpenLDAP with ldaps support on Debian Lenny

Ldap – Securing userPassword access with OpenLDAP in RHEL

Related Topic