I need to secure my LDAP server and am not quite sure the best way to go about it. I am running Debian "Lenny", and using OpenLDAP (slapd).
I notice that if I run:
ldapsearch -x -W -b 'dc=example,dc=com' -H 'ldap://127.0.0.1:389/' 'objectclass=*'
and just press ENTER when it prompts for a password, I get a list of directory entries. Anonymous access is not acceptable if I am opening this up to the internet, but I cannot find a way to disable anonymous access.
I have tried modifying /etc/ldap/slapd.conf to the following:
access to * by dn="cn=admin,dc=example,dc=com" write by * none
… but that doesn't do the trick.
After this, I will get it running over TLS, but it is pointless doing that step while still allowing anonymous access.
Any ideas?
Best Answer
To completely disable anonymous bind, add this line to slapd.conf:
and restart the slapd service.
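As an added example (not part of the question or the answer above), the following Python script audits a slapd.conf text for the settings that still permit anonymous access: a missing global `disallow bind_anon` directive (anonymous simple binds accepted), a missing `require authc` directive (unauthenticated operations still allowed), and any ACL clause that grants the anonymous subject (`*` or `anonymous`) more than `none` or `auth`. The two configuration samples are constructed for this example; the weak one contains only the ACL line from the question, the hardened one adds the two global directives, which OpenLDAP requires to appear before the first `database` section. Remember that users still need `by anonymous auth` on `userPassword` in order to bind at all, so that clause is deliberately not flagged.

```python
"""Audit slapd.conf text for settings that still allow anonymous access.

Added example for the question above; not code from the original post.
Checks three things a defender would verify after hardening:
  * ``disallow bind_anon`` is present (anonymous simple binds refused)
  * ``require authc`` is present (unauthenticated operations refused)
  * no ACL grants ``*`` or ``anonymous`` more than ``none`` / ``auth``
"""
import re

# Constructed sample: the ACL from the question, no global directives.
WEAK_CONF = """\
include         /etc/ldap/schema/core.schema
database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=admin,dc=example,dc=com"
access to *
        by dn="cn=admin,dc=example,dc=com" write
        by * none
"""

# Constructed sample: global directives placed before the database section.
HARDENED_CONF = """\
include         /etc/ldap/schema/core.schema
# refuse anonymous simple binds and require authentication for operations
disallow        bind_anon
require         authc

database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=admin,dc=example,dc=com"
# anonymous still needs 'auth' on userPassword so that real users can bind
access to attrs=userPassword
        by dn="cn=admin,dc=example,dc=com" write
        by anonymous auth
        by self write
        by * none
access to *
        by dn="cn=admin,dc=example,dc=com" write
        by * none
"""

# "by <subject> <level>" clauses where the subject is the anonymous user.
ACL_GRANT = re.compile(r"\bby\s+(\*|anonymous)\s+(\S+)")


def logical_lines(text):
    """Return slapd.conf logical lines: comments and blank lines dropped,
    continuation lines (those starting with whitespace) joined to the
    preceding directive, as slapd itself reads the file."""
    lines = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw.strip())
    return lines


def audit_slapd_conf(text):
    """Return a list of human-readable findings; an empty list means the
    configuration refuses anonymous binds and anonymous data access."""
    disallow, require, acls = set(), set(), []
    for line in logical_lines(text):
        tokens = line.split()
        key = tokens[0].lower()
        if key == "disallow":
            disallow.update(t.lower() for t in tokens[1:])
        elif key == "require":
            require.update(t.lower() for t in tokens[1:])
        elif key == "access":
            acls.append(line)

    findings = []
    if "bind_anon" not in disallow:
        findings.append("anonymous simple bind accepted: add 'disallow bind_anon'")
    if "authc" not in require:
        findings.append("unauthenticated operations allowed: add 'require authc'")
    for acl in acls:
        for subject, level in ACL_GRANT.findall(acl):
            # 'none' grants nothing; 'auth' only lets anonymous attempt a bind
            if level.lower() not in ("none", "auth"):
                findings.append(f"ACL grants '{level}' to '{subject}': {acl}")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit_slapd_conf(conf) or 'no findings'}")
```

Run the script directly to see the weak sample produce two findings and the hardened sample none; point `audit_slapd_conf` at the contents of your own `/etc/ldap/slapd.conf` to check a live configuration before exposing the listener. Note that an ACL with `by * none`, as in the question, passes the ACL check on its own: the bind itself is still accepted unless the global directives are present, which is why the script checks both layers.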