Enable anonymous bind in openldap

openldap

I have setup ldap server successfully on centos 7, It works fine. However, i cannot access the server with 'anonymous' bind, which according to every google search it should be.

When I execute;

ldapsearch -x -H ldap://localhost -b dc=example,dc=com

output says;

result: 50 Insufficient access

Note: the only ACL exist is;

olcAccess: {0}to *
  by self write
  by anonymous auth
  by * none

does this prove server don't configured to support 'anonymous' bind.?
And if so, can you list out way of which how to enable 'anonymous' bind.

Best Answer

Anonymous bind is enabled, but your ACL prohibits most anonymous action via by * none. What your ACL should look like will depend on your environment and your goals. Generally speaking anonymous access means your offering a public service or haven't thought through what you're trying to accomplish.

You should familiarize yourself with OpenLDAP's Access Control Documenation.

Related Solutions

Ldap – Securing userPassword access with OpenLDAP in RHEL

pam_ldap shouldn't be attempting to read the userPassword value to log you in -- It logs you in by doing an LDAP bind with the DN that it retrieves.

It's possible the search parameters pam_ldap uses are over-broad & it tries to pull userPassword as a result, but if your ACL is set up correctly (looks fine to me) it won't get that value in its results.

Just in case your ACLs aren't fine (I've been known to miss stupidly obvious stuff before), here's the working ACL list from my production LDAP environment :)

# Access and Security Restrictions
# (Most restrictive entries first)
access to attrs=userPassword
    by self write
    by dn.sub="ou=sync,dc=mydomain,dc=com" read
    by anonymous auth
by users none

access to * by * read

The trailing access to * by * read is important, I didn't see it in your examples so I'm not sure if it's missing or just omitted from your snippet.

The sync line is for my LDAP synchronization service and isn't necessary if you're not doing replication...

Ubuntu 10.04 (Lucid) OpenLDAP invalid credentials issue

This is also a tutorial issue with Ubuntu 10.10. If you refer to

Ubuntu OpenLDAP Guide

and let's say that for now you do everything in order except for setting up replication (the section immediately before that on adding extra schemas is unnecessary at this point also), when you arrive at the section entitled Setting Up ACL it doesn't matter what password you try, you'll get ldap_bind: Invalid credentials (49)...and not because there's a password problem. It's what gmuller said.

gmuller's solution above (it's a variant of a solution posted for Karmic Koala) works for me, in exactly the same situation, on Ubuntu 10.10. I had to make the same edits in fact from what is suggested for 9.10 in that second link.

This tutorial defect is not a showstopper for some things. One can ldapadd users and groups, and do certain searches.