Hi all,

I have seen the documentation on how to disable anonymous access
*completely* at

However, I think that those base rootdse queries are probably important. I
originally thought they only happened when running "ipa-client-install" but
some quick tailing of the access log indicates to me that they happen a lot.

So, instead of flipping the big switch in cn=config, has anyone considered
just removing anonymous access to the *directory* data like:

# Remove Anonymous Access to main directory
# (the aci value must match the existing one exactly for the delete to succeed)
dn: dc=example,dc=com
changetype: modify
delete: aci
aci: (target != "ldap:///idnsname=*,cn=dns,dc=example,dc=com")(targetattr !=
  "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword ||
  passwordHistory || krbMKey || userPKCS12 || ipaNTHash ||
  ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl
  "Enable Anonymous access"; allow (read, search, compare) userdn =
  "ldap:///anyone";)

Would that work without breaking things? Do we have any information on what
"broken" systems require anonymous LDAP binds and which ones do not?

Thanks in advance,
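Before deleting anything, it helps to see exactly what the suffix grants to anonymous. The following Python is an added audit helper, not code from this post or from the FreeIPA project: it unfolds an LDIF dump of aci values (as produced by an ldapsearch of the suffix, for instance) and lists every ACI whose userdn is ldap:///anyone, with its rights and the attributes it excludes. The sample LDIF is constructed and abbreviated.

```python
import re
# Constructed, abbreviated LDIF dump of the suffix's aci values (the anonymous
# ACI lists only two excluded attributes here; a real dump lists them all).
SAMPLE_LDIF = """\
dn: dc=example,dc=com
aci: (target != "ldap:///idnsname=*,cn=dns,dc=example,dc=com")(targetattr != "
 userPassword || krbPrincipalKey")(version 3.0; acl "Enable Anonymous access";
  allow (read, search, compare) userdn = "ldap:///anyone";)
aci: (targetattr = "*")(version 3.0; acl "Admins manage"; allow (all) userdn
  = "ldap:///cn=admin,dc=example,dc=com";)
"""
ACL_NAME = re.compile(r'acl\s+"([^"]*)"')
RIGHTS = re.compile(r'allow\s*\(([^)]*)\)')
USERDN = re.compile(r'userdn\s*=\s*"([^"]*)"')
TARGETATTR = re.compile(r'\(targetattr\s*(!?=)\s*"([^"]*)"\)')

def unfold_ldif(text):
    """Join LDIF continuation lines: a leading space continues the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # fold into the previous logical line
        else:
            lines.append(raw)
    return lines

def iter_acis(text):
    """Yield (dn, aci value) pairs from an LDIF dump."""
    dn = None
    for line in unfold_ldif(text):
        if line.startswith("dn: "):
            dn = line[4:]
        elif line.startswith("aci: ") and dn is not None:
            yield dn, line[5:]

def anonymous_grants(text):
    """Describe every ACI in the dump that grants rights to ldap:///anyone."""
    found = []
    for dn, aci in iter_acis(text):
        who = USERDN.search(aci)
        if not who or who.group(1) != "ldap:///anyone":
            continue
        name, rights, ta = ACL_NAME.search(aci), RIGHTS.search(aci), TARGETATTR.search(aci)
        attrs = [a.strip() for a in ta.group(2).split("||")] if ta else []
        found.append({
            "dn": dn,
            "acl": name.group(1) if name else "",
            "rights": [r.strip() for r in rights.group(1).split(",")] if rights else [],
            # with "!=" anonymous may read every attribute except those listed
            "excluded_attrs": attrs if ta and ta.group(1) == "!=" else [],
            "allowed_attrs": attrs if ta and ta.group(1) == "=" else [],
        })
    return found
```

Run it over a real dump and compare the result against what your clients actually need before you delete the ACI.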
Manage your subscription for the Freeipa-users mailing list:
Go To http://freeipa.org for more info on the project