On 16/11/2016 16:46, dan.finkelst...@high5games.com wrote:
> I've seen some discussion in the (distant) past about disabling
> anonymous binds to the LDAP component of IPA, and I'm wondering if
> there's a preferred method to do it. Further, are there any known
> problems with disabling anonymous binds when using FreeIPA? The only
> modern documentation I can find is here:
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/disabling-anon-binds.html,
> and I'm curious if FreeIPA has a different way.
FWIW, I see the same here. Installed ipa-server under CentOS 7 (which
gave me freeipa 4.2.0), and found anonymous binds allowed: tested by
"ldapsearch -x ..."
I was able to disable anonymous bind (and also disable unencrypted
queries) by changing the cn=config entry:
dn: cn=config
changetype: modify
replace: nsslapd-allow-anonymous-access
nsslapd-allow-anonymous-access: rootdse
-
replace: nsslapd-minssf
nsslapd-minssf: 56
I don't think this replicated from master to slave though, and I ended
up doing it on slaves as well.
If there is an "official" way to disable anon bind on FreeIPA 4.x, I
would like to know it.
Thanks,
Brian.
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
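The following script is an added example and is not part of the thread above or of the FreeIPA project. It packages the cn=config change Brian posted so it can be pushed to every IPA server in turn (cn=config lives in each 389-ds instance's own dse.ldif and is never replicated, which is why the change had to be repeated on the replicas), and it checks from the outside that anonymous and cleartext binds are actually refused afterwards, using the LDAP result code that ldapsearch returns as its exit status. The server names, the base DN and the Directory Manager password file are assumptions standing in for your own topology; ldapmodify and ldapsearch are the standard openldap-clients tools.

```sh
#!/bin/sh
# Added example, not code from the mailing-list thread or from FreeIPA.
# Assumptions (not in the original mail): openldap-clients installed,
# Directory Manager password stored in the file named by DM_PASS_FILE,
# SERVERS and BASE_DN edited to match your deployment.

DM_PASS_FILE=${DM_PASS_FILE:-/root/.dm_pass}        # hypothetical path
BASE_DN=${BASE_DN:-dc=example,dc=test}               # hypothetical base DN
SERVERS=${SERVERS:-"ipa1.example.test ipa2.example.test"}  # hypothetical hosts

# The LDIF from the thread: anonymous clients may read only the root DSE,
# and a minimum SSF of 56 refuses any bind that is neither TLS-protected
# nor GSSAPI-encrypted.
anon_bind_ldif() {
    cat <<'EOF'
dn: cn=config
changetype: modify
replace: nsslapd-allow-anonymous-access
nsslapd-allow-anonymous-access: rootdse
-
replace: nsslapd-minssf
nsslapd-minssf: 56
EOF
}

# Apply the LDIF to one server over STARTTLS (-ZZ) as Directory Manager.
# cn=config is per-instance, so this is called once per server.
apply_to_server() {
    anon_bind_ldif | ldapmodify -ZZ -x -H "ldap://$1" \
        -D "cn=Directory Manager" -y "$DM_PASS_FILE"
}

# Map the exit status of an anonymous "ldapsearch -x" to a verdict.
# ldapsearch exits with the LDAP result code:
#   0  = the anonymous search succeeded, i.e. the server is still open
#   13 = confidentialityRequired, the minssf check refused a cleartext bind
#   48 = inappropriateAuthentication, anonymous access was refused
verdict_for_status() {
    case "$1" in
        0)  echo "OPEN: anonymous search of the base DN succeeded" ;;
        13) echo "CLOSED: cleartext bind refused (confidentialityRequired, minssf)" ;;
        48) echo "CLOSED: anonymous bind refused (inappropriateAuthentication)" ;;
        *)  echo "UNKNOWN: ldapsearch exit status $1" ;;
    esac
}

# Probe one server three ways: cleartext anonymous (expect 13), anonymous
# over TLS (expect 48), and anonymous root DSE over TLS, which must still
# work (expect 0) so SASL clients can read supportedSASLMechanisms.
check_server() {
    srv=$1
    st=0; ldapsearch -x -H "ldap://$srv" -b "$BASE_DN" -s base dn >/dev/null 2>&1 || st=$?
    echo "$srv cleartext anon: $(verdict_for_status $st)"
    st=0; ldapsearch -x -ZZ -H "ldap://$srv" -b "$BASE_DN" -s base dn >/dev/null 2>&1 || st=$?
    echo "$srv TLS anon:       $(verdict_for_status $st)"
    st=0; ldapsearch -x -ZZ -H "ldap://$srv" -b "" -s base supportedSASLMechanisms >/dev/null 2>&1 || st=$?
    echo "$srv TLS root DSE:   exit $st (0 expected; rootdse keeps it readable)"
}

# Nothing runs unless asked: "apply" pushes the change, "check" probes.
case "${1-}" in
    apply) for s in $SERVERS; do apply_to_server "$s"; done ;;
    check) for s in $SERVERS; do check_server "$s"; done ;;
esac
```

Run it as `sh disable-anon.sh apply` on an admin host that can reach every master, then `sh disable-anon.sh check`; each server should report CLOSED for the first two probes and exit 0 for the root DSE probe. Note that `nsslapd-minssf` also refuses cleartext binds from anything that still talks plain LDAP to port 389 without STARTTLS, so check non-IPA LDAP consumers before rolling this out everywhere.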