Brian Candler wrote:
> On 16/11/2016 16:46, wrote:
>> I've seen some discussion in the (distant) past about disabling
>> anonymous binds to the LDAP component of IPA, and I'm wondering if
>> there's a preferred method to do it. Further, are there any known
>> problems with disabling anonymous binds when using FreeIPA? The only
>> modern documentation I can find is here:
>> and I'm curious if FreeIPA has a different way.
> FWIW, I see the same here. Installed ipa-server under CentOS 7 (which
> gave me freeipa 4.2.0), and found anonymous binds allowed: tested by
> "ldapsearch -x ..."
> I was able to disable anonymous bind (and also disable unencrypted
> queries) by changing the cn=config entry:
> |dn: cn=config|
> |changetype: modify|
> |replace: nsslapd-allow-anonymous-access|
> |nsslapd-allow-anonymous-access: rootdse|
> |-|
> |replace: nsslapd-minssf|
> |nsslapd-minssf: 56|
> I don't think this replicated from master to slave though, and I ended
> up doing it on slaves as well.
> If there is an "official" way to disable anon bind on FreeIPA 4.x, I
> would like to know it.

Modifying nsslapd-allow-anonymous-access is the official way. Attributes
in cn=config are not replicated.


Manage your subscription for the Freeipa-users mailing list:
Go to for more info on the project

Reply via email to