Brian Candler wrote:

> On 16/11/2016 16:46, dan.finkelst...@high5games.com wrote:
>> I've seen some discussion in the (distant) past about disabling
>> anonymous binds to the LDAP component of IPA, and I'm wondering if
>> there's a preferred method to do it. Further, are there any known
>> problems with disabling anonymous binds when using FreeIPA? The only
>> modern documentation I can find is here:
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/disabling-anon-binds.html,
>> and I'm curious if FreeIPA has a different way.
>
> FWIW, I see the same here. Installed ipa-server under CentOS 7 (which
> gave me freeipa 4.2.0), and found anonymous binds allowed: tested by
> "ldapsearch -x ..."
>
> I was able to disable anonymous bind (and also disable unencrypted
> queries) by changing the cn=config entry:
>
> dn: cn=config
> changetype: modify
> replace: nsslapd-allow-anonymous-access
> nsslapd-allow-anonymous-access: rootdse
> -
> replace: nsslapd-minssf
> nsslapd-minssf: 56
>
> I don't think this replicated from master to slave though, and I ended
> up doing it on slaves as well.
>
> If there is an "official" way to disable anon bind on FreeIPA 4.x, I
> would like to know it.
Modifying nsslapd-allow-anonymous-access is the official way. Attributes in cn=config are not replicated.

rob

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
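An added example, not from the thread or the FreeIPA project: a small POSIX sh helper that emits the cn=config LDIF quoted above, applies it to one server over StartTLS, and then checks that anonymous searches of the suffix are refused; since cn=config is not replicated, it is meant to be run once per replica. It assumes openldap-clients, a Directory Manager password file named by DM_PASS_FILE, an ldap.conf that already trusts the IPA CA, and placeholder hostnames and suffix.

```shell
#!/bin/sh
# Added example (not from the thread). Emits the thread's cn=config LDIF,
# applies it to a replica, and verifies anonymous access afterwards.
# Assumes ldapsearch/ldapmodify, DM_PASS_FILE, and a trusted IPA CA for -ZZ.

# Build the LDIF. $1 = nsslapd-allow-anonymous-access value (rootdse keeps the
# root DSE readable for clients that discover the server), $2 = nsslapd-minssf
# (56 makes the server refuse cleartext operations).
make_ldif() {
    printf '%s\n' \
        'dn: cn=config' \
        'changetype: modify' \
        'replace: nsslapd-allow-anonymous-access' \
        "nsslapd-allow-anonymous-access: $1" \
        '-' \
        'replace: nsslapd-minssf' \
        "nsslapd-minssf: $2"
}

# Exit 0 if an anonymous (-x, no -D) base search of suffix $2 succeeds on host
# $1, i.e. anonymous binds are still allowed; non-zero once they are refused.
# Probe the suffix, not "": with rootdse the root DSE is still served
# anonymously, so a root DSE probe would not detect the change.
anon_bind_allowed() {
    ldapsearch -x -LLL -H "ldap://$1" -b "$2" -s base 1.1 >/dev/null 2>&1
}

# Apply the change to one replica over StartTLS as Directory Manager.
harden_replica() {
    make_ldif rootdse 56 | ldapmodify -x -ZZ -H "ldap://$1" \
        -D 'cn=Directory Manager' -y "${DM_PASS_FILE:?set DM_PASS_FILE}"
}

# Usage: ./anonbind.sh check|harden host [host...]   (suffix is a placeholder)
SUFFIX='dc=example,dc=com'
mode=${1:-}
[ $# -gt 0 ] && shift
for host in "$@"; do
    case "$mode" in
        check)  if anon_bind_allowed "$host" "$SUFFIX"; then
                    echo "$host: anonymous bind ALLOWED"
                else
                    echo "$host: anonymous bind refused"
                fi ;;
        harden) harden_replica "$host" && echo "$host: cn=config updated" ;;
    esac
done
```

Run `check` against every replica after `harden`, because a server that was missed still answers anonymous searches even though the others do not.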