From the debugs I did, it looks like jxplorer makes the connection, but never sends a bind command. It goes straight to the search command. So while anonymous bind is disabled, require bind was not on. I set the require bind directive and now it acts as necessary. Would it be a wise change to implicitly include require bind when disallow anon_bind is set?

On May 24, 2012, at 11:59 AM, Quanah Gibson-Mount <[email protected]> wrote:

> --On May 24, 2012 9:41:48 AM -0400 Kyle Smith <[email protected]> wrote:
>
>> Good Morning,
>>
>> I was recently made aware of a problem with my OpenLDAP 2.4.26 and
>> 2.4.28 servers.
>>
>> I have configured each server to disallow anony using the below directive.
>>
>> ### Disable anony
>> disallow bind_anon
>>
>> This works great for Softerra Ldap Administrator, and the ldapsearch
>> command (linux).
>>
>> $ ldapsearch -x -H ldaps://openldap.example.com -b
>> "ou=peoples,dc=example,dc=com" "(uid=someuser)"
>> ldap_bind: Inappropriate authentication (48)
>> additional info: anonymous bind disallowed
>>
>> However, when I use Jxplorer (http://jxplorer.org/) it not only allows
>> the bind, but allows the search. Right now the ACL is set for "by
>> anonymous read", but shouldn't the disallow directive even prevent the
>> connection?
>
> How can it disallow a connection when there is no way to know if a connection
> is anonymous or not until after it is made? And it doesn't sound to me like
> the JXplorer connection is anonymous. The server doesn't treat different
> kinds of clients in different ways. It could be jxplorer is ignoring the
> result, which would then mean its search query would do nothing either.
>
> --Quanah
>
> --
> Quanah Gibson-Mount
> Principal Software Engineer
> Zimbra, Inc
> --------------------
> Zimbra :: the leader in open source messaging and collaboration
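
An added example, not part of the original thread and not OpenLDAP project code: a small Python check that reads slapd.conf text and flags the configuration discussed above, where `disallow bind_anon` is set without a `require` condition, so a client that searches without binding is still served under a `by anonymous read` ACL. The sample configs are constructed, and the check assumes `require` applies file-wide rather than per database.

```python
import re

# "require" conditions that force a bind/authentication before other operations.
BIND_ENFORCING = {"bind", "authc", "sasl", "strong"}
ANON_DATA_ACL = re.compile(r"\bby\s+anonymous\s+(compare|search|read|write|manage)\b", re.I)

def logical_lines(text):
    """Yield slapd.conf directives: skip comments, join indented continuation lines."""
    current = ""
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw[:1] in (" ", "\t") and raw.strip():
            current += " " + raw.strip()  # continuation of the previous directive
            continue
        if current:
            yield current
        current = raw.strip()
    if current:
        yield current

def audit(text):
    """Return findings for the search-without-bind gap discussed in the thread."""
    disallow, require, findings = set(), set(), []
    for line in logical_lines(text):
        words = line.split()
        keyword = words[0].lower()
        if keyword == "disallow":
            disallow.update(w.lower() for w in words[1:])
        elif keyword == "require":
            require.update(w.lower() for w in words[1:])
        elif keyword == "access" and ANON_DATA_ACL.search(line):
            findings.append("ACL serves data to unauthenticated sessions: " + line)
    if "bind_anon" in disallow and not (require & BIND_ENFORCING):
        findings.append("bind_anon is disallowed but nothing requires a bind: "
                        "a search sent without a bind is still processed")
    return findings

# Constructed sample configs modelling only the directives quoted in the thread.
BEFORE = "### Disable anony\ndisallow bind_anon\naccess to *\n    by anonymous read\n"
AFTER = ("disallow bind_anon\nrequire bind\n"
         "access to *\n    by anonymous auth\n    by users read\n")

if __name__ == "__main__":
    for name, conf in (("before", BEFORE), ("after", AFTER)):
        print(name, audit(conf) or "no findings")
```

The `by anonymous auth` clause in the second sample is not flagged because the `auth` access level only permits authenticating against an entry, which a simple bind needs.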
