--On Tuesday, March 3, 2020 3:04 PM +0100 Geert Hendrickx <[email protected]> wrote:

However some connections log no BIND operation at all, just SRCH ops etc.
I cannot replicate this behaviour with ldapsearch, it comes from an old
java client.

This can be replicated in Perl pretty easily:

#!/usr/bin/perl
use strict;
use warnings;
use Net::LDAP;

# Open the connection but never send a BIND: every operation on it is anonymous.
my $uri  = "ldap://SOMEHOST:389/";
my $ldap = Net::LDAP->new($uri) or die "$@";

my $mesg = $ldap->search(
    base   => "dc=example,dc=com",
    filter => "(objectClass=*)",
    scope  => "sub",
    attrs  => ['1.1'],    # '1.1' requests no attributes, DNs only
);
$mesg->code and die $mesg->error;

foreach my $entry ($mesg->entries) {
    print $entry->dn . "\n";
}


So looking for 'BIND dn=""' is not enough - how can I reliably identify
anonymous binds?  Looking for each op=0 and if it's not a SRCH, assume
it's an anonymous bind as well?

I think you mean, look for each op=0, and IF it's a SRCH op, assume it is an anonymous bind as well. I.e., this is what I get with the perl script:

conn=1001 op=0 SRCH base="dc=example,dc=com" scope=2 deref=2 filter="(objectClass=*)"


We have no "features" like bind_v2, bind_anon_cred etc enabled.

Second question is what is the proper way to disable anonymous access?
Through access controls (which we already have in place for fine-grained
write access control), or on server-wide level by 'disallow bind_anon' ?

Well, the man page says that disallow bind_anon doesn't prevent anonymous directory access (which is what you see with the perl script and Java program). From the man page:

bind_anon disables acceptance of anonymous bind requests. Note that this setting does not prohibit anonymous directory access (See "require authc").

If you look at the "require" keyword, we have:

authc  requires authentication prior to directory operations.

So probably the best way to do this would be to have both:

disallow bind_anon
require authc

Regards,
Quanah



--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>

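The thread's detection rule (an op=0 that is a SRCH rather than a BIND, or a BIND with dn="") can be turned into a small log scanner. The Python below is an added example, not code from the original posts or from the OpenLDAP project. It goes slightly beyond the op=0 case: it tracks the bind state of each connection and flags any SRCH/MOD/ADD/DEL/MODRDN/CMP that runs before a successful non-anonymous BIND, which also catches operations issued after a failed bind. The log lines are constructed (syslog timestamp prefix stripped) in the format slapd writes at loglevel stats; the hostnames, DNs and connection numbers are made up. Note that a SASL bind begins with a "BIND dn=\"\" method=163" line, so an empty DN is treated as an anonymous bind only for method=128 (simple).

```python
import re

# Constructed sample of slapd "stats" log lines (timestamps removed).
SAMPLE_LOG = """\
conn=1000 fd=12 ACCEPT from IP=192.0.2.10:51234 (IP=0.0.0.0:389)
conn=1000 op=0 BIND dn="" method=128
conn=1000 op=0 RESULT tag=97 err=0 text=
conn=1000 op=1 SRCH base="dc=example,dc=com" scope=2 deref=2 filter="(objectClass=*)"
conn=1000 op=1 SRCH attr=1.1
conn=1000 op=1 SEARCH RESULT tag=101 err=0 nentries=3 text=
conn=1001 fd=13 ACCEPT from IP=192.0.2.11:51235 (IP=0.0.0.0:389)
conn=1001 op=0 SRCH base="dc=example,dc=com" scope=2 deref=2 filter="(objectClass=*)"
conn=1001 op=0 SEARCH RESULT tag=101 err=0 nentries=3 text=
conn=1002 fd=14 ACCEPT from IP=192.0.2.12:51236 (IP=0.0.0.0:389)
conn=1002 op=0 BIND dn="cn=admin,dc=example,dc=com" method=128
conn=1002 op=0 BIND dn="cn=admin,dc=example,dc=com" mech=SIMPLE ssf=0
conn=1002 op=0 RESULT tag=97 err=0 text=
conn=1002 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(uid=jdoe)"
conn=1002 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=1003 fd=15 ACCEPT from IP=192.0.2.13:51237 (IP=0.0.0.0:389)
conn=1003 op=0 BIND dn="cn=bad,dc=example,dc=com" method=128
conn=1003 op=0 RESULT tag=97 err=49 text=
conn=1003 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(uid=jdoe)"
conn=1003 op=2 UNBIND
"""

# Only lines carrying an op= are operations; ACCEPT/closed lines are skipped.
LINE_RE = re.compile(r'^conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<type>\S+)(?: (?P<rest>.*))?$')
DN_RE = re.compile(r'dn="(?P<dn>[^"]*)"')
ERR_RE = re.compile(r'\berr=(?P<err>\d+)')

# Operations that read or modify the directory and therefore count as "access".
ACCESS_OPS = {"SRCH", "CMP", "MOD", "ADD", "DEL", "MODRDN"}


def find_anonymous_access(lines):
    """Return [(conn, op, description)] for every operation performed while the
    connection had no successful non-anonymous bind."""
    auth = {}      # conn -> bound DN; "" or absent means anonymous
    pending = {}   # conn -> DN of a BIND whose RESULT has not been seen yet
    seen = set()   # (conn, op) already reported (SRCH logs several lines per op)
    findings = []

    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        conn, op, typ = m.group("conn"), int(m.group("op")), m.group("type")
        rest = m.group("rest") or ""

        if typ == "BIND":
            dn_m = DN_RE.search(rest)
            if dn_m is None:          # e.g. SASL "BIND authcid=..." continuation line
                continue
            dn = dn_m.group("dn")
            if dn == "" and "method=128" in rest:
                # Simple bind with an empty DN: the anonymous bind proper.
                auth[conn] = ""
                pending.pop(conn, None)
                if (conn, op) not in seen:
                    seen.add((conn, op))
                    findings.append((conn, op, 'anonymous BIND (dn="")'))
            else:
                # Simple bind with a DN, or a SASL step; its RESULT decides.
                pending[conn] = dn
        elif typ == "RESULT" and conn in pending:
            err_m = ERR_RE.search(rest)
            dn = pending.pop(conn)
            # A failed bind (err != 0) leaves the connection anonymous.
            auth[conn] = dn if err_m and err_m.group("err") == "0" else ""
        elif typ == "UNBIND":
            auth.pop(conn, None)
            pending.pop(conn, None)
        elif typ in ACCESS_OPS and not auth.get(conn):
            if (conn, op) not in seen:
                seen.add((conn, op))
                findings.append((conn, op, f"{typ} without an authenticated bind"))

    return findings


if __name__ == "__main__":
    for conn, op, what in find_anonymous_access(SAMPLE_LOG.splitlines()):
        print(f"conn={conn} op={op}: {what}")
```

Run against a real log with `find_anonymous_access(open("/var/log/slapd.log"))` after stripping the syslog prefix, or adapt LINE_RE to allow it. On the sample this reports conn=1000 (explicit anonymous bind, then its search), conn=1001 (search with no BIND at all, the Java/Perl case from the thread) and conn=1003 (search after a bind rejected with err=49), and nothing for conn=1002. Once "require authc" is in place, the conn=1001 and conn=1003 searches would fail instead of returning entries, which is the state the scanner should eventually report as empty.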