We have just migrated from openldap to fedora, and have realized with horror that some authentication clients (for example CAS) are giving the OK to users who submit un empty password string. We have been going slowly mad trying to find how to block this in the configuration. We previously allowed anonymous binds, but since discovering the problem we have disallowed them .. but this does NOT solve the problem. In a nutshell, this is what happens : % ldapbind -h fedora_ds_server.utc.fr -p 389 -D "uid=someuser,ou=people,dc=utc,dc=fr" -w "" bind successful % ldapbind -h openldap_server.utc.fr -p 389 -D "uid=someuser,ou=people,dc=utc,dc=fr" -w "" ldap_bind: DSA is unwilling to perform ldap_bind: additional info: unauthenticated bind (DN with no password) disallowed Could anyone tell us how to get fedora to behave like openldap in this respect ? There's a lot of stuff on the web about blocking "unauthenticated binds" in openldap, but hardly anything regarding other directory servers. Any useful tips would be gratefully received. David David Lewis system administrator University of Compiegne France
