Re: anonymous binds

Michael Starling <mlstarling31@xxxxxxxxxxx> · Thu, 21 Oct 2021 13:57:20 +0000

From: Mark Reynolds <mreynolds@xxxxxxxxxx>

Sent: Thursday, October 21, 2021 9:36 AM

To: Michael Starling <mlstarling31@xxxxxxxxxxx>; General discussion list for the 389 Directory server project. <389-users@xxxxxxxxxxxxxxxxxxxxxxx>

Subject: Re: [389-users] anonymous binds

On 10/21/21 9:26 AM, Michael Starling wrote:

From: Mark Reynolds
<mreynolds@xxxxxxxxxx>

Sent: Tuesday, October 19, 2021 3:47 PM

To: General discussion list for the 389 Directory server project. 
<389-users@xxxxxxxxxxxxxxxxxxxxxxx>; Michael Starling 
<mlstarling31@xxxxxxxxxxx>

Subject: Re: [389-users] anonymous binds

On 10/19/21 1:43 PM, Michael Starling wrote:

Good afternoon.

I have a few questions about anon binds.

In theory if you have 3000 user objects in the directory and anonymous binds have a limit returning 2000 entries can you still use anonymous binds in LDAP client configurations without issues?

So you have a "resource limit" setup for "anonymous binds" which sets the sizelimit to 2000?  If that is the case then your client will hit this "2000" entry sizelimit - if it does an anonymous bind to the server. 
 If it provides credentials then it will not be restricted by the configured anonymous resource limits.

Or does something else take place when a user logs in that only requires the LDAP clients (sssd or nscld) to parse that specific user dn and attributes? 

I'm not that familiar with sssd or nscld enough to say, but I'm pretty sure they can be configured to use a specific bind dn and password.

Typically, with OpenLDAP I have created a "bind" user that can read all user/group objects with limited attributes and turned off anon binds so I don't fully understand the behavior of anonymous binds.

In our server you can create users that have aci's that grant them specific access as well.  Anonymous access can also be disabled in our server.

To recap what an anonymous bind is, it is when a client connects to the server but does not provide any credentials.  The behavior of such connections/operations will depend on what aci's and resource limits you
 have configured.
I don't think this is what you are asking about though, so can you please clarify your questions?

Thanks,
Mark

Hi Mark.

Essentially, I'm asking anon binds have a search limit of 2000 objects and you have 3000 user objects is it possible that you will have problems with user's logging into to Linux clients?

It depends on how the client is performing the authentication.  If it's searching for a single user, then you will be fine.  Since this is a "size limit" that means it will not "send" more than 2000 entries back to the client.  However, size limit does
not impact how far into the database a search can go.

In this scenario user A uses ssh to login to a Linux client using sssd as an authentication mechanism. Is sssd we are not specifying a bind dn to handle the lookups to 389.

When user A initiates the connection to the client, sssd does the anon lookup but hits the 2000 limit. If there are 3000 user entries, is it possible that user A is unable to make a connection because this user
 potentially is object 2001 and thus the information necessary to be returned by 389 to the client fails?

If you know SSSD is hitting the sizelimit then yes it is absolutely possible that it will not find the entry and cause authentication to unexpectedly fail.

Is it a better practice with 389 to create a bind dn with no search limit to avoid the scenario above? I understand I can bump the anon bind limits but I think eventually I may just convince them to turn anon
 binds off completely. For now, i just want to understand the effects of the current implementation.

Ideally you should create a "bind user" that has the correct access you need.  Opening up anonymous access is not ideal or recommended.

Regards,

Mark

Thank you.

Mike

_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure

-- 
Directory Server Development Team

-- 
Directory Server Development Team

_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure