Dave Coyle [contractor] wrote:
> The Wishlist page [ http://directory.fedora.redhat.com/wiki/Wishlist ] lists
> 'option to disable anonymous binds' as a desired feature, but one can
> already do this via ACIs, e.g.:
>
> aci: (targetattr="*")(version 3.0; acl "deny anonymous access by default";
> deny (all) userdn="ldap:///anyone";)
>
> Would this provide what was desired, or is there more to the feature
> request?
There is a lot more to this feature request.
Note that "anonymous bind" and "anonymous access" are two different things.
An LDAP server has 3 external interfaces:
- authentication
- data access
- replication
The authentication interface is not controlled by access controls, but
it is controlled by password policies (time of day, from which IP, max
password failures, etc) if they are enabled. The authentication
interface is often used by itself, with no data access requests sent to
the server, when applications only authenticate users via LDAP.
To use the data access interface, you must first bind via the
authentication interface. The bind is either anonymous, or as a user in
the directory. Depending on the access controls, you may or may not be
able to read any data.
The reason why it is desirable to be able to disable anonymous binds is
that (poorly coded) applications which only authenticate users from LDAP
will authenticate a user to the application, even if the user gives a
blank username and password. To the LDAP server, when you don't give a
username and password, you are binding anonymously, and the server will
always return SUCCESS to the authentication handler. You can always bind
anonymously to an LDAP server.
Well coded applications should trap these empty strings before sending
the bind, and substitute the empty strings with random text, etc, so
that an anonymous bind will not be sent and the credentials which are
sent will cause the bind to fail.
Mike
--
LDAP Directory Consulting - http://www.netauth.com
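The application-side flaw Mike describes, and the pre-bind check he recommends, as an added example that is not part of the thread (not Dave's or Mike's code, and not Fedora Directory Server code). The LDAP server is simulated so the example runs offline; the simulation follows the simple-bind rules of RFC 4513 section 5.1, where an empty name with an empty password is an anonymous bind and a DN with an empty password is an "unauthenticated" bind, both of which succeed and both of which yield an anonymous authorization identity. The directory contents and DNs are constructed sample values; a real client would replace `simulated_bind()` with a library call such as ldap3's `Connection.bind()`.

```python
"""Why 'bind returned SUCCESS' is not the same as 'user authenticated'.

Added example, not code from the original mailing-list thread. The server
side is simulated (following RFC 4513 section 5.1) so it runs offline.
"""

# Constructed sample directory: DN -> password. Hypothetical values only.
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": "correct horse battery staple",
}

SUCCESS = 0               # LDAP resultCode: success
INVALID_CREDENTIALS = 49  # LDAP resultCode: invalidCredentials


def simulated_bind(dn: str, password: str) -> tuple:
    """Return (resultCode, authorization identity) as a server would.

    Stand-in for a real bind request; assumption: the only thing the
    application sees back is the result code and the identity granted.
    """
    if dn == "" and password == "":
        return SUCCESS, "anonymous"      # anonymous bind, RFC 4513 5.1.1
    if dn != "" and password == "":
        return SUCCESS, "anonymous"      # unauthenticated bind, RFC 4513 5.1.2
    if DIRECTORY.get(dn) == password:
        return SUCCESS, dn               # simple bind with a real password
    return INVALID_CREDENTIALS, None


def authenticate_naive(dn: str, password: str) -> bool:
    """The poorly coded pattern from the thread: any SUCCESS counts as a login.

    A blank username and password reach the server as an anonymous bind,
    which always succeeds, so this function logs the user in.
    """
    code, _ = simulated_bind(dn, password)
    return code == SUCCESS


def authenticate_hardened(dn: str, password: str) -> bool:
    """Trap empty credentials before any bind is sent, then also require that
    the bind established the expected non-anonymous identity."""
    if not dn.strip() or not password.strip():
        return False                     # never let an anonymous bind be sent
    code, authz_id = simulated_bind(dn, password)
    return code == SUCCESS and authz_id == dn
```

Rejecting blank input outright, as above, has the same effect as the thread's suggestion of substituting random text into empty fields: no anonymous or unauthenticated bind ever leaves the application. The second condition in `authenticate_hardened` is a belt-and-braces check against a server that accepts the unauthenticated form; in the simulation that case returns the identity "anonymous" rather than the requested DN, so it is refused even though the result code was SUCCESS.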