We have just migrated from openldap to fedora, and have realized with
horror that some authentication clients (for example CAS) are giving the
OK to users who submit an empty password string.
We have been going slowly mad trying to find how to block this in the
configuration.
We previously allowed anonymous binds, but since discovering the problem
we have disallowed them ... but this does NOT solve the problem.
In a nutshell, this is what happens:

% ldapbind -h fedora_ds_server.utc.fr -p 389 -D "uid=someuser,ou=people,dc=utc,dc=fr" -w ""
bind successful

% ldapbind -h openldap_server.utc.fr -p 389 -D "uid=someuser,ou=people,dc=utc,dc=fr" -w ""
ldap_bind: DSA is unwilling to perform
ldap_bind: additional info: unauthenticated bind (DN with no password) disallowed

Could anyone tell us how to get fedora to behave like openldap in this
respect? There's a lot of stuff on the web about blocking
"unauthenticated binds" in openldap, but hardly anything regarding other
directory servers.
Any useful tips would be gratefully received.
David
David Lewis
system administrator
University of Compiegne
France
--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
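
Added example, not part of the original post and not code from any directory server project: RFC 4513 section 5.1.2 calls a simple bind with a non-empty DN and a zero-length password an "unauthenticated bind", which on success yields only anonymous authorization, so a client that treats "bind successful" as proof of identity accepts the empty password. The Python sketch below decodes a simple BindRequest and classifies it so that a proxy, log pipeline or test harness can flag such binds; the helper names are hypothetical and the sample messages are constructed.

```python
# Added illustration; helper names are hypothetical, sample messages are constructed.

def read_tlv(buf, pos=0):
    """Decode one BER element; return (tag, value, offset_after_element)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated element header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits count the length octets
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated element value")
    return tag, buf[pos:pos + length], pos + length

def classify_bind(message):
    """Classify an LDAPMessage carrying a BindRequest, per RFC 4513 section 5.1."""
    tag, body, _ = read_tlv(message)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, _msgid, pos = read_tlv(body)         # messageID INTEGER
    tag, op, _ = read_tlv(body, pos)
    if tag != 0x60:                         # [APPLICATION 0] = BindRequest
        return "not-a-bind"
    _, _version, pos = read_tlv(op)
    _, name, pos = read_tlv(op, pos)        # bind DN (OCTET STRING)
    auth_tag, credentials, _ = read_tlv(op, pos)
    if auth_tag != 0x80:                    # [0] = simple; anything else is SASL
        return "sasl"
    if credentials:
        return "name/password" if name else "password-without-dn"
    return "unauthenticated" if name else "anonymous"

def tlv(tag, value=b""):
    """Encode a short-form BER element (enough for the constructed samples)."""
    assert len(value) < 128
    return bytes([tag, len(value)]) + value

def simple_bind(dn, password, msgid=1):
    """Build a constructed LDAPv3 simple BindRequest for testing the classifier."""
    op = tlv(0x02, b"\x03") + tlv(0x04, dn.encode()) + tlv(0x80, password.encode())
    return tlv(0x30, tlv(0x02, bytes([msgid])) + tlv(0x60, op))

if __name__ == "__main__":
    dn = "uid=someuser,ou=people,dc=utc,dc=fr"
    for pw in ("", "constructed-password"):
        print(repr(pw), "->", classify_bind(simple_bind(dn, pw)))
```

The same three-way distinction applies on the client side: an application that authenticates users by binding should reject an empty password before sending the bind at all.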