Disable anonymous bind for OpenLDAP in CentOS 7

September 28, 2022


    LDAP bind is the process in which a client tries to authenticate itself to the server. Depending on the server setup, the bind request sent by the client may contain no credentials at all (i.e. an anonymous bind).

    In this guide, I will share how to configure the LDAP bind feature.

    Concept

    Before diving into the configuration, it's better to know the types of LDAP bind.

    Anonymous bind

    In an anonymous bind you present no distinguished name (you may treat it as an account name) and no password in the bind request, and the LDAP server treats you as anonymous. Usually, we combine it with LDAP access control (ACL) to prevent anonymous users from reading sensitive data if you decide to open part of the LDAP data to the public.

    (Figure: Anonymous bind)

    Unauthenticated bind

    Unauthenticated bind allows you to present a distinguished name with no password. By default, it is disabled, as many applications do not realize that they can still bind to the LDAP server with an incorrect password.

    Authenticated bind

    Authenticated bind requires the client to provide both a distinguished name and a password.

    (Figure: Authenticated bind)

    Disable anonymous bind for OpenLDAP

    By default, you can query LDAP data anonymously:

    ldapsearch -LLL -x -b "dc=abc,dc=local" '(uid=joe)'

    (Figure: Anonymous query)

    Now, we will disable it. Create a file named disable_bind_anon.ldif with the content below:

    dn: cn=config
    changetype: modify
    add: olcDisallows
    olcDisallows: bind_anon

    Apply the configuration

    sudo ldapadd -Y EXTERNAL -H ldapi:/// -f disable_bind_anon.ldif

    If we try again, we can no longer query the user:

    ldapsearch -LLL -x -b "dc=abc,dc=local" '(uid=joe)'

    (Figure: Disallowed anonymous query)
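To make the before/after check above repeatable, here is a small POSIX shell script (an added example, not code from the original post) that runs an anonymous ldapsearch, classifies the result from the exit code and the server's error text, and prints the same LDIF used above. It assumes openldap-clients is installed and that LDAP_URI and BASE_DN are placeholders you set for your own environment.

```shell
#!/bin/sh
# Added example, not from the original post: check whether an OpenLDAP server
# still accepts anonymous simple binds, and emit the LDIF that disallows them.
# Assumptions: ldapsearch (openldap-clients) is installed; LDAP_URI and BASE_DN
# are placeholders for your own environment.

LDAP_URI="${LDAP_URI:-ldap://localhost}"
BASE_DN="${BASE_DN:-dc=abc,dc=local}"

# classify_bind_result RC OUTPUT
# ldapsearch exits with the LDAP result code. When bind_anon is disallowed,
# slapd rejects the bind with "Inappropriate authentication (48)" and the
# additional text "anonymous bind disallowed", so both are checked.
classify_bind_result() {
  rc="$1"
  output="$2"
  case "$rc" in
    0)
      echo "allowed" ;;
    48)
      if printf '%s\n' "$output" | grep -q 'anonymous bind disallowed'; then
        echo "disallowed"
      else
        echo "inappropriate-auth"
      fi ;;
    *)
      echo "error-$rc" ;;
  esac
}

# check_anon_bind: anonymous (-x with no -D/-w) base-scope search, then classify.
check_anon_bind() {
  out=$(ldapsearch -LLL -x -H "$LDAP_URI" -b "$BASE_DN" -s base '(objectClass=*)' 2>&1)
  classify_bind_result "$?" "$out"
}

# make_disallow_ldif: the cn=config change from the post, ready to pipe into
#   sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /dev/stdin
make_disallow_ldif() {
  printf '%s\n' 'dn: cn=config' 'changetype: modify' \
                'add: olcDisallows' 'olcDisallows: bind_anon'
}

# Tiny CLI: "check" reports the current state, "ldif" prints the modification.
case "${1:-}" in
  check) echo "anonymous bind: $(check_anon_bind)" ;;
  ldif)  make_disallow_ldif ;;
esac
```

Run `sh check_anon_bind.sh check` before and after applying the LDIF; the verdict should change from `allowed` to `disallowed`.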

    Conclusion

    In this guide, we discussed what a bind is, the types of bind, and how to disable anonymous bind.

    Blog: https://joeho.xyz

    LinkedIn: https://www.linkedin.com/in/ho-cho-tai-0260758a
