Hi
I'd like to inventorise (and eventually disable) anonymous binds on an LDAP server with many different client applications. I am evaluating stats logs, and I see that most anonymous binds are logged as:
conn=32743 op=0 BIND dn="" method=128
conn=32743 op=0 RESULT tag=97 err=0 text=
However some connections log no BIND operation at all, just SRCH ops etc. I cannot replicate this behaviour with ldapsearch, it comes from an old java client.
So looking for 'BIND dn=""' is not enough - how can I reliably identify anonymous binds? Looking for each op=0 and if it's not a SRCH, assume it's an anonymous bind as well?
We have no "features" like bind_v2, bind_anon_cred etc enabled.
Second question is what is the proper way to disable anonymous access? Through access controls (which we already have in place for fine-grained write access control), or on a server-wide level by 'disallow bind_anon'?
Thanks
Geert
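An added example (not from the poster or from OpenLDAP) that applies the rule the post is reaching for to the stats-log format quoted above: a connection is anonymous for every operation it sends before a successful BIND with a non-empty DN, whether it sent `BIND dn=""`, no BIND at all, or a BIND that failed. The log lines are constructed, and the regexes assume the default slapd stats-log layout shown in the post.

```python
import re
# Constructed sample of slapd stats-log lines (loglevel 256), in the format quoted in the post.
SAMPLE_LOG = """\
conn=1000 fd=12 ACCEPT from IP=10.0.0.5:40001 (IP=0.0.0.0:389)
conn=1000 op=0 BIND dn="" method=128
conn=1000 op=0 RESULT tag=97 err=0 text=
conn=1000 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(uid=alice)"
conn=1001 fd=13 ACCEPT from IP=10.0.0.6:40002 (IP=0.0.0.0:389)
conn=1001 op=0 BIND dn="cn=app,ou=svc,dc=example,dc=com" method=128
conn=1001 op=0 RESULT tag=97 err=0 text=
conn=1001 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(uid=bob)"
conn=1002 fd=14 ACCEPT from IP=10.0.0.7:40003 (IP=0.0.0.0:389)
conn=1002 op=0 SRCH base="dc=example,dc=com" scope=2 filter="(cn=*)"
conn=1003 fd=15 ACCEPT from IP=10.0.0.8:40004 (IP=0.0.0.0:389)
conn=1003 op=0 BIND dn="cn=app,ou=svc,dc=example,dc=com" method=128
conn=1003 op=0 RESULT tag=97 err=49 text=
conn=1003 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(uid=x)"
"""
ACCEPT_RE = re.compile(r'conn=(\d+) fd=\d+ ACCEPT from IP=(\S+)')
OP_RE = re.compile(r'conn=(\d+) op=(\d+) (\w+)(?: (.*))?$')
DN_RE = re.compile(r'dn="([^"]*)"')
ERR_RE = re.compile(r'err=(\d+)')
def find_anonymous(lines):
    """Map conn id -> (client, reason, [ops]) for each connection that ran an op unauthenticated."""
    client = {}   # conn -> address from the ACCEPT line
    authed = {}   # conn -> True after a non-empty-DN BIND got err=0 (key exists once any BIND was seen)
    pending = {}  # conn -> (op, dn) of a BIND still awaiting its RESULT
    hits = {}
    for line in lines:
        m = ACCEPT_RE.match(line)
        if m:
            client[m.group(1)] = m.group(2)
            continue
        m = OP_RE.match(line)
        if not m:
            continue  # e.g. "conn=N fd=M closed" lines carry nothing we need
        conn, op, kind, rest = m.group(1), m.group(2), m.group(3), m.group(4) or ""
        if kind == "BIND":
            authed[conn] = False  # a new Bind request drops the session back to anonymous
            dn_m = DN_RE.search(rest)
            if dn_m:  # SASL binds log several BIND lines; the last dn="..." before RESULT wins
                pending[conn] = (op, dn_m.group(1))
        elif kind == "RESULT" and pending.get(conn, (None,))[0] == op:
            dn = pending.pop(conn)[1]
            # dn="" is an explicit anonymous bind; a failed bind (err!=0) also leaves it anonymous
            authed[conn] = dn != "" and ERR_RE.search(rest).group(1) == "0"
        elif kind not in ("RESULT", "SEARCH", "UNBIND") and not authed.get(conn):
            reason = "no BIND at all" if conn not in authed else "anonymous or failed BIND"
            hits.setdefault(conn, (client.get(conn, "?"), reason, []))[2].append(kind)
    return hits
```

The returned mapping gives the client address and the reason per connection, which is what an inventory of anonymous clients needs before 'disallow bind_anon' or a tighter ACL is turned on.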