--On Tuesday, March 3, 2020 3:04 PM +0100 Geert Hendrickx geert@hendrickx.be wrote:
> However some connections log no BIND operation at all, just SRCH ops etc. I cannot replicate this behaviour with ldapsearch, it comes from an old java client.
>
> This can be replicated in Perl pretty easily:
>
> #!/usr/bin/perl
> use strict;
> use warnings;
> use Net::LDAP;
>
> # Connect and search without ever calling bind(): the search is anonymous.
> my $uri  = "ldap://SOMEHOST:389/";
> my $ldap = Net::LDAP->new($uri) or die "$@";
>
> # attrs '1.1' asks for no attributes, only the DNs of matching entries.
> my $mesg = $ldap->search(
>     base   => "dc=example,dc=com",
>     filter => "(objectClass=*)",
>     scope  => "sub",
>     attrs  => ['1.1'],
> );
> $mesg->code and die $mesg->error;
>
> foreach my $entry ($mesg->entries) {
>     print $entry->dn . "\n";
> }
>
> So looking for 'BIND dn=""' is not enough - how can I reliably identify anonymous binds? Looking for each op=0 and if it's not a SRCH, assume it's an anonymous bind as well?
I think you mean, look for each op=0, and IF it's a SRCH op, assume it is an anonymous bind as well. I.e., this is what I get with the perl script:
conn=1001 op=0 SRCH base="dc=example,dc=com" scope=2 deref=2 filter="(objectClass=*)"
> We have no "features" like bind_v2, bind_anon_cred etc enabled.
>
> Second question is what is the proper way to disable anonymous access? Through access controls (which we already have in place for fine-grained write access control), or on server-wide level by 'disallow bind_anon' ?
Well, the man page says that disallow bind_anon doesn't prevent anonymous directory access (which is what you see with the perl script and Java program). From the man page:
    bind_anon    disables acceptance of anonymous bind requests. Note that this setting does not prohibit anonymous directory access (See "require authc").
If you look at the "require" keyword, we have:
    authc    requires authentication prior to directory operations.
So probably the best way to do this would be to have both:
    disallow bind_anon
    require authc
Regards, Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com
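The detection rule worked out in the thread, as an added example that is not part of the original mail exchange: walk the slapd log per connection, remember the identity from the last BIND that got RESULT err=0, and flag any data operation that runs either after an explicit BIND dn="" or on a connection that never sent a BIND at all (the Perl/Java case). The log lines are constructed for illustration in slapd's syslog format; hostnames, PIDs, IPs and DNs are made up.

```python
import re

# Constructed sample in slapd's syslog format (not real log data):
# conn=1001 searches without ever binding (the Perl/Java behaviour),
# conn=1002 binds anonymously first, conn=1003 binds as a real DN.
SAMPLE_LOG = """\
Mar  3 15:04:01 ldap1 slapd[1234]: conn=1001 fd=12 ACCEPT from IP=10.0.0.5:51234 (IP=0.0.0.0:389)
Mar  3 15:04:01 ldap1 slapd[1234]: conn=1001 op=0 SRCH base="dc=example,dc=com" scope=2 deref=2 filter="(objectClass=*)"
Mar  3 15:04:01 ldap1 slapd[1234]: conn=1001 op=0 SEARCH RESULT tag=101 err=0 nentries=3 text=
Mar  3 15:04:01 ldap1 slapd[1234]: conn=1001 op=1 UNBIND
Mar  3 15:04:02 ldap1 slapd[1234]: conn=1002 fd=13 ACCEPT from IP=10.0.0.6:40112 (IP=0.0.0.0:389)
Mar  3 15:04:02 ldap1 slapd[1234]: conn=1002 op=0 BIND dn="" method=128
Mar  3 15:04:02 ldap1 slapd[1234]: conn=1002 op=0 RESULT tag=97 err=0 text=
Mar  3 15:04:02 ldap1 slapd[1234]: conn=1002 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(uid=alice)"
Mar  3 15:04:02 ldap1 slapd[1234]: conn=1002 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Mar  3 15:04:03 ldap1 slapd[1234]: conn=1003 fd=14 ACCEPT from IP=10.0.0.7:55001 (IP=0.0.0.0:389)
Mar  3 15:04:03 ldap1 slapd[1234]: conn=1003 op=0 BIND dn="cn=admin,dc=example,dc=com" method=128
Mar  3 15:04:03 ldap1 slapd[1234]: conn=1003 op=0 RESULT tag=97 err=0 text=
Mar  3 15:04:03 ldap1 slapd[1234]: conn=1003 op=1 MOD dn="uid=alice,ou=people,dc=example,dc=com"
Mar  3 15:04:03 ldap1 slapd[1234]: conn=1003 op=1 RESULT tag=103 err=0 text=
"""

OP_RE = re.compile(r'conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<kind>[A-Z]+)')
BIND_DN_RE = re.compile(r'BIND dn="(?P<dn>[^"]*)"')
BIND_RESULT_RE = re.compile(r' RESULT tag=97 err=(?P<err>\d+)')   # tag 97 = BindResponse
# Operations that read or change directory data; these decide whether
# anonymous access is actually being used on a connection.
DATA_OPS = {"SRCH", "MOD", "ADD", "DEL", "MODRDN", "CMP", "EXT"}


def find_anonymous_ops(lines):
    """Return one finding per data operation performed without an
    authenticated identity on its connection.

    A bind only counts once slapd has logged RESULT tag=97 err=0 for it,
    so a failed bind (or the first step of a multi-step SASL bind, which
    returns a non-zero err) leaves the connection anonymous.
    """
    bound_as = {}   # conn -> DN of the last successful bind ("" = anonymous)
    pending = {}    # conn -> DN from a BIND still waiting for its RESULT
    findings = []
    for line in lines:
        m = OP_RE.search(line)
        if not m:
            continue                     # ACCEPT, closed, fd= lines, etc.
        conn, kind = m.group("conn"), m.group("kind")
        if kind == "BIND":
            dn = BIND_DN_RE.search(line)
            if dn:
                pending[conn] = dn.group("dn")
            continue
        r = BIND_RESULT_RE.search(line)
        if r and conn in pending:
            if r.group("err") == "0":
                bound_as[conn] = pending[conn]
            del pending[conn]
            continue
        if kind == "UNBIND":
            bound_as.pop(conn, None)
            pending.pop(conn, None)
            continue
        if kind in DATA_OPS and not bound_as.get(conn):
            findings.append({
                "conn": conn,
                "op": m.group("op"),
                "kind": kind,
                "reason": 'anonymous BIND (dn="")' if conn in bound_as
                          else "no BIND on connection",
            })
    return findings


if __name__ == "__main__":
    for f in find_anonymous_ops(SAMPLE_LOG.splitlines()):
        print("conn={conn} op={op} {kind}: {reason}".format(**f))
```

Run against a real log the script reads lines from a file instead of SAMPLE_LOG; the two connections it reports here (1001 with no BIND at all, 1002 with an explicit anonymous BIND) are exactly the two cases that a plain grep for 'BIND dn=""' only half covers. Once `disallow bind_anon` and `require authc` are in place, the 1001 case should show up in the log as an error result on the SRCH rather than as returned entries, which is a useful way to confirm the change took effect.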