[Date Prev][Date Next] [Chronological] [Thread] [Top]

Security and bind_anonymous_dn

To: Openldap list <openldap-software@OpenLDAP.org>
Subject: Security and bind_anonymous_dn
From: Tony Earnshaw <tonye@billy.demon.nl>
Date: Tue, 23 Mar 2004 20:10:40 +0100
Organization: Billy

List,

Openldap 2.2.6, BDB 4.2.52 on RedHat's RHEL3.

All the files lying around on my harddisk with my proxy admin password
made me unhappy. Examples are /etc/ldap.secret, Postfix 2.0.18 snaphot's
many /etc/postfix/maps/ldap/mumble.cf's,
/usr/lib/courier-imap/etc/authldaprc, /usr/lib/sasl2/smtpd.conf and I'm
sure there are more, only I can't remember where they are :(

Someone on "another list" pointed out slapd's 'allow anonymous_bind_dn'.
Sure enough, with 'allow anonymous_bind_dn' I can get rid of the proxy
admin password in every file but my Openldap/Postfix SASL
/usr/lib/sasl2/smtpd.conf. Only one file to remember.

Can anyone point out any obvious security-based (or other) reason for
not allowing bind_anonymous_dn in slapd.conf? If not, why isn't it
standard?

Best,

--Tonni

-- 

mail: billy - at - billy.demon.nl
http://www.billy.demon.nl
-- 

mail: billy - at - billy.demon.nl
http://www.billy.demon.nl

Follow-Ups:
- RE: Security and bind_anonymous_dn
  - From: "Howard Chu" <hyc@highlandsun.com>
- syslog and slapd
  - From: Chris Majewski <majewski@cs.ubc.ca>

Prev by Date: Unexpected Shutdown
Next by Date: Confused 'bout diff. between SHA and SSHA
Index(es):
- Chronological
- Thread