
RE: Security and bind_anonymous_dn

> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Tony Earnshaw

> Openldap 2.2.6, BDB 4.2.52 on RedHat's RHEL3.
> All the files lying around on my hard disk with my proxy admin password
> made me unhappy. Examples are /etc/ldap.secret, Postfix 2.0.18 snapshot's
> many /etc/postfix/maps/ldap/mumble.cf's, /usr/lib/courier-imap/etc/authldaprc,
> /usr/lib/sasl2/smtpd.conf and I'm sure there are more, only I can't
> remember where they are :(
> Someone on "another list" pointed out slapd's 'allow anonymous_bind_dn'.
> Sure enough, with 'allow anonymous_bind_dn' I can get rid of the proxy
> admin password in every file but my Openldap/Postfix SASL
> /usr/lib/sasl2/smtpd.conf. Only one file to remember.
> Can anyone point out any obvious security-based (or other) reason for
> not allowing bind_anonymous_dn in slapd.conf? If not, why isn't it
> standard?

There's no problem with it if your server allows anonymous access to perform
all the operations those various packages need. But then you could just bind
anonymously with no DN at all and do away with the proxy user entirely.

The reason anonymous_bind_dn is no longer enabled by default is that it
doesn't actually authenticate anything. Many LDAP authentication clients out
there perform an LDAP Simple Bind and assume if it succeeds that the user is
authenticated, without performing any further verification. When you use
anonymous_bind_dn, then any LDAP Simple Bind request with any DN and no
password automatically returns Success, even though the session remains
anonymous/unprivileged. The client would see Success and then allow the user
access to whatever resource was being guarded (PAM->Unix host, maybe a web
server, whatever...)

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
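Added example to illustrate the failure mode described in the reply above; this is not code from the thread or from OpenLDAP. It encodes the three forms of LDAP Simple Bind (anonymous, unauthenticated, name/password, in RFC 4513 terms) to show that a "DN with empty password" bind is a distinct request on the wire, and then simulates a server with and without the option the thread calls anonymous_bind_dn (spelled `bind_anon_dn` in slapd.conf's `allow` directive) against a naive client that trusts resultCode alone and a careful client that refuses to send an unauthenticated bind and checks the resulting session identity. The sample directory entry, its password, and the exact result code the simulated server returns when it refuses an unauthenticated bind (unwillingToPerform, 53) are assumptions made for this example.

```python
"""Simulation of LDAP Simple Bind outcomes with and without slapd's
'allow bind_anon_dn'. Added example, not OpenLDAP code; the directory
contents and the server's refusal code are assumptions."""

# LDAP resultCode values from RFC 4511.
SUCCESS = 0
INVALID_CREDENTIALS = 49
UNWILLING_TO_PERFORM = 53


def _ber(tag: int, payload: bytes) -> bytes:
    """Minimal BER TLV: one tag byte, definite-form length, payload."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload


def encode_simple_bind(message_id: int, dn: str, password: str) -> bytes:
    """Encode an LDAPv3 BindRequest with the 'simple' authentication choice.
    An empty password goes on the wire as the [0] OCTET STRING with zero
    length (bytes 0x80 0x00); the DN is still sent, so this is not the same
    request as an anonymous bind with no DN."""
    version = _ber(0x02, b"\x03")                       # INTEGER 3
    name = _ber(0x04, dn.encode("utf-8"))               # LDAPDN (OCTET STRING)
    auth = _ber(0x80, password.encode("utf-8"))         # simple [0] OCTET STRING
    bind_request = _ber(0x60, version + name + auth)    # [APPLICATION 0] SEQUENCE
    return _ber(0x30, _ber(0x02, bytes([message_id])) + bind_request)


def classify_bind(dn: str, password: str) -> str:
    """RFC 4513 names for the forms of Simple Bind."""
    if not dn and not password:
        return "anonymous"
    if dn and not password:
        return "unauthenticated"
    if dn and password:
        return "name/password"
    return "credentials-without-name"   # not an RFC 4513 mechanism


def slapd_simple_bind(dn, password, allow_bind_anon_dn, directory):
    """Toy stand-in for the server side (assumed behaviour, not slapd's code).
    Returns (resultCode, authzid of the resulting session); "" means the
    session is anonymous, as the Who Am I? extended operation (RFC 4532)
    would report it."""
    kind = classify_bind(dn, password)
    if kind == "anonymous":
        return SUCCESS, ""
    if kind == "unauthenticated":
        if allow_bind_anon_dn:
            return SUCCESS, ""             # Success, yet the session is anonymous
        return UNWILLING_TO_PERFORM, ""    # assumed refusal code for DN-without-password
    if kind == "credentials-without-name":
        return UNWILLING_TO_PERFORM, ""    # assumed: refused unless bind_anon_cred
    if directory.get(dn) == password:
        return SUCCESS, "dn:" + dn
    return INVALID_CREDENTIALS, ""


def naive_client_login(dn, password, server) -> bool:
    """The pattern the reply warns about: bind returned Success, so let the user in."""
    code, _ = server(dn, password)
    return code == SUCCESS


def careful_client_login(dn, password, server) -> bool:
    """Never issue an unauthenticated bind for a login check, and confirm the
    session identity afterwards instead of trusting resultCode alone."""
    if classify_bind(dn, password) != "name/password":
        return False
    code, authzid = server(dn, password)
    return code == SUCCESS and authzid == "dn:" + dn


def make_server(allow_bind_anon_dn, directory):
    """Bind the simulated server to one configuration."""
    return lambda dn, pw: slapd_simple_bind(dn, pw, allow_bind_anon_dn, directory)


# Constructed sample directory: one entry, plaintext password for the simulation only.
DIRECTORY = {"cn=admin,dc=example,dc=com": "s3cret"}

if __name__ == "__main__":
    admin = "cn=admin,dc=example,dc=com"
    print("wire bytes of DN-plus-empty-password bind:", encode_simple_bind(1, admin, "").hex())
    for allow in (True, False):
        srv = make_server(allow, DIRECTORY)
        print(f"allow bind_anon_dn={allow}: naive login with empty password ->",
              naive_client_login(admin, "", srv),
              "| careful ->", careful_client_login(admin, "", srv))
```

The point to take from the simulation is that the careful client is safe under either server setting, while the naive client is only safe because the server refuses unauthenticated binds; a client that forwards a user-supplied password without checking it is non-empty is relying on the server's configuration for its own correctness. In a real deployment the identity check would be the Who Am I? extended operation after the bind, which most client libraries expose, and the empty-password check belongs in the client before any request is sent.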