
RE: Security and bind_anonymous_dn



Tue, 23.03.2004 at 21.14, Howard Chu wrote:

> > Can anyone point out any obvious security-based (or other) reason for
> > not allowing bind_anonymous_dn in slapd.conf? If not, why isn't it
> > standard?
> 
> There's no problem with it if your server allows anonymous access to perform
> all the operations those various packages need. But then you could just bind
> anonymously with no DN at all and do away with the proxy user entirely.

I've removed the "allow bind_anonymous_dn" and rationalized the whole thing.
Only where there's no obvious entity binding do I now give a user and a
password.

> The reason anonymous_bind_dn is no longer enabled by default is that it
> doesn't actually authenticate anything.

Understood.

> Many LDAP authentication clients out
> there perform an LDAP Simple Bind and assume if it succeeds that the user is
> authenticated, without performing any further verification. When you use
> anonymous_bind_dn, then any LDAP Simple Bind request with any DN and no
> password automatically returns Success, even though the session remains
> anonymous/unprivileged. The client would see Success and then allow the user
> access to whatever resource was being guarded (PAM->Unix host, maybe a web
> server, whatever...)

Thanks for clearing that up, after all that time.

--Tonni

-- 

mail: billy - at - billy.demon.nl
http://www.billy.demon.nl