[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: Security and bind_anonymous_dn

tir, 23.03.2004 kl. 21.14 skrev Howard Chu:

> > Can anyone point out any obvious security-based (or other) reason for
> > not allowing bind_anonymous_dn in slapd.conf? If not, why isn't it
> > standard?
> There's no problem with it if your server allows anonymous access to perform
> all the operations those various packages need. But then you could just bind
> anonymously with no DN at all and do away with the proxy user entirely.

I've removed the "allow bind_anonymous_dn" and rationalized the whole thing.
Only where there's no obvious entity binding do I now give a user and a

> The reason anonymous_bind_dn is no longer enabled by default is that it
> doesn't actually authenticate anything.


>  Many LDAP authentication clients out
> there perform an LDAP Simple Bind and assume if it succeeds that the user is
> authenticated, without performing any further verification. When you use
> anonymous_bind_dn, then any LDAP Simple Bind request with any DN and no
> password automatically returns Success, even though the session remains
> anonymous/unprivileged. The client would see Success and then allow the user
> access to whatever resource was being guarded (PAM->Unix host, maybe a web
> server, whatever...)

Thanks for clearing that up, after all that time.



mail: billy - at - billy.demon.nl