
Re: Anonymous bind allowed when configured not to.

--On May 24, 2012 9:41:48 AM -0400 Kyle Smith <alacer.cogitatus@gmail.com> wrote:

Good Morning,

I was recently made aware of a problem with my OpenLDAP 2.4.26 and
2.4.28 servers.

I have configured each server to disallow anony using the below directive.

### Disable anony
disallow bind_anon

This works great for Softerra Ldap Administrator, and the ldapsearch
command (linux).

$ ldapsearch -x -H ldaps://openldap.example.com -b "ou=peoples,dc=example,dc=com" "(uid=someuser)"
ldap_bind: Inappropriate authentication (48)
        additional info: anonymous bind disallowed

However, when I use Jxplorer (http://jxplorer.org/) it not only allows
the bind, but allows the search. Right now the ACL is set for "by
anonymous read", but shouldn't the disallow directive even prevent the
connection?

How can it disallow a connection when there is no way to know if a connection is anonymous or not until after it is made? And it doesn't sound to me like the JXplorer connection is anonymous. The server doesn't treat different kinds of clients in different ways. It could be JXplorer is ignoring the result, which would then mean its search query would do nothing either.

--Quanah


--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra ::  the leader in open source messaging and collaboration
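A command-line check that a server really refuses anonymous access, added here as an example and not part of the thread. It uses the same anonymous probe as above (ldapsearch with -x and no -D), assumes the OpenLDAP client tools are on PATH, and the URI and base DN are the ones from the question; the helper name is hypothetical.

```shell
#!/bin/sh
# Probe whether an OpenLDAP server enforces "disallow bind_anon" and, if it
# does not, whether the "by anonymous read" ACL actually exposes entries.
# Hypothetical helper written for this thread, not OpenLDAP's own tooling.
# Assumes ldapsearch (OpenLDAP client tools) is on PATH.
#
# Exit status of the function:
#   0  anonymous bind rejected with result 48 (inappropriateAuthentication),
#      which is what "disallow bind_anon" produces
#   1  anonymous bind accepted AND the search returned data: anonymous read
#      is live, so a client that ignores bind errors would get that data too
#   2  anything else (connection failure, unexpected result code)
check_anon_access() {
    uri="$1"; base="$2"
    # -x = simple bind; no -D/-w means the bind is anonymous.
    # -s base -LLL keeps the probe to one entry with minimal output.
    # ldapsearch exits with the LDAP result code, so capture it.
    if out=$(ldapsearch -x -H "$uri" -b "$base" -s base -LLL "(objectClass=*)" 2>&1); then
        rc=0
    else
        rc=$?
    fi
    case "$rc" in
        48)
            echo "OK: anonymous bind rejected by $uri"
            return 0 ;;
        0)
            entries=$(printf '%s\n' "$out" | grep -c '^dn:' || true)
            echo "WARNING: anonymous bind accepted; search returned $entries entries under $base"
            return 1 ;;
        *)
            echo "UNEXPECTED (ldapsearch exit $rc): $out"
            return 2 ;;
    esac
}

# Usage with the values from the thread (run manually against your server):
# check_anon_access ldaps://openldap.example.com "ou=peoples,dc=example,dc=com"
```

Run it once per server; a WARNING means the directory is readable without credentials regardless of what any particular client reports after its bind.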