
Re: Anonymous bind allowed when configured not to.



From the debugs I did, it looks like jxplorer makes the connection,
but never sends a bind command. It goes straight to the search
command. So while anonymous bind is disabled, require bind was not on.
I set the require bind directive and now it acts as necessary. Would it
be a wise change to implicitly include require bind when disallow
bind_anon is set?



On May 24, 2012, at 11:59 AM, Quanah Gibson-Mount <quanah@zimbra.com> wrote:

>
>
> --On May 24, 2012 9:41:48 AM -0400 Kyle Smith <alacer.cogitatus@gmail.com> wrote:
>
>> Good Morning,
>>
>> I was recently made aware of a problem with my OpenLDAP 2.4.26 and
>> 2.4.28 servers.
>>
>> I have configured each server to disallow anony using the below directive.
>>
>> ### Disable anony
>> disallow bind_anon
>>
>> This works great for Softerra Ldap Administrator, and the ldapsearch
>> command (linux).
>>
>> $ ldapsearch -x -H ldaps://openldap.example.com -b
>> "ou=peoples,dc=example,dc=com" "(uid=someuser)"
>> ldap_bind: Inappropriate authentication (48)
>>        additional info: anonymous bind disallowed
>>
>> However, when I use Jxplorer (http://jxplorer.org/) it not only allows
>> the bind, but allows the search. Right now the ACL is set for "by
>> anonymous read", but shouldn't the disallow directive even prevent the
>> connection?
>
> How can it disallow a connection when there is no way to know if a connection is anonymous or not until after it is made?  And it doesn't sound to me like the JXplorer connection is anonymous.  The server doesn't treat different kinds of clients in different ways.  It could be jxplorer is ignoring the result, which would then mean its search query would do nothing either.
>
> --Quanah
>
>
> --
> Quanah Gibson-Mount
> Principal Software Engineer
> Zimbra, Inc
> --------------------
> Zimbra ::  the leader in open source messaging and collaboration
>
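The gap the thread turns on is that "disallow bind_anon" only rejects anonymous *bind* operations; a client that skips the bind and sends a search straight away (as the debugs show JXplorer doing) is still anonymous and is judged by the ACLs alone, which is exactly what "by anonymous read" permits. "require bind" closes that gap. The following is an added example, not code from the thread or from the OpenLDAP project: a small slapd.conf auditor that embeds a constructed "weak" configuration matching the one described in the thread beside a constructed hardened one, and reports databases that disallow anonymous bind without requiring a bind, plus ACLs that hand data access to an unbound client. The sample configurations, the mdb database and suffix, and all function names are assumptions for this example; it reads the slapd.conf text format only, not the cn=config (olcDisallows/olcRequires) equivalents.

```python
"""Audit a slapd.conf for the anonymous-search gap discussed above:
'disallow bind_anon' stops anonymous *bind* operations only, so a
connection that never binds is still anonymous and sees whatever the
ACLs grant to 'anonymous' (or to '*'). Constructed example configs."""
import shlex

WEAK_CONF = """\
# Constructed: refuses anonymous binds, nothing else
disallow bind_anon

database mdb
suffix "dc=example,dc=com"
access to *
    by anonymous read
    by * read
"""

HARDENED_CONF = """\
# Constructed: also refuse operations on a connection that never bound,
# and stop granting anonymous clients read access through the ACL
disallow bind_anon
require bind

database mdb
suffix "dc=example,dc=com"
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none
access to *
    by users read
    by * none
"""

# Access levels that expose directory data to an unauthenticated client;
# 'auth' (bind only) and 'none' are what anonymous should normally get.
DATA_ACCESS = {"compare", "search", "read", "write", "manage"}


def logical_lines(text):
    """slapd.conf(5) lexing: drop blank and '#' lines, and join a line
    that begins with whitespace onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw.strip())
    return lines


def parse(text):
    """Return a global section followed by one section per 'database'
    directive, each holding (directive, args) tuples."""
    sections = [{"name": "global", "directives": []}]
    for line in logical_lines(text):
        words = shlex.split(line)
        directive, args = words[0].lower(), words[1:]
        if directive == "database":
            sections.append({"name": f"database {args[0]}", "directives": []})
        elif directive == "suffix" and len(sections) > 1:
            sections[-1]["name"] += f" ({args[0]})"
        sections[-1]["directives"].append((directive, args))
    return sections


def anonymous_level(acl_args):
    """For the arguments of one 'access' directive, return (what, level)
    as seen by the anonymous identity: slapd applies the first 'by' clause
    whose <who> matches, and both 'anonymous' and '*' match an unbound
    client; with no matching clause the implicit 'by * none' applies."""
    what = acl_args[1] if len(acl_args) > 1 and acl_args[0] == "to" else "?"
    clause = []
    for tok in acl_args[2:] + ["by"]:        # trailing sentinel flushes the last clause
        if tok == "by":
            if clause and clause[0] in ("anonymous", "*"):
                return what, (clause[1] if len(clause) > 1 else "(unspecified)")
            clause = []
        else:
            clause.append(tok)
    return what, "none"


def audit(text):
    """Return a list of findings; an empty list means every database has
    the gap closed. 'disallow' is global; 'require' may be global or
    per database, and a database counts as covered here if either names
    bind or authc (conservative; confirm precedence in slapd.conf(5))."""
    sections = parse(text)
    glob = sections[0]["directives"]
    bind_anon_disallowed = any(d == "disallow" and "bind_anon" in a for d, a in glob)
    global_require = {c.lower() for d, a in glob if d == "require" for c in a}
    findings = []
    if not bind_anon_disallowed:
        findings.append("global: anonymous bind is permitted (no 'disallow bind_anon')")
    for sec in sections[1:]:
        require = global_require | {c.lower() for d, a in sec["directives"]
                                    if d == "require" for c in a}
        if bind_anon_disallowed and not require & {"bind", "authc"}:
            findings.append(f"{sec['name']}: no 'require bind' (or 'require authc'); "
                            "a client that never binds is still anonymous and is "
                            "checked only against the ACLs")
        for d, a in sec["directives"]:
            if d == "access":
                what, level = anonymous_level(a)
                if level in DATA_ACCESS:
                    findings.append(f"{sec['name']}: ACL 'access to {what}' "
                                    f"gives anonymous '{level}'")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf) or ["ok"])
```

Run against the weak configuration it reports both halves of the problem from the thread (no "require bind", and "access to *" giving anonymous read); the hardened one comes back clean. The reason "ldapsearch -x" and Softerra appeared to enforce the restriction is that they send an anonymous simple bind first, which is what "disallow bind_anon" rejects with result 48; a client that omits the bind never triggers that check. "require authc" is the stricter variant if you also want to rule out any bind that does not authenticate, and the "by anonymous auth" clause on userPassword is what still lets clients bind once anonymous data access is withdrawn.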