Wednesday 13 January 2016

Disable Anonymous Binds in IPA v3 (and enable them again)

I was not entirely happy with the documentation for this here: 
While correct, it gives me no idea how to check the current configuration, how to turn anonymous binds back on again, or how to test my changes.

Here is my approach:

Check the current config with this LDAP query (there may be room for optimising this). It binds as Directory Manager (-D/-W) and reads the single attribute that controls anonymous access from the cn=config entry:
ldapsearch -x -u -h ipa.server -b cn=config "(cn=config)" nsslapd-allow-anonymous-access -W -D "cn=Directory Manager"

That should yield:
...
nsslapd-allow-anonymous-access: on


or
...
nsslapd-allow-anonymous-access: rootdse


I then created two simple LDIFs to disable and enable anonymous binds (the value rootdse keeps anonymous read access to the root DSE only, which is what the IPA clients still need; on allows it everywhere):

disable-anonymous-binds.ldif
# disable-anonymous-binds.ldif
dn: cn=config
changetype: modify
replace: nsslapd-allow-anonymous-access
nsslapd-allow-anonymous-access: rootdse


enable-anonymous-binds.ldif
# enable-anonymous-binds.ldif
dn: cn=config
changetype: modify
replace: nsslapd-allow-anonymous-access
nsslapd-allow-anonymous-access: on


Either of which can be applied with ldapmodify; the file is passed with -f (one command per file, since the shell would otherwise read the | as a pipe):
ldapmodify -x -D "cn=Directory Manager" -W -h ipa.server -f disable-anonymous-binds.ldif
ldapmodify -x -D "cn=Directory Manager" -W -h ipa.server -f enable-anonymous-binds.ldif
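To test the change from the outside as well as reading cn=config, here is an added check script (my own addition, not part of the post above): it reads the configured value and then runs two anonymous searches, one against the root DSE and one against the directory suffix, and compares the observed behaviour with what the setting should produce. It assumes the OpenLDAP client tools, the placeholder host ipa.server and a placeholder suffix dc=example,dc=com (both overridable via environment variables), and that ldapsearch exits with the LDAP result code (0 = success, 48 = inappropriateAuthentication), which is how the OpenLDAP tools behave.

```shell
#!/bin/sh
# Added example, not from the original post. Placeholders: IPA_HOST, SUFFIX.
IPA_HOST="${IPA_HOST:-ipa.server}"
SUFFIX="${SUFFIX:-dc=example,dc=com}"

# Pull the configured value out of ldapsearch output for cn=config.
config_value() {
    sed -n 's/^nsslapd-allow-anonymous-access: *//p' | tr -d '\r' | head -n 1
}

# Translate the exit status of an anonymous ldapsearch into a verdict.
# OpenLDAP tools exit with the LDAP result code: 0 = success,
# 48 = inappropriateAuthentication (server refused the anonymous request).
verdict() {
    case "$1" in
        0)  echo allowed ;;
        48) echo refused ;;
        *)  echo "error-$1" ;;
    esac
}

# Anonymous base-scope search of a DN (no -D / -W); prints the exit status.
# "1.1" asks for no attributes, so only the result code matters.
anon_probe() {
    ldapsearch -x -h "$IPA_HOST" -b "$1" -s base "(objectClass=*)" 1.1 >/dev/null 2>&1
    echo $?
}

# Expected "<root DSE> <suffix>" verdicts for each value of the setting:
# rootdse lets clients read the root DSE but nothing else; off breaks both.
expected() {
    case "$1" in
        on)      echo "allowed allowed" ;;
        rootdse) echo "allowed refused" ;;
        off)     echo "refused refused" ;;
        *)       echo "unknown unknown" ;;
    esac
}

main() {
    cfg=$(ldapsearch -x -LLL -h "$IPA_HOST" -D "cn=Directory Manager" -W \
          -b cn=config "(cn=config)" nsslapd-allow-anonymous-access | config_value)
    got="$(verdict "$(anon_probe "")") $(verdict "$(anon_probe "$SUFFIX")")"
    echo "configured: $cfg; anonymous root DSE / suffix: $got"
    if [ "$got" = "$(expected "$cfg")" ]; then echo "OK: behaviour matches config"
    else echo "MISMATCH: expected $(expected "$cfg")"; exit 1; fi
}

case "${1:-}" in --run) main ;; esac
```

Run it as `sh check-anon-binds.sh --run` after each ldapmodify; it prompts once for the Directory Manager password.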