nattapon viroonsri
2006-Nov-10 10:27 UTC
[Fedora-directory-users] disable bind with blank password
Hi,

Looks like the default fedora-ds policy is to accept a bind with a blank password?
I have tested with
ldapsearch -x -D "uid=someone,ou=people,dc=example,dc=com" -w ""
and get the same result as when using the correct password.

If I use a wrong password I will get
ldap_bind: Invalid credentials (49)

How can I disable bind with a blank password?

Thanks
Nattapon

Radek Hladik
2006-Nov-10 12:31 UTC
Re: [Fedora-directory-users] disable bind with blank password
nattapon viroonsri wrote:
> Hi,
>
> Looks like the default fedora-ds policy is to accept a bind with a blank password?
> I have tested with
> ldapsearch -x -D "uid=someone,ou=people,dc=example,dc=com" -w ""
> and get the same result as when using the correct password.
>
> If I use a wrong password I will get
> ldap_bind: Invalid credentials (49)
>
> How can I disable bind with a blank password?
>
> Thanks
> Nattapon

I'm not an FDS expert, but as I have noticed, FDS will log you in anonymously if you enter no password... Try to make some changes in FDS without a password (i.e. change the office number of the user you have specified to bind).

If you don't want this, you need to disable access for anonymous users.

A feature to disable anonymous binding altogether is planned for future versions. In the current version, all you need to/can do is disable the ACI for anonymous access. But be sure that no other utility uses anonymous access to LDAP, as i.e. pam and nss do by default.

Radek

Richard Megginson
2006-Nov-10 14:24 UTC
Re: [Fedora-directory-users] disable bind with blank password
Radek Hladik wrote:
> nattapon viroonsri wrote:
>> Hi,
>>
>> Looks like the default fedora-ds policy is to accept a bind with a blank password?
>> I have tested with
>> ldapsearch -x -D "uid=someone,ou=people,dc=example,dc=com" -w ""
>> and get the same result as when using the correct password.
>>
>> If I use a wrong password I will get
>> ldap_bind: Invalid credentials (49)
>>
>> How can I disable bind with a blank password?
>>
>> Thanks
>> Nattapon
>
> I'm not an FDS expert, but as I have noticed, FDS will log you in anonymously
> if you enter no password... Try to make some changes in FDS without a
> password (i.e. change the office number of the user you have specified to bind).

Note that this is LDAP standard behavior - BIND with empty password does an anonymous bind, even if a BIND DN was given.

> If you don't want this, you need to disable access for anonymous users.

Access control uses the special BIND subject ldap:///anyone to mean anonymous users.

> A feature to disable anonymous binding altogether is planned for future
> versions. In the current version, all you need to/can do is disable the ACI for
> anonymous access. But be sure that no other utility uses anonymous
> access to LDAP, as i.e. pam and nss do by default.

Yes, we will be adding some features to disallow anonymous binds to an upcoming version.

> Radek
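
Added example, not part of the thread and not Fedora DS code: the bind behavior discussed above, shown at the protocol level. It decodes an LDAP simple BindRequest (BER layout from RFC 4511) and labels it with the RFC 4513 bind types, so a request with a DN but an empty password is flagged as "unauthenticated" rather than mistaken for a password check. Function names are hypothetical and the sample messages are constructed.

```python
# Added example: hypothetical function names, constructed sample messages.
def read_tlv(buf, pos):
    """Read one BER TLV at pos; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length

def classify_bind(message):
    """Return (kind, bind_dn) for an LDAPMessage that carries a BindRequest."""
    tag, body, _ = read_tlv(message, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, _, pos = read_tlv(body, 0)        # messageID
    tag, bind, _ = read_tlv(body, pos)
    if tag != 0x60:                      # [APPLICATION 0] BindRequest
        raise ValueError("not a BindRequest")
    _, _, pos = read_tlv(bind, 0)        # version
    _, name, pos = read_tlv(bind, pos)   # name (the bind DN)
    auth_tag, cred, _ = read_tlv(bind, pos)
    dn = name.decode("utf-8")
    if auth_tag != 0x80:                 # [0] simple; SASL and others not handled
        return "other", dn
    if cred:
        return "password", dn
    return ("unauthenticated" if dn else "anonymous"), dn

def tlv(tag, value=b""):
    """Encode one BER TLV; used only to build the constructed samples."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + value

def bind_request(dn, password):
    """Build an LDAPv3 simple BindRequest with messageID 1."""
    op = tlv(0x02, b"\x03") + tlv(0x04, dn.encode()) + tlv(0x80, password.encode())
    return tlv(0x30, tlv(0x02, b"\x01") + tlv(0x60, op))

if __name__ == "__main__":
    dn = "uid=someone,ou=people,dc=example,dc=com"
    for pw in ("", "secret"):
        print(repr(pw), classify_bind(bind_request(dn, pw)))
```

An application that treats a successful bind as proof of the user's password should refuse empty passwords before binding, because on a server that behaves as described in the thread an "unauthenticated" request succeeds with anonymous rights.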