How to disable anonymous read on OpenLDAP using cn=config

Question

I am a newbie with openldap 2.4 and I need to restrict read access to anonymous. Actually, if someone write ldapsearch -x -H ldap://myipaddrr he can see all entries of my HDB database.

How can I solve this using cn=config (dynamic configuration). By default there is a lot of olcAccess setup...

thank you

Of course I have read the manual twice but the offical document is too complicated... — Cyrill Gremaud, Jan 27 '15 at 15:22
Maybe there is some similar question on serverfault http://serverfault.com/questions/325912/disallow-global-anonymous-bind-with-cn-config — NoNoNo, Jan 27 '15 at 15:27

score 0 · Answer 1 · edited Feb 28 '15 at 01:29

I have found a solution.

dn: cn=config
changetype: modify
add: olcDisallows
olcDisallows: bind_anon
-

dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: olcRequires
olcRequires: authc

Now, when someone try to read data with ldapsearch -x -H ldap://myipaddrr , he can't and receive this error message:

ldap_bind: Inappropriate authentication (48)
    additional info: anonymous bind disallowed

How to disable anonymous read on OpenLDAP using cn=config

1 Answers1