====== FreeIPA Config Anonymous Binds ======
**General Information**
Anonymous binds can be disabled or re-enabled with the two ldapmodify scripts on this page. Both change the ''nsslapd-allow-anonymous-access'' attribute in ''cn=config'' of the 389 Directory Server instance behind FreeIPA, and both need a directory server restart afterwards.
More information from Red Hat: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/disabling-anon-binds
**Checklist**
* Distro(s): Enterprise Linux 6/7
* Other: [[http://www.unixmen.com/configure-freeipa-server-centos-7/|FreeIPA Server Installed]] (the scripts run on that server as root)
----
====== The Script: Disable Anon Binds ======
Disabling anonymous binds is a good security practice: LDAP-enabled applications then need a user account to retrieve directory information, so the directory contents (users, groups, hosts) are no longer readable by anyone who can reach port 389. The value ''rootdse'' used below still lets anonymous clients read the root DSE (server capabilities and supported controls, which some clients query before binding) but refuses every other anonymous search; ''off'' would reject the anonymous bind itself.
<code bash>
#!/bin/bash
# Name: config-disable-anonbinds.sh
# Description: Disable LDAP Anonymous (NULL Base) Binds
# Last Updated: 2017-09-05
# Recent Changes:-Initial release
###############################################################################################
##### Customize These Variables #####
# LDAP Connection Settings
# Note: a password stored here is readable by anyone who can read this file, and
# passing it with "-w" exposes it in the process list; "-W" (prompt) or "-y <file>"
# avoid both problems if the script is used interactively.
dmPass=directorymanagerpasswordhere
ldapHost=ldapserverhere.yourdomain.org
ldapUser='directory manager'
##### End of Customize Variables #####
#==================
# Main Starts Here
#==================
echo -e "================================================================================="
echo -e "####============ IPA: Disable LDAP Anonymous Binds (NULL BASE) =============####"
echo -e "================================================================================="
echo
echo -e "This script will disable LDAP Anonymous Binds. Service restart required after.\n"
echo -e "=>Continue?[y/n]:\c"
read -r run_script
if [[ "${run_script}" != "y" ]]; then
  echo -e "\n>>Will not run the script. Exiting..."
  exit 1
fi
## LDAP Modify ##
# "rootdse" keeps the root DSE readable anonymously (clients use it to discover
# server capabilities) but refuses every other anonymous search.
echo -e "\n>> Disabling LDAP Anonymous binds ..."
ldapmodify -D "cn=${ldapUser}" -w "${dmPass}" -p 389 -h "${ldapHost}" -x <<-END
dn: cn=config
changetype: modify
replace: nsslapd-allow-anonymous-access
nsslapd-allow-anonymous-access: rootdse
END
if [[ $? -ne 0 ]]; then
  echo -e "\n>> ldapmodify failed; the anonymous bind setting was not changed."
  exit 1
fi
# The change takes effect after a directory server restart, e.g. on EL7:
#   systemctl restart dirsrv.target
</code>
----
====== The Script: Enable Anon Binds ======
If you need to go back to anonymous binds, the script below reverts the setting to ''on''.
<code bash>
#!/bin/bash
# Name: config-enable-anonbinds.sh
# Description: Enable LDAP Anonymous (NULL Base) Binds
# Last Updated: 2017-09-05
# Recent Changes:-Initial release
###############################################################################################
##### Customize These Variables #####
# LDAP Connection Settings
# Note: see the disable script above; "-W" or "-y <file>" keep the password
# out of this file and out of the process list.
dmPass=directorymanagerpasswordhere
ldapHost=ldapserverhere.yourdomain.org
ldapUser='directory manager'
##### End of Customize Variables #####
#==================
# Main Starts Here
#==================
echo -e "================================================================================="
echo -e "####============ IPA: Enable LDAP Anonymous Binds (NULL BASE) =============####"
echo -e "================================================================================="
echo
echo -e "This script will enable LDAP Anonymous Binds. Service restart required after.\n"
echo -e "=>Continue?[y/n]:\c"
read -r run_script
if [[ "${run_script}" != "y" ]]; then
  echo -e "\n>>Will not run the script. Exiting..."
  exit 1
fi
## LDAP Modify ##
# "on" allows anonymous binds and anonymous searches (subject to the ACIs).
echo -e "\n>> Enabling LDAP Anonymous binds ..."
ldapmodify -D "cn=${ldapUser}" -w "${dmPass}" -p 389 -h "${ldapHost}" -x <<-END
dn: cn=config
changetype: modify
replace: nsslapd-allow-anonymous-access
nsslapd-allow-anonymous-access: on
END
if [[ $? -ne 0 ]]; then
  echo -e "\n>> ldapmodify failed; the anonymous bind setting was not changed."
  exit 1
fi
# The change takes effect after a directory server restart, e.g. on EL7:
#   systemctl restart dirsrv.target
</code>
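After running either script and restarting the directory server, it is worth checking what the server actually does rather than trusting the modify. The verification script below is an added example, not part of the original page and not an IPA or 389-ds tool. It probes the server anonymously twice, once against the root DSE and once against the directory tree, and classifies the outcome as ''full'', ''rootdse-only'' or ''none'', which correspond to the ''on'', ''rootdse'' and ''off'' values of ''nsslapd-allow-anonymous-access''. ''ldapsearch'' exits with the LDAP result code of the operation, so a refused anonymous operation shows up as exit status 48 (inappropriate authentication). The host name and base DN on the command line are hypothetical placeholders, and ''ldapsearch'' from openldap-clients is assumed to be installed.

```shell
#!/bin/bash
# Added verification example (not from the original page). Probes a directory
# server anonymously and reports which nsslapd-allow-anonymous-access state
# (on / rootdse / off) it behaves like.
# Usage (hostname and base DN are hypothetical placeholders):
#   ./verify-anonbinds.sh ldapserverhere.yourdomain.org dc=yourdomain,dc=org
# Assumes ldapsearch (openldap-clients) is installed.

# Expected anonymous behaviour for each configured value.
expected_anon_access() {
  case "$1" in
    on)      echo "full" ;;           # anonymous bind and searches allowed
    rootdse) echo "rootdse-only" ;;   # only the root DSE is readable anonymously
    off)     echo "none" ;;           # the anonymous bind itself is rejected
    *)       echo "unknown"; return 1 ;;
  esac
}

# Extract the configured value from an LDIF dump of cn=config, as returned by
#   ldapsearch -x -H ldap://HOST -D "cn=directory manager" -W \
#       -b cn=config -s base nsslapd-allow-anonymous-access
parse_anon_setting() {
  sed -n 's/^nsslapd-allow-anonymous-access: *//p' | tr 'A-Z' 'a-z'
}

# ldapsearch exits with the LDAP result code of the operation:
# 0 = search succeeded, 48 = inappropriate authentication (anonymous access refused).
interpret_probe() {
  case "$1" in
    0)  echo "allowed" ;;
    48) echo "refused" ;;
    *)  echo "error($1)" ;;   # e.g. 32 (no such object) or 127 (ldapsearch missing)
  esac
}

# Combine the two probe outcomes (root DSE, directory tree) into the effective
# state, using the same labels as expected_anon_access.
classify_anon_state() {
  rootdse_result="$1"; tree_result="$2"
  if [ "$rootdse_result" = allowed ] && [ "$tree_result" = allowed ]; then
    echo "full"
  elif [ "$rootdse_result" = allowed ] && [ "$tree_result" = refused ]; then
    echo "rootdse-only"
  elif [ "$rootdse_result" = refused ]; then
    echo "none"
  else
    echo "inconclusive"
  fi
}

# Run the two anonymous probes (-x without -D is an anonymous simple bind).
probe_server() {
  host="$1"; base="$2"
  ldapsearch -x -H "ldap://${host}" -b "" -s base "(objectClass=*)" >/dev/null 2>&1
  rc_root=$?
  ldapsearch -x -H "ldap://${host}" -b "${base}" -s base "(objectClass=*)" >/dev/null 2>&1
  rc_tree=$?
  classify_anon_state "$(interpret_probe "$rc_root")" "$(interpret_probe "$rc_tree")"
}

# Only probe when a host was given; sourcing the file just defines the functions.
if [ $# -ge 1 ]; then
  observed="$(probe_server "$1" "${2:-dc=yourdomain,dc=org}")"
  echo "Anonymous access observed on $1: ${observed}"
  if [ "${observed}" = "full" ]; then
    echo "WARNING: anonymous binds are still enabled."
  fi
fi
```

An ''inconclusive'' result usually means the tree probe failed for a reason unrelated to anonymous access (for example exit status 32 because the base DN does not exist, or 127 because ''ldapsearch'' is not installed); re-run with the correct base DN before drawing a conclusion. Comparing the observed state with ''expected_anon_access'' applied to the value read from ''cn=config'' (via ''parse_anon_setting'') catches the common case where the modify succeeded but the directory server was never restarted.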
----