FreeIPA Config Anonymous Binds
General Information
Anonymous binds can be disabled or re-enabled with the two ldapmodify scripts on this page. Both change the nsslapd-allow-anonymous-access attribute on cn=config.
More information from Red Hat: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/disabling-anon-binds
Checklist
- Distro(s): Enterprise Linux 6/7
- Other: FreeIPA Server Installed (script runs there)
The Script: Disable Anon Binds
Disabling anonymous binds is a good security practice. LDAP-enabled applications will then require a user account (bind DN and password) to retrieve LDAP information. The script below sets nsslapd-allow-anonymous-access to rootdse, which still allows anonymous reads of the root DSE (needed by clients for server discovery) but nothing else.
- config-disable-anonbinds.sh
#!/bin/bash
# Name: config-disable-anonbinds.sh
# Description: Disable LDAP Anonymous (NULL Base) Binds
# Last Updated: 2017-09-05
# Recent Changes:-Initial release
###############################################################################################
##### Customize These Variables #####
# LDAP Connection Settings
dmPass=directorymanagerpasswordhere
ldapHost=ldapserverhere.yourdomain.org
ldapUser='directory manager'
##### End of Customize Variables #####

#==================
# Main Starts Here
#==================
echo -e "================================================================================="
echo -e "####============ IPA: Disable LDAP Anonymous Binds (NULL BASE) =============####"
echo -e "================================================================================="
echo
echo -e "This script will disable LDAP Anonymous Binds. Service restart required after.\n"
echo -e "=>Continue?[y/n]:\c"
read run_script
if [[ ${run_script} != "y" ]]; then
    echo -e "\n>>Will not run the script. Exiting..."
    exit 1
fi

## LDAP Modify ##
# Bind as Directory Manager and limit anonymous access to the root DSE only.
# Variables are quoted so a password or host containing spaces does not break the command.
echo -e "\n>> Disabling LDAP Anonymous binds ..."
ldapmodify -D "cn=${ldapUser}" -w "${dmPass}" -p 389 -h "${ldapHost}" -x <<END
dn: cn=config
changetype: modify
replace: nsslapd-allow-anonymous-access
nsslapd-allow-anonymous-access: rootdse
END
The Script: Enable Anon Binds
If you need to go back to anonymous binds, the following script sets nsslapd-allow-anonymous-access back to on.
- config-enable-anonbinds.sh
#!/bin/bash
# Name: config-enable-anonbinds.sh
# Description: Enable LDAP Anonymous (NULL Base) Binds
# Last Updated: 2017-09-05
# Recent Changes:-Initial release
###############################################################################################
##### Customize These Variables #####
# LDAP Connection Settings
dmPass=directorymanagerpasswordhere
ldapHost=ldapserverhere.yourdomain.org
ldapUser='directory manager'
##### End of Customize Variables #####

#==================
# Main Starts Here
#==================
echo -e "================================================================================="
echo -e "####============ IPA: Enable LDAP Anonymous Binds (NULL BASE) =============####"
echo -e "================================================================================="
echo
echo -e "This script will enable LDAP Anonymous Binds. Service restart required after.\n"
echo -e "=>Continue?[y/n]:\c"
read run_script
if [[ ${run_script} != "y" ]]; then
    echo -e "\n>>Will not run the script. Exiting..."
    exit 1
fi

## LDAP Modify ##
# Bind as Directory Manager and allow anonymous access again.
# Variables are quoted so a password or host containing spaces does not break the command.
echo -e "\n>> Enabling LDAP Anonymous binds ..."
ldapmodify -D "cn=${ldapUser}" -w "${dmPass}" -p 389 -h "${ldapHost}" -x <<END
dn: cn=config
changetype: modify
replace: nsslapd-allow-anonymous-access
nsslapd-allow-anonymous-access: on
END
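After running either script, you will want to confirm what the server actually reports. The following is an added verification helper, not part of the original page's scripts: it reads nsslapd-allow-anonymous-access from cn=config with an authenticated ldapsearch and classifies the value (on, rootdse, off). The function names and the sample LDIF are assumptions constructed for this example; the connection variables mirror the ones used by the page's scripts.

```bash
#!/bin/bash
# Added example (not from the original page): verify the anonymous-bind setting
# on a FreeIPA / 389-ds server after config-disable-anonbinds.sh or
# config-enable-anonbinds.sh has been run. Helper names are hypothetical.

# Classify the LDIF on stdin by its nsslapd-allow-anonymous-access value.
# Prints one of: open, rootdse-only, closed, unknown
anon_bind_state() {
    local value
    value=$(grep -i '^nsslapd-allow-anonymous-access:' | head -n1 \
            | cut -d: -f2- | tr -d '[:space:]' | tr 'A-Z' 'a-z')
    case "$value" in
        on)      echo "open" ;;          # anyone may search without binding
        rootdse) echo "rootdse-only" ;;  # the page's hardened setting
        off)     echo "closed" ;;        # no anonymous access, not even root DSE
        *)       echo "unknown" ;;       # attribute absent or unrecognised
    esac
}

# Query the live server as Directory Manager (same credentials the page's
# scripts use) and classify the result. Usage: check_server host 'directory manager' password
check_server() {
    local ldapHost="$1" ldapUser="$2" dmPass="$3"
    ldapsearch -x -LLL -H "ldap://${ldapHost}" -D "cn=${ldapUser}" -w "${dmPass}" \
        -b cn=config -s base nsslapd-allow-anonymous-access | anon_bind_state
}

# Constructed sample of what ldapsearch returns once the disable script has run.
SAMPLE_AFTER_DISABLE='dn: cn=config
nsslapd-allow-anonymous-access: rootdse
'

# Offline demonstration on the constructed sample; prints "rootdse-only".
printf '%s' "$SAMPLE_AFTER_DISABLE" | anon_bind_state
```

Run check_server against the IPA server to see the live value; anything other than rootdse-only after the disable script means the modification did not apply.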