How to Disable Global Anonymous Bind in OpenLDAP cn=config Configuration



In legacy OpenLDAP configurations using slapd.conf, administrators could globally disable anonymous binding with these simple directives:

disallow bind_anon
require authc

With the dynamic cn=config backend, the same two settings are attributes of the cn=config entry (objectClass olcGlobal): olcDisallows and olcRequires. Both are needed. olcDisallows: bind_anon rejects anonymous bind requests, while olcRequires: authc refuses operations from a session that has not authenticated at all, which matters because LDAPv3 lets a client send searches without ever binding. Here's the step-by-step process.

First, create an LDIF file (disable_anon.ldif) with these contents. The two add operations belong to one modify and must be separated by a line containing only a hyphen:

dn: cn=config
changetype: modify
add: olcDisallows
olcDisallows: bind_anon
-
add: olcRequires
olcRequires: authc

Apply the changes with ldapmodify as root. SASL EXTERNAL over the ldapi:/// socket maps the local root process to the identity that the distribution default cn=config ACL allows to manage the configuration, so no password is needed:

ldapmodify -Y EXTERNAL -H ldapi:/// -f disable_anon.ldif

After applying the changes, verify the new settings. They take effect immediately, with no slapd restart, and the output should show both olcDisallows: bind_anon and olcRequires: authc on the cn=config entry:

ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config -s base olcDisallows olcRequires

If you need more granular control, olcRequires can also be set on a database entry, where it applies only to operations against that database; olcDisallows is a global-only attribute and cannot be moved to a database. The {1}mdb index below is the usual one for the first data database, but confirm it in your own cn=config tree before applying:

dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcRequires
olcRequires: authc

If you encounter problems after applying these changes:

  • Check the slapd log (olcLogLevel stats is enough) for the BIND and SRCH lines and the err= code on their RESULT lines
  • Verify SASL configuration if using external authentication
  • Ensure your ACLs still permit necessary operations: anything that previously worked only because of anonymous read access now needs an authenticated identity

While disabling anonymous binds improves security, remember to:

  • Require TLS (ldaps:// or StartTLS, enforced with olcSecurity) so that the credentials every client must now send are not exposed on the wire
  • Implement strong password policies, for example with the ppolicy overlay
  • Set appropriate access controls; require authc does not replace olcAccess rules, it only guarantees the requester has an identity for them to match
  • Monitor failed bind attempts (with olcLogLevel stats they appear as RESULT lines with err=49)

For those migrating from traditional slapd.conf configuration to OpenLDAP's dynamic cn=config system, security settings like anonymous bind restrictions require different handling. Where slapd.conf used two simple directives:

disallow bind_anon
require authc

the cn=config system carries the same settings as the olcDisallows and olcRequires attributes of the cn=config entry (objectClass olcGlobal), modified through LDIF operations.

Anonymous binds can expose sensitive directory information and should be restricted in production environments. The cn=config approach does not add restrictions that slapd.conf lacked; its advantage is that the change is applied at runtime, without restarting slapd, and can be read back from the server to confirm it is in force.

To globally disable anonymous binds in cn=config:

dn: cn=config
changetype: modify
add: olcDisallows
olcDisallows: bind_anon
-
add: olcRequires
olcRequires: authc

Apply this change using ldapmodify:

ldapmodify -Y EXTERNAL -H ldapi:/// -f disable_anonymous.ldif

After applying the change, test with:

ldapsearch -x -b "" -s base

Instead of the root DSE attributes you should see the anonymous simple bind fail with ldap_bind: Inappropriate authentication (48) and the additional info "anonymous bind disallowed"; the search never runs. The olcRequires: authc half covers the case this test cannot show: LDAPv3 lets a client send a search without ever binding, and require authc refuses such operations with an error result where disallow bind_anon alone would still answer them.
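Neither the ldapsearch -Y EXTERNAL read-back of cn=config nor the ldapsearch -x test above exercises the never-bound path, because the OpenLDAP tools always send a BindRequest first. The script below is an added check, not code from the original article or from the OpenLDAP project: it hand-encodes a root DSE SearchRequest in BER (RFC 4511 tags), sends it with no Bind at all, and decodes the LDAPResult, so you can confirm that olcRequires: authc is really in force. The default host and port, and the sample replies used to exercise the decoder offline, are constructed assumptions; the result code a hardened server returns is taken from those samples, not from a capture.

```python
"""Probe whether an LDAP server answers a search from a session that never bound.

Added example, not from the original article: LDAPv3 permits operations with
no BindRequest, so olcDisallows: bind_anon alone does not stop unauthenticated
reads; olcRequires: authc does.  Standard library only.  The default host/port
and the sample replies used for offline checking are constructed assumptions.
"""
import socket


def ber_len(n: int) -> bytes:
    """Definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(content)) + content


def ber_int(value: int, tag: int = 0x02) -> bytes:
    """Non-negative INTEGER/ENUMERATED; keeps a leading 0x00 when bit 7 is set."""
    return tlv(tag, value.to_bytes(value.bit_length() // 8 + 1, "big"))


def search_request(msg_id: int, base: bytes = b"",
                   attrs=(b"namingContexts", b"supportedSASLMechanisms")) -> bytes:
    """LDAPMessage carrying a baseObject search with filter (objectClass=*)."""
    body = (
        tlv(0x04, base)              # baseObject ("" = root DSE)
        + ber_int(0, 0x0A)           # scope: baseObject
        + ber_int(0, 0x0A)           # derefAliases: neverDerefAliases
        + ber_int(0) + ber_int(0)    # sizeLimit, timeLimit
        + tlv(0x01, b"\x00")         # typesOnly: FALSE
        + tlv(0x87, b"objectClass")  # filter: present [7] objectClass
        + tlv(0x30, b"".join(tlv(0x04, a) for a in attrs))
    )
    return tlv(0x30, ber_int(msg_id) + tlv(0x63, body))  # [APPLICATION 3]


def read_tlv(buf: bytes, pos: int):
    """Return (tag, content, next_pos); raise IndexError on a truncated element."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise IndexError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


def parse_search_response(data: bytes) -> dict:
    """Collect entry DNs and the final LDAPResult from a stream of LDAPMessages."""
    result = {"entries": [], "result_code": None, "diagnostic": ""}
    pos = 0
    while pos < len(data):
        _, msg, pos = read_tlv(data, pos)   # LDAPMessage SEQUENCE
        _, _, p = read_tlv(msg, 0)          # messageID
        op_tag, op, _ = read_tlv(msg, p)
        if op_tag == 0x64:                  # SearchResultEntry
            _, dn, _ = read_tlv(op, 0)
            result["entries"].append(dn.decode())
        elif op_tag == 0x65:                # SearchResultDone (LDAPResult)
            _, code, p = read_tlv(op, 0)
            _, _, p = read_tlv(op, p)       # matchedDN
            _, diag, _ = read_tlv(op, p)
            result["result_code"] = int.from_bytes(code, "big")
            result["diagnostic"] = diag.decode(errors="replace")
            break
    return result


def anonymous_read_allowed(result: dict) -> bool:
    """True when the never-bound session got a success result (resultCode 0)."""
    return result["result_code"] == 0


def probe_unbound_root_dse(host: str = "localhost", port: int = 389,
                           timeout: float = 5.0) -> dict:
    """Send the search with no prior BindRequest and decode the server's answer."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(search_request(1))
        data = b""
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                break
            data += chunk
            try:
                if parse_search_response(data)["result_code"] is not None:
                    break
            except IndexError:
                continue                     # partial message, keep reading
        sock.sendall(tlv(0x30, ber_int(2) + tlv(0x42, b"")))  # UnbindRequest
    return parse_search_response(data)


def sample_response(hardened: bool) -> bytes:
    """Constructed replies (not captured traffic) for checking the decoder offline."""
    if hardened:  # assumed: server refuses with an error LDAPResult and no entry
        done = ber_int(53, 0x0A) + tlv(0x04, b"") + tlv(0x04, b"authentication required")
        return tlv(0x30, ber_int(1) + tlv(0x65, done))
    vals = tlv(0x31, tlv(0x04, b"dc=example,dc=com"))
    attrs = tlv(0x30, tlv(0x30, tlv(0x04, b"namingContexts") + vals))
    entry = tlv(0x30, ber_int(1) + tlv(0x64, tlv(0x04, b"") + attrs))
    done = tlv(0x30, ber_int(1) + tlv(0x65, ber_int(0, 0x0A) + tlv(0x04, b"") * 2))
    return entry + done


if __name__ == "__main__":
    import sys
    outcome = probe_unbound_root_dse(sys.argv[1] if len(sys.argv) > 1 else "localhost")
    if anonymous_read_allowed(outcome):
        print("unbound search answered: require authc is NOT in effect")
    else:
        print(f"unbound search refused: {outcome['result_code']} {outcome['diagnostic']}")
```

Run it against the server's plain ldap:// port from a host that is allowed to reach it; a non-zero result code with no entries means the unbound session was refused, while a successful root DSE read means only the bind path was closed. The probe deliberately uses no LDAP client library, since every such library would bind on your behalf and hide the case the check is meant to expose.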

For more granular control, olcRequires can also be set per database (olcDisallows cannot; it is global only), again confirming the database index in your own cn=config tree before applying:

dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcRequires
olcRequires: authc

If changes don't take effect:

  • Check slapd debug output by stopping the service and running it in the foreground with slapd -d -1 (or the far less noisy slapd -d stats)
  • Verify that the configuration directory parses with slaptest -v -F pointing at your slapd.d directory
  • Ensure you're modifying the correct configuration branch: the global attributes belong on cn=config itself, and an olcRequires placed on a database entry covers only that database