When running ldapsearch -x (simple bind) against OpenLDAP without supplying a bind DN or password, the directory may still return data, because the default configuration permits anonymous binds. This is a security weakness, particularly when LDAP is exposed to internet-facing services.
For Debian Lenny and newer systems using OpenLDAP's slapd, we need to modify the access control in slapd.conf or the newer cn=config system:
# Method 1: Traditional slapd.conf approach
access to *
    by dn.exact="cn=admin,dc=example,dc=com" write
    by * none

# Method 2: Using dynamic configuration (cn=config)
dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.exact="cn=admin,dc=example,dc=com" write by * none
After making changes, restart slapd and test with:
ldapsearch -x -LLL -b "dc=example,dc=com"
# Should return: ldap_bind: Invalid credentials (49)
Combine this with TLS configuration:
# In slapd.conf
TLSCertificateFile /etc/ssl/certs/slapd.pem
TLSCertificateKeyFile /etc/ssl/private/slapd.key
TLSCACertificateFile /etc/ssl/certs/ca.pem
# Require secure binds
security tls=1 simple_bind=128
If changes don't take effect:
- Verify the config file location (modern systems may use /etc/ldap/slapd.d)
- Check syntax with slaptest -f /etc/ldap/slapd.conf
- Confirm slapd is running with the correct config using ps aux | grep slapd
When running a default OpenLDAP installation, you might notice that simple queries like this still return data without authentication:
ldapsearch -x -b 'dc=example,dc=com' -H ldap://localhost
This occurs because OpenLDAP allows anonymous binds by default: the olcDisallows: bind_anon directive that blocks them is absent unless you add it, or has been set incorrectly.
For modern OpenLDAP installations using cn=config, you'll need to modify the configuration through LDIF files. Here's the proper method (save the following as disable_anon.ldif):
dn: cn=config
changetype: modify
add: olcDisallows
olcDisallows: bind_anon
Apply this change using:
ldapmodify -Y EXTERNAL -H ldapi:/// -f disable_anon.ldif
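To confirm from the defender's side that the change actually landed, the following added Python script (not part of the original page and not OpenLDAP's own tooling) reads a cn=config LDIF export, such as the output of slapcat -n 0, checks that cn=config carries olcDisallows: bind_anon, and flags any olcAccess value that grants read-or-better to "*" or "anonymous". The two LDIF samples are constructed for the example; the {n} ordering prefixes and the folded continuation line are the real cn=config conventions the parser has to cope with.

```python
import re
from typing import Dict, List

ORDER_PREFIX = re.compile(r"^\{\d+\}")           # cn=config value ordering, e.g. {0}
BY_CLAUSE = re.compile(r"\bby\s+(\S+)\s+(\S+)")  # 'by <who> <level>' inside an olcAccess value
EXPOSING = {"compare", "search", "read", "write", "manage"}  # levels that reveal data


def parse_ldif(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Minimal LDIF reader: entries separated by blank lines, folded continuation
    lines (leading space) re-joined, values kept in order, attribute names
    lower-cased. Base64 ('::') values are not needed for the attributes checked here."""
    entries: Dict[str, Dict[str, List[str]]] = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        lines: List[str] = []
        for raw in block.splitlines():
            if raw.startswith("#"):
                continue
            if raw.startswith(" ") and lines:
                lines[-1] += raw[1:]          # LDIF folding: drop the one marker space
            else:
                lines.append(raw)
        attrs: Dict[str, List[str]] = {}
        for line in lines:
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        entries[attrs.pop("dn")[0]] = attrs
    return entries


def audit_config(ldif_text: str) -> List[str]:
    """Findings that indicate anonymous clients could still bind or read data."""
    findings: List[str] = []
    entries = parse_ldif(ldif_text)
    if "bind_anon" not in entries.get("cn=config", {}).get("olcdisallows", []):
        findings.append("cn=config: olcDisallows lacks bind_anon (anonymous binds permitted)")
    for dn, attrs in entries.items():
        if not dn.lower().startswith("olcdatabase="):
            continue
        for value in attrs.get("olcaccess", []):
            rule = ORDER_PREFIX.sub("", value)
            for who, level in BY_CLAUSE.findall(rule):
                # Conservative lint: flags the clause even if an earlier clause would shadow it.
                if who in ("*", "anonymous") and level in EXPOSING:
                    findings.append(f"{dn}: '{rule}' grants {level} to {who}")
    return findings


# Constructed samples standing in for 'slapcat -n 0' output, before and after
# applying the olcDisallows change. The folded olcAccess line in BEFORE
# (continuation line starts with a space) exercises the unfolding logic.
BEFORE = """\
dn: cn=config
objectClass: olcGlobal
cn: config

dn: olcDatabase={1}hdb,cn=config
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcSuffix: dc=example,dc=com
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {1}to * by users read
  by * read
"""
AFTER = BEFORE.replace("cn: config\n", "cn: config\nolcDisallows: bind_anon\n").replace(
    "by users read\n  by * read", "by users read by * none")

if __name__ == "__main__":
    for label, sample in ("before", BEFORE), ("after", AFTER):
        print(label, audit_config(sample) or ["no findings"])
```

Run against a real export, replace the embedded samples with the file contents; a clean run reports no findings, while the BEFORE sample reports both the missing bind_anon and the "by * read" clause.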
For older systems still using flat configuration files, add these directives to /etc/ldap/slapd.conf:
disallow bind_anon
require authc
Then restart slapd:
/etc/init.d/slapd restart
After making changes, verify that anonymous access is truly disabled:
ldapsearch -x -b 'dc=example,dc=com' -H ldap://localhost
You should now receive an error message similar to:
ldap_bind: Invalid credentials (49)
For more granular control, consider these ACL examples in your slapd configuration:
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none
access to *
    by users read
    by anonymous none
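Because slapd evaluates ACLs in order (the first matching "access to" directive is selected, then the first matching "by" clause inside it decides, and later directives are never consulted), it is easy to write rules that look right but leak data or break logins. The following added Python model, which is not slapd's own code and covers only the syntax used on this page ("to *", "to attrs=...", and "by self|anonymous|users|dn.exact=...|*" with the standard access levels), replays that evaluation over the granular ACL above and over the same two directives with the catch-all placed first. The DNs uid=alice and uid=bob are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional

# slapd access levels from weakest to strongest; granting one implies all below it.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


@dataclass
class By:
    who: str    # "*", "anonymous", "users", "self" or 'dn.exact="<dn>"'
    level: str  # one of LEVELS


@dataclass
class Rule:
    what: str   # "*" or "attrs=<name>[,<name>...]"
    by: List[By]


def parse_acl(text: str) -> List[Rule]:
    """Parse multi-line slapd.conf 'access to ... / by ...' directives."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("access to "):
            rules.append(Rule(line[len("access to "):].strip(), []))
        elif line.startswith("by ") and rules:
            _, who, level = line.split(None, 2)
            if level not in LEVELS:
                raise ValueError(f"unknown access level {level!r}")
            rules[-1].by.append(By(who, level))
        else:
            raise ValueError(f"unsupported or misplaced directive: {line!r}")
    return rules


def _what_matches(what: str, attr: Optional[str]) -> bool:
    if what == "*":
        return True
    if what.startswith("attrs="):
        wanted = {a.strip().lower() for a in what[len("attrs="):].split(",")}
        return attr is not None and attr.lower() in wanted
    raise ValueError(f"unsupported <what>: {what!r}")


def _who_matches(who: str, bind_dn: Optional[str], entry_dn: str) -> bool:
    # bind_dn is None for an anonymous client.
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    if who == "self":
        return bind_dn is not None and bind_dn.lower() == entry_dn.lower()
    if who.startswith("dn.exact="):
        target = who[len("dn.exact="):].strip('"').lower()
        return bind_dn is not None and bind_dn.lower() == target
    raise ValueError(f"unsupported <who>: {who!r}")


def granted_level(rules: List[Rule], bind_dn: Optional[str],
                  entry_dn: str, attr: Optional[str] = None) -> str:
    """First matching 'access to' wins; inside it the first matching 'by' decides.
    No matching 'by' means none, and later directives are not consulted."""
    for rule in rules:
        if _what_matches(rule.what, attr):
            for by in rule.by:
                if _who_matches(by.who, bind_dn, entry_dn):
                    return by.level
            return "none"
    # Nothing matched. Real slapd applies its own defaults here; this model denies,
    # so always keep an explicit catch-all 'access to *' last, as this page does.
    return "none"


def allows(granted: str, needed: str) -> bool:
    return LEVELS.index(granted) >= LEVELS.index(needed)


def anonymous_readable(rules: List[Rule], entry_dn: str, attrs: List[str]) -> List[str]:
    """Attributes of entry_dn that an unauthenticated client could read."""
    return [a for a in attrs if allows(granted_level(rules, None, entry_dn, a), "read")]


# Constructed examples: the granular ACL from this page, and the same two
# directives with the catch-all placed first (a common ordering mistake).
GRANULAR_ACL = """
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none
access to *
    by users read
    by anonymous none
"""
CATCHALL_FIRST_ACL = """
access to *
    by users read
    by anonymous none
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none
"""
ALICE = "uid=alice,ou=people,dc=example,dc=com"   # constructed DNs
BOB = "uid=bob,ou=people,dc=example,dc=com"


def audit(acl_text: str) -> dict:
    """Summarise what anonymous and authenticated clients get on Alice's entry."""
    rules = parse_acl(acl_text)
    pw = lambda who: granted_level(rules, who, ALICE, "userPassword")
    return {
        "anonymous_readable": anonymous_readable(rules, ALICE, ["cn", "mail", "userPassword"]),
        "anonymous_can_bind": allows(pw(None), "auth"),  # simple bind needs auth on userPassword
        "alice_writes_own_password": allows(pw(ALICE), "write"),
        "bob_reads_alice_password": allows(pw(BOB), "read"),
    }
```

Running audit(GRANULAR_ACL) shows no attribute readable anonymously, anonymous "auth" on userPassword (so users can still perform a simple bind), and Bob unable to read Alice's password. With the catch-all first, the userPassword directive is dead code: Bob can read Alice's password hash, Alice can no longer change her own, and anonymous clients lose the "auth" access that a simple bind needs. The same reasoning applies to the first ACL on this page ("by * none" for everyone but the admin DN): only the rootdn, which bypasses ACLs, can bind at all, so add a "by anonymous auth" clause on userPassword if ordinary accounts must log in.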
If changes don't take effect:
- Verify syntax with slaptest -f /etc/ldap/slapd.conf
- Check logs at /var/log/syslog or /var/log/ldap.log
- Ensure no duplicate configurations exist in both slapd.conf and cn=config