[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

LDAP search without credetials


on my Debian8 slapd installation I can query the ldap-server without typing in any password. That isn't ok!?

At the dn: olcDatabase={1}mdb.ldif I found the following entry:

olcAccess: {2}to * by * read

I guess that gives read access to everyone without authentification.

It was pure coincidence that I tested a login without credentials! Cause a login with credentilas works as well.

Please change olcAccess: {2}to * by * read -> olcAccess: {2}to * by users read

After that, the login was denied:

ldap_bind: Server is unwilling to perform (53)
additional info: unauthenticated bind (DN with no password) disallowed

Here is a ldif for every one who likes to change it.

cat rights.ldif
dn: olcDatabase={1}mdb,cn=config
changetype: modify
delete: olcAccess
olcAccess: {2}to * by * read
add: olcAccess
olcAccess: {2}to * by users read

ldapmodify -Y EXTERNAL -H ldapi:/// -f rights.ldif


Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

Reply to: