Configuring LDAP
Anonymous bind
Anonymous bind is disabled on FreeIPA by default; however, anonymous access is not.
Check anonymous access
Check the current anonymous-access setting on the LDAP server:
ldapsearch -x -u -h ldap1.internal.virtnet -b cn=config "(cn=config)" nsslapd-allow-anonymous-access -W -D "cn=Directory Manager"
note
The password prompted for by -W is the Directory Manager password.
expected output
...
# config
dn: cn=config
ufn: config
nsslapd-allow-anonymous-access: on
# config, Account Policy Plugin, plugins, config
...
If nsslapd-allow-anonymous-access is set to on, anonymous bind needs to be secured.
Disable anonymous bind
On either LDAP server, change the anonymous access value to rootdse:
ldapmodify -x -D "cn=Directory Manager" -W -h ldap1.internal.virtnet -p 389 -ZZ
The terminal will then be blank, waiting for input. Enter the following and press Enter on an empty line to submit it:
input
dn: cn=config
changetype: modify
replace: nsslapd-allow-anonymous-access
nsslapd-allow-anonymous-access: rootdse
output
modifying entry "cn=config"
Once the output confirms the change, press ctrl+c to exit ldapmodify. Then restart the directory service on both servers:
systemctl restart dirsrv.target
Secure Connections
Require secure binds
Run the following command to set the nsslapd-require-secure-binds attribute:
ldapmodify -D "cn=Directory Manager" -W -x
input
dn: cn=config
changetype: modify
replace: nsslapd-require-secure-binds
nsslapd-require-secure-binds: on
output
modifying entry "cn=config"
Then restart the service on both servers:
systemctl restart dirsrv.target
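The two checks on this page (the anonymous-access lookup at the top and the require-secure-binds change just above) can be folded into one audit that reads the LDIF ldapsearch prints for cn=config and reports whether each attribute is in its secured state. The script below is an added example, not part of the original page or of FreeIPA; the LDIF samples are constructed to mirror the page's expected output, and the hostname ldap1.internal.virtnet in the commented live command is taken from the page.

```shell
#!/usr/bin/env bash
# Added audit helper (not from the original page): parses the LDIF that
# ldapsearch prints for cn=config and reports whether the two attributes this
# page hardens are in their secured state. Sample values are constructed.

# audit_ldap_config reads LDIF on stdin. For the top-level cn=config entry it
# prints
#   nsslapd-allow-anonymous-access=<value> <OK|WEAK|MISSING>
#   nsslapd-require-secure-binds=<value> <OK|WEAK|MISSING>
# and returns 0 only when both attributes are OK.
audit_ldap_config() {
    local line dn="" anon="" secure=""
    # Tolerate a final line without a trailing newline.
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            'dn: '*) dn="${line#dn: }" ;;
            # Only the top-level cn=config entry carries these settings; the
            # plugin entries beneath it (cn=...,cn=plugins,cn=config) are skipped.
            'nsslapd-allow-anonymous-access: '*)
                if [ "$dn" = "cn=config" ]; then anon="${line#*: }"; fi ;;
            'nsslapd-require-secure-binds: '*)
                if [ "$dn" = "cn=config" ]; then secure="${line#*: }"; fi ;;
        esac
    done

    local rc=0 status
    # Anonymous access: 'off' or 'rootdse' (root DSE only) is acceptable; 'on'
    # lets unauthenticated clients read the directory.
    case "$anon" in
        off|rootdse) status=OK ;;
        "")          status=MISSING; rc=1 ;;
        *)           status=WEAK; rc=1 ;;
    esac
    printf 'nsslapd-allow-anonymous-access=%s %s\n' "${anon:-<unset>}" "$status"

    # Secure binds: only 'on' refuses simple binds over cleartext connections.
    case "$secure" in
        on) status=OK ;;
        "") status=MISSING; rc=1 ;;
        *)  status=WEAK; rc=1 ;;
    esac
    printf 'nsslapd-require-secure-binds=%s %s\n' "${secure:-<unset>}" "$status"
    return "$rc"
}

# Constructed LDIF mirroring the page's expected output before hardening
# (as if both attributes had been requested in the search).
BEFORE_LDIF='dn: cn=config
nsslapd-allow-anonymous-access: on
nsslapd-require-secure-binds: off

dn: cn=config,cn=Account Policy Plugin,cn=plugins,cn=config
cn: config
'

# Constructed LDIF after both changes on this page have been applied.
AFTER_LDIF='dn: cn=config
nsslapd-allow-anonymous-access: rootdse
nsslapd-require-secure-binds: on
'

# Live usage against the page's server (assumed host; not run here):
#   ldapsearch -x -LLL -h ldap1.internal.virtnet -ZZ -b cn=config "(cn=config)" \
#     nsslapd-allow-anonymous-access nsslapd-require-secure-binds \
#     -W -D "cn=Directory Manager" | audit_ldap_config

if printf '%s' "$BEFORE_LDIF" | audit_ldap_config; then
    echo "cn=config is hardened"
else
    echo "cn=config still needs the changes described above"
fi
```

Because cn=config is read from each server individually, run the audit against every replica rather than only one of them; a MISSING result means the attribute was not returned by the search, so re-run with both attribute names listed before treating it as a finding.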