
16.2. Disabling Anonymous Binds

Accessing domain resources and running client tools always require Kerberos authentication. However, the backend LDAP directory used by the FreeIPA server allows anonymous binds by default. This potentially opens up all of the domain configuration to unauthorized users, including information about users, machines, groups, services, netgroups, and DNS configuration.
It is possible to disable anonymous binds on the 389 Directory Server instance by using LDAP tools to reset the nsslapd-allow-anonymous-access attribute.
  1. Change the nsslapd-allow-anonymous-access attribute to off. The -W option prompts for the Directory Manager password (which is what the Enter LDAP Password: line below shows) instead of passing it on the command line, where it would be visible in the process list and shell history.
    ldapmodify -x -W -D "cn=Directory Manager" -h server.example.com -p 389
    
    Enter LDAP Password:
    dn: cn=config
    changetype: modify
    replace: nsslapd-allow-anonymous-access
    nsslapd-allow-anonymous-access: off
    
  2. Restart the 389 Directory Server instance to load the new setting.
    service dirsrv restart
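As an added example that is not part of the FreeIPA documentation, the POSIX shell script below performs the two steps above with the password prompted interactively and then verifies that an unauthenticated search is refused. It assumes the OpenLDAP client tools (ldapmodify, ldapsearch) and two hypothetical environment variables, IPA_SERVER and IPA_BASEDN.

```shell
#!/bin/sh
# Added example, not from the FreeIPA documentation: disable anonymous binds
# on the FreeIPA 389 DS instance and verify the result. Assumes the OpenLDAP
# client tools and the hypothetical IPA_SERVER / IPA_BASEDN variables.
set -eu

# Emit the LDIF that sets nsslapd-allow-anonymous-access to "$1".
# 389 DS accepts on, off and rootdse; rootdse leaves only the root DSE readable
# anonymously so clients can still discover supported SASL mechanisms.
anon_access_ldif() {
    printf 'dn: cn=config\nchangetype: modify\n'
    printf 'replace: nsslapd-allow-anonymous-access\n'
    printf 'nsslapd-allow-anonymous-access: %s\n' "$1"
}

# Read LDIF on stdin and print the attribute's value (empty if it is absent).
parse_anon_access() {
    sed -n 's/^nsslapd-allow-anonymous-access: *//p' | head -n 1
}

# Read the live value as Directory Manager. -W prompts for the password so it
# never appears in ps(1) output or shell history the way "-w secret" would.
current_anon_access() {
    ldapsearch -x -LLL -W -D "cn=Directory Manager" -H "ldap://$1" \
        -b cn=config -s base nsslapd-allow-anonymous-access | parse_anon_access
}

# Succeeds only if an anonymous base search of "$2" on server "$1" is refused.
anon_search_rejected() {
    if ldapsearch -x -H "ldap://$1" -b "$2" -s base >/dev/null 2>&1; then
        return 1
    fi
}

if [ "${1:-}" = "apply" ]; then
    server=${IPA_SERVER:?set IPA_SERVER to the FreeIPA server host name}
    base=${IPA_BASEDN:?set IPA_BASEDN, e.g. dc=example,dc=com}
    echo "before: nsslapd-allow-anonymous-access=$(current_anon_access "$server")"
    anon_access_ldif off | ldapmodify -x -W -D "cn=Directory Manager" -H "ldap://$server"
    service dirsrv restart    # step 2 of the procedure above
    echo "after:  nsslapd-allow-anonymous-access=$(current_anon_access "$server")"
    if anon_search_rejected "$server" "$base"; then
        echo "OK: anonymous search against $base is refused"
    else
        echo "WARNING: anonymous search against $base still succeeds" >&2
        exit 1
    fi
fi
```

Run it as `sh disable_anon.sh apply` on the FreeIPA server; without the `apply` argument it only defines the functions.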