Wednesday, June 3, 2009

Sun Directory Server: Disallow anonymous access

This week, I am in Bangkok providing consultancy to a local Thai bank.

I deployed Sun Directory Servers with Multi-Master Replication ("MMR") for them some time back. This trip is to fine-tune the deployment. They asked me to disallow anonymous access to their Enterprise Directory Service.

By default, Sun Directory Server allows anonymous read-search access out of the box, through this ACI on the suffix entry (here o=isp):

(target ="ldap:///o=isp")(targetattr !="userPassword")(version 3.0;acl "Anonymous read-search access";allow (read, search, compare)(userdn = "ldap:///anyone");)


Note: it does not allow reading of the userPassword attribute, though. Everything else in the suffix is readable by anyone who can reach the LDAP port, without binding.

Here we go. The fix is to delete that ACI value from the suffix entry with ldapmodify:

bash-3.00# ldapmodify -D "cn=Directory Manager" -w password
dn: o=isp
changetype: modify
delete: aci
aci: (target ="ldap:///o=isp")(targetattr !="userPassword")
 (version 3.0;acl "Anonymous read-search access";
 allow (read, search, compare)
 (userdn = "ldap:///anyone");)

Note: the last three lines are LDIF continuation lines and must each start with a single space, so that the value unfolds to exactly the ACI shown above. ldapmodify only deletes a value that matches byte for byte, so copy the ACI verbatim. Passing -w password on the command line exposes the Directory Manager password in the process list and shell history; prefer reading it from a file or a prompt. Because the aci is an ordinary attribute of the o=isp entry, the deletion replicates to the other masters like any other change. Afterwards, an anonymous ldapsearch against o=isp should return no entries.
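The same check, done offline against an LDIF export of the aci attribute rather than by eyeballing the ACI, as an added example that is not part of the original post or of the Sun product: it unfolds the LDIF, parses each ACI's permission statements, flags every allow whose bind rule names ldap:///anyone (ldap:///all only matches authenticated binds), and emits the ldapmodify input that deletes exactly that value with RFC 2849 folding. The sample export is constructed here; the first aci is the default one quoted above, the other two are made up for illustration.

```python
"""Audit Sun Directory Server ACIs for anonymous grants and generate the
ldapmodify LDIF that removes them.

Added example for this post; not code from the original post or from the
Sun/Oracle product. It works offline on an LDIF export of aci values and
never contacts a server.
"""
import re

# Constructed sample export. The first aci is the default quoted in the post;
# the other two are made up. Continuation lines start with one space, the
# LDIF folding the post's note refers to.
SAMPLE_LDIF = """\
dn: o=isp
aci: (target ="ldap:///o=isp")(targetattr !="userPassword")
 (version 3.0;acl "Anonymous read-search access";
 allow (read, search, compare)
 (userdn = "ldap:///anyone");)
aci: (targetattr ="*")(version 3.0;acl "Self write";allow (write)
 (userdn = "ldap:///self");)
aci: (targetattr ="*")(version 3.0;acl "Authenticated read";
 allow (read, search, compare)(userdn = "ldap:///all");)
"""

# ldap:///anyone matches unauthenticated binds; ldap:///all matches only
# authenticated ones, so only the former is an anonymous grant.
ANYONE = "ldap:///anyone"
ACL_NAME = re.compile(r'acl\s+"([^"]*)"\s*;')
PERMISSION = re.compile(r'^\s*(allow|deny)\s*\(([^)]*)\)\s*(.*?)\s*$')
USERDN_EQ = re.compile(r'userdn\s*=\s*"([^"]*)"')


def unfold_ldif(text):
    """Join LDIF continuation lines (leading single space) onto their parent."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def aci_values(ldif_text):
    """Yield (dn, aci_value) pairs from an LDIF export."""
    dn = None
    for line in unfold_ldif(ldif_text):
        if line.startswith("dn:"):
            dn = line[3:].strip()
        elif line.startswith("aci:"):
            yield dn, line[4:].strip()


def permission_statements(aci):
    """Return (acl_name, [(allow|deny, [rights], bind_rule), ...]).
    Statements are split on ';', which assumes no ';' inside bind-rule DNs."""
    m = ACL_NAME.search(aci)
    if not m:
        raise ValueError("no acl name in: " + aci)
    body = aci[m.end():].rstrip()
    if body.endswith(")"):          # closing paren of the ACI body
        body = body[:-1]
    statements = []
    for stmt in filter(None, (s.strip() for s in body.split(";"))):
        pm = PERMISSION.match(stmt)
        if pm:
            rights = [r.strip() for r in pm.group(2).split(",") if r.strip()]
            statements.append((pm.group(1), rights, pm.group(3)))
    return m.group(1), statements


def find_anonymous_grants(ldif_text):
    """List every ACI that allows any right to ldap:///anyone."""
    found = []
    for dn, aci in aci_values(ldif_text):
        name, statements = permission_statements(aci)
        for kind, rights, bind_rule in statements:
            if kind == "allow" and ANYONE in USERDN_EQ.findall(bind_rule):
                found.append({"dn": dn, "acl": name, "rights": rights,
                              "bind_rule": bind_rule, "aci": aci})
    return found


def fold_ldif_line(line, width=76):
    """Fold one logical line as RFC 2849 does: continuation lines start with
    a single space, which the parser strips when unfolding."""
    out, rest = [line[:width]], line[width:]
    while rest:
        out.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return out


def delete_aci_ldif(dn, aci):
    """ldapmodify input that removes exactly this aci value (same shape as
    the post's input; the value must match the stored one byte for byte)."""
    lines = ["dn: " + dn, "changetype: modify", "delete: aci"]
    lines += fold_ldif_line("aci: " + aci)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for g in find_anonymous_grants(SAMPLE_LDIF):
        print('# %s: "%s" allows %s to %s' % (
            g["dn"], g["acl"], ",".join(g["rights"]), g["bind_rule"]))
        print(delete_aci_ldif(g["dn"], g["aci"]))
```

Run against a real export of your suffixes' aci values and feed the printed LDIF to ldapmodify after reviewing it; ACIs whose bind rule combines ldap:///anyone with other conditions (ip, authmethod, dayofweek) are still reported, with the full bind rule, so you can decide case by case.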

