Friday, June 25, 2010

Disallow anonymous access to Sun Directory Server

I received an email from my customer a week ago.

Even when a new instance is created, the default ACI allows anonymous to access this? Any ideas?

My reply below:

Yes, Sun Directory Server is built that way. It behaves like a sort of "Yellow Pages": in a corporate directory server, anyone can search for anyone by default, with the exception of the password attribute.

This page from IBM explains it better than I can.

Searching a directory is similar to looking up a name in the white or yellow pages of a telephone directory. If the name of a particular individual object is not known, the directory can be searched for a list of objects that meet a certain requirement.

So we know that, by default, the Directory Server is accessible anonymously.

How can we disable this function?

Very easy. I did the following for another customer of mine in Thailand.

  • Remove the following segment from 99user.ldif in the config/schema directory:

    dn: o=XXX
    aci: (target ="ldap:///o=XXX")(targetattr !="userPassword")
     (version 3.0;acl "Anonymous read-search access"; allow (read, search, compare) (userdn = "ldap:///anyone");)

Easy. But do remember to stop and start the Directory Server afterwards so the edited file is read.
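Before editing files by hand it helps to know every place an anonymous grant exists, since a suffix may carry more than one ACI. The script below is an added example (not from the post and not a Sun tool): it unfolds LDIF, picks out each aci value, flags those whose bind rule is userdn = "ldap:///anyone" together with an allow clause, and prints the ldapmodify change record that deletes exactly that value. The sample LDIF is constructed; it copies the ACI quoted in the post on the suffix o=XXX and adds an invented administrator ACI as a negative case. Note that "ldap:///anyone" covers anonymous binds, whereas "ldap:///all" matches only authenticated users, so the check deliberately looks for the former.

```python
"""Audit LDIF for ACIs that grant rights to anonymous (ldap:///anyone).

Added example for the post above; not part of Sun Directory Server.
"""
import re
from typing import Dict, List

# Constructed sample: first ACI mirrors the post, second is invented.
SAMPLE_LDIF = """\
dn: o=XXX
objectClass: top
objectClass: organization
o: XXX
aci: (target ="ldap:///o=XXX")(targetattr !="userPassword")
 (version 3.0;acl "Anonymous read-search access"; allow (read, search, compare)
  (userdn = "ldap:///anyone");)
aci: (target ="ldap:///o=XXX")(targetattr ="*")(version 3.0;acl "Admin full access";
 allow (all) (groupdn = "ldap:///cn=Administrators,o=XXX");)
"""

# Bind rule for the anonymous subject; ldap:///all is authenticated users only.
ANON_RULE = re.compile(r'userdn\s*=\s*"ldap:///anyone"', re.IGNORECASE)
ALLOW_CLAUSE = re.compile(r'allow\s*\(([^)]*)\)', re.IGNORECASE)
TARGETATTR = re.compile(r'targetattr\s*(!?=)\s*"([^"]*)"', re.IGNORECASE)


def unfold_ldif(text: str) -> List[str]:
    """Join LDIF continuation lines (leading space) onto the line before."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_entries(text: str) -> List[Dict]:
    """Return one dict per entry holding its dn and list of aci values."""
    entries: List[Dict] = []
    current = None
    for line in unfold_ldif(text):
        if not line.strip():          # blank line ends an entry
            current = None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = {"dn": value, "aci": []}
            entries.append(current)
        elif attr == "aci" and current is not None:
            current["aci"].append(value)
    return entries


def anonymous_grants(aci: str) -> List[str]:
    """Rights this ACI allows to anonymous, or [] if it grants none."""
    if not ANON_RULE.search(aci):
        return []
    rights: List[str] = []
    for m in ALLOW_CLAUSE.finditer(aci):
        rights.extend(r.strip() for r in m.group(1).split(","))
    return rights


def audit(text: str) -> List[Dict]:
    """Every (dn, aci) pair that lets anonymous do something."""
    findings = []
    for entry in parse_entries(text):
        for aci in entry["aci"]:
            rights = anonymous_grants(aci)
            if not rights:
                continue
            ta = TARGETATTR.search(aci)
            findings.append({
                "dn": entry["dn"],
                "aci": aci,
                "rights": rights,
                "targetattr": ta.group(1) + ta.group(2) if ta else "*",
            })
    return findings


def removal_ldif(finding: Dict) -> str:
    """ldapmodify record that deletes exactly this aci value (no restart needed)."""
    return (f"dn: {finding['dn']}\nchangetype: modify\n"
            f"delete: aci\naci: {finding['aci']}\n")


if __name__ == "__main__":
    for f in audit(SAMPLE_LDIF):
        print(f"{f['dn']}: anonymous may {', '.join(f['rights'])} "
              f"on attrs {f['targetattr']}")
        print(removal_ldif(f))
```

Run the generated record with the server's ldapmodify as the directory administrator (for example `ldapmodify -h host -p port -D "cn=Directory Manager" -w - -f remove-anon.ldif`); unlike editing the schema file, an ACI removed over LDAP takes effect immediately. Afterwards, an unauthenticated ldapsearch against the suffix should return no entries, which is the quickest confirmation that the change landed.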

