Even when a new instance is created, the default ACI allows anonymous to access this? Any ideas?
My reply below:
Yes, Sun Directory Server is built as-such. It behaves like a "Yellow Pages" sort-of. E.g. In a corporate directory server, anyone can search for anyone by default, with the exception of password.
This site from IBM explains better than me.
Searching a directory is similar to looking up a name in the white or yellow pages of a telephone directory. If the name of a particular individual object is not known, the directory can be searched for a list of objects that meet a certain requirement.
So we know that, by default, the Directory Server is accessible anonymously.
How can we disable this function?
Very easy. I did the following for another customer of mine in Thailand.
- Remove the following segment in 99user.ldif in the config/schema directory
dn: o=XXX aci: (target ="ldap:///o=XXX")(targetattr !="userPassword")
(version 3.0;acl "Anonymous read-search access"; allow (read, search, compare) (userdn = "ldap:///anyone");)
(version 3.0;acl "Anonymous read-search access"; allow (read, search, compare) (userdn = "ldap:///anyone");)
Easy. But do remember to stop/start the Directory Server.
.
No comments:
Post a Comment