AM uses heartbeats to monitor LDAP connections and the availability of the LDAP server; they are implemented as anonymous search requests targeted to the Root DSE entry. Heartbeats are the only way AM knows if an idle connection has been dropped by a firewall or load balancer.
AM uses anonymous search requests such as the following to achieve this:
    SEARCH REQ conn=6 op=2468 msgID=2469 base="" scope=baseObject filter="(objectClass=*)" attrs="1.1"
These searches do not pose a security risk: they only read the Root DSE, which does not expose any sensitive information. See Security Guide › Reconsider Default Global Access Control for further information on the Root DSE.
Completely disabling anonymous access in DS prevents this SEARCH request from succeeding if AM uses heartbeats (which it does by default) and causes connections from AM to fail. Anonymous access is disabled as follows depending on version:
- DS 6.5.x: use the set-global-configuration-prop subcommand with --set unauthenticated-requests-policy:reject.
- Pre-DS 6.5.x: use the set-global-configuration-prop subcommand with --set reject-unauthenticated-requests:true.
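As an added example (not part of the original article), a Python check that scans DS access-log lines in the format quoted above, pairs each AM heartbeat search request with its result line, and reports heartbeats that did not succeed. The sample log lines are constructed; the result-line layout and the non-zero result code used for the rejected heartbeat are assumptions for illustration, since the article does not state which code DS returns when unauthenticated requests are rejected.

```python
import re

# Constructed sample in the legacy DS access-log format quoted above.
# ASSUMPTION: RES line layout and the result=50 on the rejected heartbeat are illustrative.
SAMPLE_LOG = """\
SEARCH REQ conn=6 op=2468 msgID=2469 base="" scope=baseObject filter="(objectClass=*)" attrs="1.1"
SEARCH RES conn=6 op=2468 msgID=2469 result=0 nentries=1 etime=0
SEARCH REQ conn=7 op=12 msgID=13 base="ou=people,dc=example,dc=com" scope=wholeSubtree filter="(uid=bjensen)" attrs="mail"
SEARCH RES conn=7 op=12 msgID=13 result=0 nentries=1 etime=1
SEARCH REQ conn=8 op=3 msgID=4 base="" scope=baseObject filter="(objectClass=*)" attrs="1.1"
SEARCH RES conn=8 op=3 msgID=4 result=50 nentries=0 etime=0
"""

LINE_RE = re.compile(r'SEARCH (REQ|RES) (.*)$')
# key=value pairs; quoted values may contain spaces and '=' (e.g. the filter).
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_search_line(line):
    """Return (kind, fields) for a SEARCH REQ/RES line, or None for other lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    fields = {}
    for key, raw in FIELD_RE.findall(m.group(2)):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return m.group(1), fields

def is_heartbeat(fields):
    """AM heartbeat: anonymous base-object search of the Root DSE asking for no attributes."""
    return (fields.get("base") == "" and fields.get("scope") == "baseObject"
            and fields.get("filter") == "(objectClass=*)" and fields.get("attrs") == "1.1")

def heartbeat_report(log_text):
    """Pair each heartbeat REQ with its RES (by conn/op) and flag non-zero results."""
    pending, total, failed = {}, 0, []
    for line in log_text.splitlines():
        parsed = parse_search_line(line)
        if not parsed:
            continue
        kind, f = parsed
        key = (f.get("conn"), f.get("op"))
        if kind == "REQ" and is_heartbeat(f):
            total += 1
            pending[key] = f
        elif kind == "RES" and key in pending:
            pending.pop(key)
            code = int(f.get("result", "0"))
            if code != 0:  # any non-zero result means AM's heartbeat did not succeed
                failed.append((key[0], key[1], code))
    return {"heartbeats": total, "failed": failed, "unanswered": sorted(pending)}
```

Run it against a real DS access log after changing the unauthenticated-requests setting; a non-empty "failed" list means AM's heartbeats are being rejected and its connections will drop.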
See the following articles for examples of the issues caused when connections fail:
- AM 5.x or 6.x fails to connect to the user data store when anonymous access is disabled in DS
- Upgrade to AM 5.x or 6.x fails when anonymous access is disabled in DS
See Administration Guide › ACI: Disable Anonymous Access for information on the preferred way to prevent anonymous access in DS.