How does AM 5.x and 6.x use anonymous access calls to DS?
The purpose of this article is to provide information on how AM uses anonymous access calls to DS. This is distinct from the anonymous user in AM.
1 reader recommends this article
Understanding anonymous access calls
AM uses heartbeats to monitor LDAP connections and the availability of the LDAP server; they are implemented as anonymous search requests targeted to the Root DSE entry. Heartbeats are the only way AM knows if an idle connection has been dropped by a firewall or load balancer.
AM uses anonymous search requests such as the following to achieve this:
SEARCH REQ conn=6 op=2468 msgID=2469 base="" scope=baseObject filter="(objectClass=*)" attrs="1.1"Note
These searches do not pose a security risk as they just check the Root DSE, which does not expose any sensitive information. See Security Guide › Reconsider Default Global Access Control for further information on the Root DSE.
Completely disabling anonymous access in DS prevents this SEARCH request from succeeding if AM uses heartbeats (which it does by default) and causes connections from AM to fail. Anonymous access is disabled as follows depending on version:
-
DS
6.5.x : use the set-global-configuration-prop with set unauthenticated-requests-policy:reject. - Pre-DS 6.5.x: use the set-global-configuration-prop with set reject-unauthenticated-requests:true.
See the following articles for examples of the issues caused when connections fail:
- AM 5.x or 6.x fails to connect to the user data store when anonymous access is disabled in DS
- Upgrade to AM 5.x or 6.x fails when anonymous access is disabled in DS
See Administration Guide › ACI: Disable Anonymous Access for information on the preferred way to prevent anonymous access in DS.
See Also
Authentication and Single Sign-On Guide › Configuring Authentication Modules
Setup and Maintenance Guide › Setting Up Identity Data Stores
Related Training
N/A
Related Issue Tracker IDs
N/A