Does not apply to Identity Cloud

How does AM 6.x use anonymous access calls to DS?

Last updated Jan 12, 2023

The purpose of this article is to provide information on how AM uses anonymous access calls to DS. This is distinct from the anonymous user in AM.


Understanding anonymous access calls

AM uses heartbeats to monitor LDAP connections and the availability of the LDAP server; they are implemented as anonymous search requests targeted to the Root DSE entry. Heartbeats are the only way AM knows if an idle connection has been dropped by a firewall or load balancer.

AM uses anonymous search requests such as the following to achieve this:

SEARCH REQ conn=6 op=2468 msgID=2469 base="" scope=baseObject filter="(objectClass=*)" attrs="1.1"

These searches do not pose a security risk as they just check the Root DSE, which does not expose any sensitive information. See Reconsider Default Global Access Control for further information on the Root DSE.

Completely disabling anonymous access in DS prevents this SEARCH request from succeeding if AM uses heartbeats (which it does by default) and causes connections from AM to fail. Anonymous access is disabled as follows depending on version:

  • DS 6.5.x: use the dsconfig set-global-configuration-prop subcommand with --set unauthenticated-requests-policy:reject.
  • DS 6.0.x: use the dsconfig set-global-configuration-prop subcommand with --set reject-unauthenticated-requests:true.
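Before rejecting unauthenticated requests, it is worth checking the DS access log for which anonymous searches would actually be affected. The following Python example is added here and is not code from the article or from ForgeRock: it classifies SEARCH REQ lines sent on connections that never bound, separating AM-style Root DSE heartbeats from other anonymous searches. The log lines are constructed in the shape the article quotes, and recognising a heartbeat purely by its base/scope/filter/attrs shape is an assumption.

```python
import re

# Constructed DS access-log lines in the shape the article quotes (not from a real
# deployment): conn=6 never binds and sends heartbeats; conn=9 binds; 11 and 13 are anonymous.
SAMPLE_LOG = """\
SEARCH REQ conn=6 op=2468 msgID=2469 base="" scope=baseObject filter="(objectClass=*)" attrs="1.1"
BIND REQ conn=9 op=11 msgID=12 version=3 type=SIMPLE dn="cn=Directory Manager"
SEARCH REQ conn=9 op=12 msgID=13 base="ou=people,dc=example,dc=com" scope=wholeSubtree filter="(uid=bjensen)" attrs="mail"
SEARCH REQ conn=6 op=2469 msgID=2470 base="" scope=baseObject filter="(objectClass=*)" attrs="1.1"
SEARCH REQ conn=11 op=3 msgID=4 base="" scope=baseObject filter="(objectClass=*)" attrs="namingContexts"
SEARCH REQ conn=13 op=2 msgID=3 base="dc=example,dc=com" scope=wholeSubtree filter="(cn=*)" attrs="cn"
"""

OP_RE = re.compile(r'(?P<kind>SEARCH|BIND) REQ conn=(?P<conn>\d+) op=\d+ msgID=\d+ (?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Return (kind, conn, fields) for a SEARCH/BIND REQ line, else None."""
    m = OP_RE.search(line)
    if not m:
        return None
    # Quoted values lose their quotes, so base="" becomes '' (the Root DSE).
    fields = {k: v[1:-1] if v.startswith('"') else v for k, v in FIELD_RE.findall(m.group("rest"))}
    return m.group("kind"), m.group("conn"), fields

def is_heartbeat(fields):
    """AM heartbeat shape: Root DSE base, baseObject scope, presence filter, attrs 1.1."""
    return (fields.get("base") == "" and fields.get("scope") == "baseObject"
            and fields.get("filter", "").lower() == "(objectclass=*)" and fields.get("attrs") == "1.1")

def classify_anonymous_searches(log_text):
    """Count SEARCH REQs on connections that never bound: these are the requests
    that start failing once DS rejects unauthenticated requests."""
    bound, counts = set(), {"heartbeat": 0, "rootdse_other": 0, "other": 0}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        kind, conn, fields = parsed
        # Approximation: a BIND REQ with a non-empty dn marks the connection authenticated
        # (a production check would also confirm the BIND RES result code).
        if kind == "BIND" and fields.get("dn"):
            bound.add(conn)
        elif kind == "SEARCH" and conn not in bound:
            if is_heartbeat(fields):
                counts["heartbeat"] += 1
            elif fields.get("base") == "":
                counts["rootdse_other"] += 1
            else:
                counts["other"] += 1
    return counts
```

A non-zero "rootdse_other" or "other" count means clients besides AM's heartbeats rely on anonymous access and will also break when the policy is changed.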

See the following articles for examples of the issues caused when connections fail:

See ACI: Disable Anonymous Access for information on the preferred way to prevent anonymous access in DS. Anonymous access is prevented by default in DS 7 and later.

See Also

Configuring Authentication Modules

Setting Up Identity Data Stores

Implementing the Core Token Service

Copyright and Trademarks Copyright © 2023 ForgeRock, all rights reserved.