How To
ForgeRock Identity Platform
Does not apply to Identity Cloud

How does AM 5.x and 6.x use anonymous access calls to DS?

Last updated Apr 13, 2021

This article explains how AM uses anonymous access calls to DS. This is distinct from the anonymous user in AM.



Understanding anonymous access calls

AM uses heartbeats to monitor LDAP connections and the availability of the LDAP server; they are implemented as anonymous search requests targeted to the Root DSE entry. Heartbeats are the only way AM knows if an idle connection has been dropped by a firewall or load balancer.

AM uses anonymous search requests such as the following to achieve this:

SEARCH REQ conn=6 op=2468 msgID=2469 base="" scope=baseObject filter="(objectClass=*)" attrs="1.1"

Note: These searches do not pose a security risk as they just check the Root DSE, which does not expose any sensitive information. See Security Guide › Reconsider Default Global Access Control for further information on the Root DSE.

Completely disabling anonymous access in DS prevents this SEARCH request from succeeding if AM uses heartbeats (which it does by default) and causes connections from AM to fail. Anonymous access is disabled as follows depending on version:

  • DS 6.5.x: use the dsconfig set-global-configuration-prop command with --set unauthenticated-requests-policy:reject.
  • Pre-DS 6.5.x: use the dsconfig set-global-configuration-prop command with --set reject-unauthenticated-requests:true.

See the following articles for examples of the issues caused when connections fail:

See Administration Guide › ACI: Disable Anonymous Access for information on the preferred way to prevent anonymous access in DS. Anonymous access is prevented by default in DS 7 and later.
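
The following is an added example, not ForgeRock code, for auditing a DS access log before restricting anonymous access: it separates the heartbeat searches described above from any other unauthenticated requests. The log lines are constructed, and the BIND REQ layout, the DNs and the function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines, modelled on the SEARCH REQ line shown in this article.
# The BIND REQ layout and all DN/base values are assumptions for illustration.
SAMPLE_LOG = '''\
SEARCH REQ conn=6 op=2468 msgID=2469 base="" scope=baseObject filter="(objectClass=*)" attrs="1.1"
SEARCH REQ conn=6 op=2469 msgID=2470 base="" scope=baseObject filter="(objectClass=*)" attrs="1.1"
BIND REQ conn=7 op=0 msgID=1 version=3 type=SIMPLE dn="cn=am-service,ou=admins,dc=example,dc=com"
SEARCH REQ conn=7 op=1 msgID=2 base="ou=people,dc=example,dc=com" scope=wholeSubtree filter="(uid=demo)" attrs="ALL"
SEARCH REQ conn=9 op=0 msgID=1 base="dc=example,dc=com" scope=wholeSubtree filter="(uid=*)" attrs="mail"
'''

LINE_RE = re.compile(r'\b(?P<op>[A-Z]+) REQ conn=(?P<conn>\d+)\b(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted" or key=bare

def parse(line):
    """Return (operation, connection id, fields) for a request line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    fields = {k: (q or u) for k, q, u in FIELD_RE.findall(m['rest'])}
    return m['op'], int(m['conn']), fields

def is_heartbeat(f):
    """True for the Root DSE search AM sends as a heartbeat."""
    return (f.get('base') == '' and f.get('scope') == 'baseObject'
            and f.get('filter') == '(objectClass=*)' and f.get('attrs') == '1.1')

def audit(lines):
    """Count heartbeats per unauthenticated connection; list other anonymous requests."""
    bound, heartbeats, other = set(), defaultdict(int), []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        op, conn, f = rec
        if op == 'BIND' and f.get('dn'):
            # Simplification: a bind request with a non-empty DN marks the
            # connection as authenticated; the bind result is not checked.
            bound.add(conn)
        elif conn not in bound:
            if op == 'SEARCH' and is_heartbeat(f):
                heartbeats[conn] += 1
            else:
                other.append((conn, op, f.get('base', '')))
    return dict(heartbeats), other

if __name__ == '__main__':
    print(audit(SAMPLE_LOG.splitlines()))
```

Connections that appear only in the heartbeat count would start failing if unauthenticated requests were rejected outright; entries in the second list are the anonymous requests worth reviewing.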

See Also

Authentication and Single Sign-On Guide › Configuring Authentication Modules

Setup and Maintenance Guide › Setting Up Identity Data Stores

Installation Guide › Implementing the Core Token Service



Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.