
How do I prevent anonymous access in OpenDJ 3.x?

Last updated Jan 5, 2021

The purpose of this article is to show the most effective way of preventing anonymous access from LDAP clients in OpenDJ.


Archived

This article has been archived and is no longer maintained by ForgeRock.

Overview

A common security requirement is that all LDAP clients connecting to your server must authenticate, which allows for proper auditing. However, the default configuration of OpenDJ allows unauthenticated or anonymous connections.

A very common strategy for LDAP clients is to connect to a server, retrieve information about the server’s capabilities from the root entry, and then authenticate to the server based on the server's capabilities. If a client is not allowed to retrieve this information it will usually just fail. Additionally, clients doing heartbeat-style checks on the server often do unauthenticated reads of the root entry, so completely disabling unauthenticated connections is not recommended.

You can prevent anonymous access as follows:

Preventing anonymous access (OpenDJ 3.x)

The recommended approach is to allow unauthenticated connections (that is, the default) and to use access controls to permit access to the root entry, and only the root entry. You can do this as follows:

  1. Grant access to the root entry in the server’s global-aci using the dsconfig command, where the ACI value after --add is a single long line with no line breaks. For example:

    $ ./dsconfig set-access-control-handler-prop --add 'global-aci:(target="ldap:///")(targetscope="base")(targetattr="objectClass||namingContexts||supportedAuthPasswordSchemes||supportedControl||supportedExtension||supportedFeatures||supportedLDAPVersion||supportedSASLMechanisms||vendorName||vendorVersion")(version 3.0; acl "User-Visible Root DSE Operational Attributes"; allow (read,search,compare) userdn="ldap:///anyone";)' --hostname server.example.com --port 4444 --bindDN "cn=Directory Manager" --bindPassword password --trustAll --no-prompt

    The attributes listed in the targetattr are ones that are widely used when checking server capabilities. You might find you need to add additional attributes to this list; searching the OpenDJ access logs for searches to base="" will show the list of attributes that the LDAP clients are trying to return.

  2. Remove the default access granted to anonymous users using a similar dsconfig command. For example:

    $ ./dsconfig set-access-control-handler-prop --remove 'global-aci:(targetattr!="userPassword||authPassword||debugsearchindex||changes||changeNumber||changeType||changeTime||targetDN||newRDN||newSuperior||deleteOldRDN")(version 3.0; acl "Anonymous read access"; allow (read,search,compare) userdn="ldap:///anyone";)' --hostname server.example.com --port 4444 --bindDN "cn=Directory Manager" --bindPassword password --trustAll --no-prompt

  3. If you have other custom ACIs that affect anonymous users, you will also need to review them and update as necessary.
  4. Repeat these steps for all appropriate OpenDJ instances.
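
The access log check described in step 1, as an added example that is not part of the original article: it collects the attributes requested in searches against base="" and reports those missing from the ACI's targetattr. The record layout (SEARCH ... base="..." ... attrs="...") and the sample log lines are assumptions constructed for illustration; adjust the pattern to match your access log format.

```python
import re

# targetattr list copied from the root entry ACI in step 1.
ACI_TARGETATTR = (
    "objectClass||namingContexts||supportedAuthPasswordSchemes||supportedControl||"
    "supportedExtension||supportedFeatures||supportedLDAPVersion||"
    "supportedSASLMechanisms||vendorName||vendorVersion"
)
ALLOWED = {a.lower() for a in ACI_TARGETATTR.split("||")}

# Selectors rather than attribute names (assumption: an empty request is logged as "ALL").
SELECTORS = {"all", "*", "+", "1.1"}

# Assumed record layout: ... SEARCH REQ ... base="<dn>" ... attrs="a,b,c"
SEARCH_RE = re.compile(r'\bSEARCH\b.*?\bbase="([^"]*)".*?\battrs="([^"]*)"')

# Constructed sample records, not taken from a real server.
SAMPLE_LOG = """\
[05/Jan/2021:10:00:01 +0000] SEARCH REQ conn=7 op=0 msgID=1 base="" scope=baseObject filter="(objectClass=*)" attrs="supportedSASLMechanisms,supportedLDAPVersion"
[05/Jan/2021:10:00:02 +0000] SEARCH REQ conn=8 op=0 msgID=1 base="" scope=baseObject filter="(objectClass=*)" attrs="namingContexts,subschemaSubentry,supportedControl"
[05/Jan/2021:10:00:03 +0000] BIND REQ conn=9 op=0 msgID=1 version=3 type=SIMPLE dn="uid=bjensen,ou=People,dc=example,dc=com"
[05/Jan/2021:10:00:04 +0000] SEARCH REQ conn=9 op=1 msgID=2 base="dc=example,dc=com" scope=wholeSubtree filter="(uid=bjensen)" attrs="mail"
[05/Jan/2021:10:00:05 +0000] SEARCH REQ conn=10 op=0 msgID=1 base="" scope=baseObject filter="(objectClass=*)" attrs="1.1"
"""

def root_dse_attrs(lines):
    """Count each attribute requested in searches whose base DN is the root entry."""
    counts = {}
    for line in lines:
        m = SEARCH_RE.search(line)
        if m is None or m.group(1) != "":
            continue  # not a search record, or not against base=""
        for attr in m.group(2).split(","):
            name = attr.strip().lower()  # LDAP attribute names are case-insensitive
            if name:
                counts[name] = counts.get(name, 0) + 1
    return counts

def not_covered(counts):
    """Requested attribute names that the ACI's targetattr does not list."""
    return sorted(a for a in counts if a not in ALLOWED and a not in SELECTORS)

if __name__ == "__main__":
    seen = root_dse_attrs(SAMPLE_LOG.splitlines())
    for name in not_covered(seen):
        print(f"{name}: requested {seen[name]} time(s), not in targetattr")
```

Review each reported name before adding it to targetattr; the output reflects only what clients asked for, not what anonymous users should be allowed to read.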

Note

You can also achieve this by globally disabling unauthenticated connections using set-global-configuration-prop. However, this approach is not recommended because it prevents access to the root entry, which can cause other processes to fail, including connectors from OpenAM when they are configured to use the heartbeat mechanism (default).

See Also

How do I know what the default Global ACIs are used for in OpenDJ 3.x?

How do I only allow selected users to search, update and delete LDAP entries in DS 6.x?

Administration Guide › Configuring Access Control

Administration Guide › ACI Targets

Installation Guide › Preventing Anonymous Access to an External Configuration Store



Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.