How do I prevent anonymous access in OpenDJ 3.x?
The purpose of this article is to show the most effective way of preventing anonymous access from LDAP clients in OpenDJ.
This article has been archived and is no longer maintained by ForgeRock.
A common security requirement is that all LDAP clients connecting to your server must authenticate, which allows for proper auditing. However the default configuration of OpenDJ allows unauthenticated or anonymous connections.
A very common strategy for LDAP clients is to connect to a server, retrieve information about the server’s capabilities from the root entry, and then authenticate to the server based on the server's capabilities. If a client is not allowed to retrieve this information it will usually just fail. Additionally, clients doing heartbeat-style checks on the server often do unauthenticated reads of the root entry, so completely disabling unauthenticated connections is not recommended.
You can prevent anonymous access as follows:
- For DS 5 and later, you should refer to the documentation for this process: Administration Guide › ACI: Disable Anonymous Access
- For OpenDJ 3.x, you should refer to the steps detailed below.
Preventing anonymous access (OpenDJ 3.x)
The recommended approach is to allow unauthenticated connections (that is, the default) and to use access controls to permit access to the root entry, and only the root entry. You can do this as follows:
Grant access to the root entry in the server’s global-aci using the dsconfig command, where the ACI value after --add is a single long line with no line breaks. For example:$ ./dsconfig set-access-control-handler-prop --add 'global-aci:(target="ldap:///")(targetscope="base")(targetattr="objectClass||namingContexts||supportedAuthPasswordSchemes||supportedControl||supportedExtension||supportedFeatures||supportedLDAPVersion||supportedSASLMechanisms||vendorName||vendorVersion")(version 3.0; acl "User-Visible Root DSE Operational Attributes"; allow (read,search,compare) userdn="ldap:///anyone";)' --hostname server.example.com --port 4444 --bindDN "cn=Directory Manager" --bindPassword password --trustAll --no-prompt
The attributes listed in the targetattr are ones that are widely used when checking server capabilities. You might find you need to add additional attributes to this list; searching the OpenDJ access logs for searches to base="" will show the list of attributes that the LDAP clients are trying to return.
- Remove the default access granted to anonymous users using a similar dsconfig command. For example: $ ./dsconfig set-access-control-handler-prop --remove 'global-aci:(targetattr!="userPassword||authPassword||debugsearchindex||changes||changeNumber||changeType||changeTime||targetDN||newRDN||newSuperior||deleteOldRDN")(version 3.0; acl "Anonymous read access"; allow (read,search,compare) userdn="ldap:///anyone";)' --hostname server.example.com --port 4444 --bindDN "cn=Directory Manager" --bindPassword password --trustAll --no-prompt
- If you have other custom ACIs that affect anonymous users, you will also need to review them and update as necessary.
- Repeat these steps for all appropriate OpenDJ instances.
You can also achieve this by globally disabling unauthenticated connections using set-global-configuration-prop. However, this approach is not recommended because it prevents access to the root entry, which can cause other processes to fail, including connectors from OpenAM when they are configured to use the heartbeat mechanism (default).
How do I know what the default Global ACIs are used for in OpenDJ 3.x?
How do I only allow selected users to search, update and delete LDAP entries in DS 6.x?
Administration Guide › Configuring Access Control
Administration Guide › ACI Targets
Installation Guide › Preventing Anonymous Access to an External Configuration Store
Related Issue Tracker IDs