OpenDJ: Turn off anonymous access

One of the many questions in the OpenDJ User FAQ is how to turn off anonymous access, in other words how to prevent users from performing operations other than authentication unless they have authenticated.

There’s a dsconfig global configuration property for that: reject-unauthenticated-requests.

$ dsconfig -p 4444 -h `hostname` \
 -D "cn=Directory Manager" -w password \
 set-global-configuration-prop -X -n \
 --set reject-unauthenticated-requests:true

Once you set the property, anonymous users trying to search, for example, will get an “Unwilling to perform” response from OpenDJ.

$ ldapsearch -p 1389 -b dc=example,dc=com uid=bjensen
SEARCH operation failed
Result Code:  53 (Unwilling to Perform)
Additional Information:  Rejecting the requested operation
  because the connection has not been authenticated

Of course, users who authenticate first are unaffected.

$ ldapsearch -p 1389 -b dc=example,dc=com \
 -D uid=bjensen,ou=people,dc=example,dc=com -w hifalutin
dn: uid=bjensen,ou=People,dc=example,dc=com
uid: bjensen
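
To re-check the setting after upgrades or configuration changes, the anonymous probe shown above can be scripted. The following is an added example, not part of the original post: the function names are hypothetical, the sample outputs are constructed from the transcripts above, and the live probe assumes OpenDJ's ldapsearch on the PATH and a server on localhost.

```shell
#!/bin/sh
# Added example: classify an anonymous ldapsearch probe against OpenDJ.
# Function names are hypothetical; sample outputs are constructed from
# the transcripts on this page.

# Reads ldapsearch output on stdin and prints one verdict:
#   open     - at least one entry ("dn:" line) was returned
#   rejected - result code 53 (Unwilling to Perform) and no entries
#   unknown  - anything else (connection error, other result code, no match)
classify_anon_probe() {
    awk '
        /^dn:/                          { entries++ }
        /^Result Code: *53([^0-9]|$)/   { rejected = 1 }
        END {
            if (entries > 0)   print "open"
            else if (rejected) print "rejected"
            else               print "unknown"
        }'
}

# Constructed sample: output after reject-unauthenticated-requests:true.
sample_rejected() {
    cat <<'EOF'
SEARCH operation failed
Result Code:  53 (Unwilling to Perform)
Additional Information:  Rejecting the requested operation
  because the connection has not been authenticated
EOF
}

# Constructed sample: an entry returned to an unauthenticated client.
sample_open() {
    cat <<'EOF'
dn: uid=bjensen,ou=People,dc=example,dc=com
uid: bjensen
EOF
}

# Live probe (assumes ldapsearch on PATH, server on localhost).
# Usage: probe_live PORT BASE_DN; succeeds only if the verdict is "rejected".
probe_live() {
    verdict=$(ldapsearch -p "$1" -b "$2" "(objectclass=*)" 2>&1 | classify_anon_probe)
    echo "anonymous search on port $1: $verdict"
    [ "$verdict" = "rejected" ]
}

# Run the live probe only when a port and base DN are given.
if [ "$#" -eq 2 ]; then probe_live "$1" "$2"; fi
```

A verdict of "unknown" means the probe proved nothing (for example, the server was unreachable), so only "rejected" should count as a pass.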