OpenDJ: Turn off anonymous access

OpenDJ Community Logo One of the many questions in the OpenDJ User FAQ is how to turn off anonymous access. In other words prevent users from performing operations other than authentication unless they have authenticated.

There’s a dsconfig global configuration property for that: reject-unauthenticated-requests.

$ dsconfig -p 4444 -h `hostname`
 -D "cn=Directory Manager" -w password
set-global-configuration-prop -X -n
--set reject-unauthenticated-requests:true

Once you set the property, anonymous users trying to search for example will get an “Unwilling to perform” response from OpenDJ.

$ ldapsearch -p 1389 -b dc=example,dc=com uid=bjensen
SEARCH operation failed
Result Code:  53 (Unwilling to Perform)
Additional Information:  Rejecting the requested operation
  because the connection has not been authenticated

Of course users who authenticate first are unaffected.

$ ldapsearch -p 1389 -b dc=example,dc=com
 -D uid=bjensen,ou=people,dc=example,dc=com -w hifalutin
 uid=bjensen
dn: uid=bjensen,ou=People,dc=example,dc=com
uid: bjensen
...
Advertisements

7 thoughts on “OpenDJ: Turn off anonymous access

  1. Yes, you can achieve the end result with access control instructions. The advantage using ACIs is that ACIs in the data are replicated with the data, whereas configuration settings are per-server.

    It seems the dsconfig setting has the server drop operations before ACIs are processed, so it may be cheaper in terms of server resources.

  2. Peter,

    You don’t want to remove the ACI rules for Anonymous access, you want to change it from granting access to anyone (ldap:///anyone) to granting access to all authenticated users (ldap:///all).

    This said, there are some differences between fully rejecting unauthenticated requests and using ACI to control access. The former will block all access including the attempts to discover the server’s capabilities by reading the RootDSE. The later allows you to control which parts can be accessed anonymously, and which shouldn’t.

    There’s been a lot of fuss around allowing anonymous access to a directory service. Some people are saying that features and naming context discovery is a threat to security, allowing malicious users to understand what the server contains and what security mechanisms are available and therefore not available. At the same time, it is important for generic purpose applications to understand how they can or must use the directory service before they actually authenticate to it.

    Fortunately, OpenDJ has mechanisms that allow administrators to configure the directory services according to their security constraints, using either a simple flag to reject all unauthenticated requests, or by using ACIs.

  3. These details (comments left by Mark and Ludo) warrant being in the admin guide, IMO (if they’re not already). This post and its comments were helpful and clear to me.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s