One of the many questions in the OpenDJ User FAQ is how to turn off anonymous access. In other words, how to prevent clients from performing any operation other than authentication until they have authenticated.
There’s a dsconfig global configuration property for that: reject-unauthenticated-requests.
$ dsconfig -p 4444 -h `hostname` -D "cn=Directory Manager" -w password set-global-configuration-prop -X -n --set reject-unauthenticated-requests:true
Once you set the property, anonymous users trying to perform an operation, a search for example, will get an “Unwilling to perform” response from OpenDJ.
$ ldapsearch -p 1389 -b dc=example,dc=com uid=bjensen
SEARCH operation failed
Result Code: 53 (Unwilling to Perform)
Additional Information: Rejecting the requested operation because the connection has not been authenticated
Of course users who authenticate first are unaffected.
$ ldapsearch -p 1389 -b dc=example,dc=com -D uid=bjensen,ou=people,dc=example,dc=com -w hifalutin uid=bjensen
dn: uid=bjensen,ou=People,dc=example,dc=com
uid: bjensen
...
Do we achieve the same if we just remove the ACI rules for anonymous access, or is this a more sophisticated solution?
Yes, you can achieve the end result with access control instructions. The advantage of using ACIs is that ACIs in the data are replicated with the data, whereas configuration settings are per-server.
It seems the dsconfig setting has the server drop operations before ACIs are processed, so it may be cheaper in terms of server resources.
Peter,
You don’t want to remove the ACI rules for Anonymous access, you want to change it from granting access to anyone (ldap:///anyone) to granting access to all authenticated users (ldap:///all).
This said, there are some differences between fully rejecting unauthenticated requests and using ACI to control access. The former will block all access, including the attempts to discover the server’s capabilities by reading the RootDSE. The latter allows you to control which parts can be accessed anonymously, and which shouldn’t.
There’s been a lot of fuss around allowing anonymous access to a directory service. Some people are saying that features and naming context discovery is a threat to security, allowing malicious users to understand what the server contains and what security mechanisms are available and therefore not available. At the same time, it is important for generic purpose applications to understand how they can or must use the directory service before they actually authenticate to it.
Fortunately, OpenDJ has mechanisms that allow administrators to configure the directory services according to their security constraints, using either a simple flag to reject all unauthenticated requests, or by using ACIs.
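As an added example (not part of the post or its comments), here is the ACI change Ludo describes written as an ldapmodify LDIF: the grant to ldap:///anyone on the suffix is replaced by the same grant limited to ldap:///all, i.e. authenticated users. The existing ACI text below is an assumption; on a real server the value under delete must be copied exactly from an ldapsearch of the aci attribute, because the delete matches the stored value verbatim.

```ldif
# Constructed example: swap an "anyone" read grant for an "all authenticated users" read grant.
# The aci value listed under "delete" must match the value stored on the entry character for character.
dn: dc=example,dc=com
changetype: modify
delete: aci
aci: (targetattr!="userPassword")(version 3.0; acl "Anonymous read access"; allow (read,search,compare) userdn="ldap:///anyone";)
-
add: aci
aci: (targetattr!="userPassword")(version 3.0; acl "Authenticated read access"; allow (read,search,compare) userdn="ldap:///all";)
```

Apply it with ldapmodify -p 1389 -D "cn=Directory Manager" -w password -f aci-change.ldif, then rerun the two ldapsearch commands from the post: the anonymous search should now return no entry, while the bound search still returns uid=bjensen. Unlike reject-unauthenticated-requests, this leaves anonymous reads of the RootDSE alone, since they are governed by the global ACIs rather than the suffix.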
Ludo, hi, may I get access to your email address please?
Hi,
You might want to contact Ludo through his blog, Ludo’s Sketches.
Regards,
Mark
These details (comments left by Mark and Ludo) warrant being in the admin guide, IMO (if they’re not already). This post and its comments were helpful and clear to me.
Pingback: OpenDJ Access Control Explained | Easy Identity