What effect does disabling 'LDAP Anonymous binds' have on the various OES services?

  • 7014753
  • 18-Mar-2014
  • 07-Apr-2014

Environment

NetIQ eDirectory
Novell iPrint for Linux
Novell Open Enterprise Server 11 (OES 11) Linux

Situation

What effect does disabling 'LDAP Anonymous binds' have on the various OES services?

OES Installation.

During OES installation an 'LDAP anonymous bind' is performed in only two places; everywhere else a password (an authenticated bind) is used:

1. To check whether the server is a DSfW (Domain Services for Windows) server or not.
2. In NCS (Novell Cluster Services), to select the remote cluster server in the GUI. This happens during server installation, before certificates have been created, so an anonymous bind is used.

NetIQ eDirectory.

Although the examples in TID 3932155 describe older versions of eDirectory, the procedure it gives for disabling anonymous bind on an LDAP server is still valid for NetIQ eDirectory on OES 11 servers today.

What needs to be kept in mind when following this approach is that anything performing 'rootDSE' searches is affected. There are various services (including ones external to eDirectory / OES) that perform rootDSE searches and may bind anonymously to do so (e.g. Citrix 7.1). Once anonymous bind is disabled for LDAP, these services will stop functioning as well.
Apart from this, we are not aware of any standalone eDirectory components that use LDAP anonymous binds at any stage.
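Before disabling anonymous binds it helps to see exactly what an "anonymous bind" is on the wire and to check what an LDAP server currently answers to one. The following probe is an added example, not a Novell/NetIQ tool: it hand-encodes an LDAPv3 BindRequest with an empty DN and empty password (which is what a rootDSE-searching client such as those described above sends before authenticating), and reads the resultCode from the BindResponse. The host and port are assumptions; the sample responses are constructed.

```python
import socket

def _ber(tag: int, payload: bytes) -> bytes:
    """Minimal BER TLV encoder (short-form length only; every message here is < 128 bytes)."""
    if len(payload) >= 128:
        raise ValueError("short-form BER length only")
    return bytes([tag, len(payload)]) + payload

def anonymous_bind_request(message_id: int = 1) -> bytes:
    """LDAPv3 BindRequest with an empty DN and empty simple password: an anonymous bind."""
    bind = _ber(0x60,                       # [APPLICATION 0] BindRequest
                _ber(0x02, b"\x03")         # version 3
                + _ber(0x04, b"")           # name: empty DN
                + _ber(0x80, b""))          # simple authentication, empty password
    return _ber(0x30, _ber(0x02, bytes([message_id])) + bind)  # LDAPMessage

def parse_bind_result(msg: bytes) -> int:
    """Return the resultCode from a BindResponse (0 = success, non-zero = refused)."""
    if msg[:1] != b"\x30":
        raise ValueError("not an LDAPMessage")
    i = 2 + 2 + msg[3]                  # skip LDAPMessage header and messageID TLV
    if msg[i] != 0x61:                  # [APPLICATION 1] BindResponse
        raise ValueError("unexpected protocolOp 0x%02x" % msg[i])
    i += 2                              # into the BindResponse payload
    if msg[i] != 0x0A:                  # ENUMERATED resultCode
        raise ValueError("missing resultCode")
    return msg[i + 2]

def describe(rc: int) -> str:
    """Human-readable meaning of the common bind result codes (RFC 4511 values)."""
    return {0: "anonymous bind accepted",
            48: "inappropriateAuthentication: anonymous bind refused",
            49: "invalidCredentials"}.get(rc, "resultCode %d" % rc)

def probe_anonymous_bind(host: str, port: int = 389, timeout: float = 5.0) -> int:
    """Open a plain LDAP connection, send the anonymous bind, return the server's resultCode."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(anonymous_bind_request())
        return parse_bind_result(s.recv(4096))

# Constructed sample responses (not captured from a real server): resultCode 0 and 48.
SAMPLE_ACCEPTED = bytes.fromhex("300c02010161070a010004000400")
SAMPLE_REFUSED = bytes.fromhex("300c02010161070a013004000400")

if __name__ == "__main__":
    # Assumed target; replace with the eDirectory LDAP server to be checked.
    print(describe(probe_anonymous_bind("ldap.example.internal")))
```

Run it once before and once after changing the LDAP server settings; a server that no longer answers resultCode 0 will also refuse the anonymous rootDSE searches the services above rely on.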

OES Migration tools.

The OES migration tools use anonymous binds for LDAP searches in only a few scripts to date.
These are mainly the scripts called during Transfer ID migrations, and they are documented in TID 7002862.

LUM.

If 'LDAP Anonymous binds' are going to be disabled, a proxy user must be enabled in the LUM YaST configuration.
The common-proxy user can also be used here (there is a check box in the LUM YaST screen to select this option).

File access protocols.

Based on our experience with the Common Proxy Management framework, disabling 'LDAP Anonymous binds' should have no impact on the file access protocols NCP, CIFS and AFP, nor on FTP.

DNS and DHCP.

DNS and DHCP are not affected when disabling LDAP anonymous binds as they both use authenticated connections only.

iPrint.

From an iPrint perspective, apart from the issues mentioned in TID 7001424, we do not anticipate any further problems.
On a related note, when using the iPrint appliance, the client-less ICM feature _does_ depend on LDAP anonymous bind.

Novell Client.

Not specifically an 'OES service', but please be aware that the Novell Client for Windows relies on LDAP anonymous binds whenever its "LDAP Contextless Login" feature is used.

Resolution

An enhancement request has been filed to investigate the effort and dependencies required to modify the various OES tools and components to work in environments where 'LDAP anonymous binds' are to be disabled.

Additional Information

Outstanding questions.

With respect to this TID, there are a number of other factors that still need to be investigated and followed up on:
- GroupWise Web Access
- eGuide
- HP iLO