How to disable anonymous binds in LDAP

  • 3932155
  • 10-Jan-2007
  • 06-Jun-2012

Environment

Novell eDirectory 8.7 for All Platforms
EDIR8703.EXE
EDIR8704.EXE

Situation

Applied the above eDirectory updates (NLDAP version 10410.87 or higher).
LDAP server is not accepting bind requests from clients.
LDAP appears to load fine.
How to disable anonymous binds in LDAP
How to restrict anonymous binds in LDAP.

Resolution

Make sure the EDIR870x.EXE or EDIR870x.TGZ files are installed on your platform, then use the proper platform-specific schema extension utility to extend the schema with the LDAP.SCH file and associate the attribute with the LDAP server object. The NetWare, NT and UNIX procedures are given below.
NETWARE:

This should first be run on a RW or Master of Root!


a. From the NetWare Console type "LOAD NWCONFIG" - Select Directory Options - Extend Schema
b. Authenticate as admin or a user with admin rights to root. Change the path by pressing F3 and specify the location of the LDAP.SCH file in the 8703 patch (\NW\SYS\SYSTEM\SCHEMA).
c. Force the schema synch process by running the following commands on the console:

SET DSTRACE=ON
SET DSTRACE=+SCHEMA
SET DSTRACE=*SSD
SET DSTRACE=*SSA
Wait for an "All Processed = Yes" on the Directory Services Screen then continue to the ConsoleOne Section of this TID.
NT:

This should first be run on a RW or Master of Root
a. Choose Start - Control Panel - Novell eDirectory Services - Highlight the INSTALL.DLM module - Click Start
b. Choose "Install additional schema files." - Click Next - Authenticate as Admin or a user with admin rights to root
c. Browse to the LDAP.SCH file contained in EDIR870x.EXE (i.e., C:\8703\NT\NDS\LDAP.SCH) - Click Finish
d. Force a Schema Synch Process from either Novell eDirectory Services - DSTRACE or from iManager DSTRACE.
e. Wait for an "All Processed = Yes" on the Directory Services Screen then continue to the ConsoleOne Section of this TID.
UNIX:

This should first be run on a RW or Master of Root.
a. Type the following command:
ndssch /usr/lib/nds-schema/ldap.sch
b. Authenticate as admin or a user with admin rights to root, and type the admin password when prompted.
c. Force the schema synch process by running the following commands on the console:

ndstrace
set dstrace=nodebug
dstrace +scma +scmd
set dstrace=*ssd
set dstrace=*ssa
Wait for an "All Processed = Yes" on the Directory Services Screen then continue with the ConsoleOne section
CONSOLEONE:

Now that the new attribute, ldapBindRestrictions, has been added to the schema and associated with the LDAP server class, we can add it to our LDAP server object and populate it with a value.
1. Load ConsoleOne
2. Browse to your LDAP server object
3. Right click - Properties - Other Tab
4. Click on the Attribute Add button - Scroll to the ldapBindRestrictions attribute - OK
5. To disable anonymous binds put a value of 1 in the attribute value field. To allow such connections put in a value of 0.
6. Select Apply - OK

Note: In 8.7.1, a property tab is available for toggling this setting on or off, and the schema is extended automatically for this function.
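Once the attribute is set, it is worth confirming from a client that the server really refuses an anonymous bind. The Python 3 script below is an added example, not part of this TID or of eDirectory: it hand-encodes the LDAPv3 anonymous BindRequest (empty name, empty simple password) with the standard library only, reads the resultCode out of the BindResponse, and treats anything other than 0 as a refusal. The host name and port 389 are assumptions, and the two sample replies are constructed for offline use because the TID does not state which result code NLDAP returns when it refuses.

```python
import socket

# Minimal BER helpers: enough to encode an LDAPv3 BindRequest and decode a BindResponse.
def _ber_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, payload):
    return bytes([tag]) + _ber_len(len(payload)) + payload

def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def build_anonymous_bind(message_id=1):
    """LDAPv3 BindRequest with empty name and empty simple password: an anonymous bind (message_id < 128)."""
    bind = _tlv(0x02, b"\x03") + _tlv(0x04, b"") + _tlv(0x80, b"")   # version, name, simple
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + _tlv(0x60, bind))  # LDAPMessage

def parse_bind_response(data):
    """Return (messageID, resultCode, diagnosticMessage) from a BindResponse PDU."""
    tag, msg, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = _read_tlv(msg, 0)
    tag, op, _ = _read_tlv(msg, pos)
    if tag != 0x61:                            # BindResponse is APPLICATION 1
        raise ValueError("not a BindResponse")
    _, code, pos = _read_tlv(op, 0)            # resultCode ENUMERATED
    _, _matched, pos = _read_tlv(op, pos)      # matchedDN, unused here
    _, diag, _ = _read_tlv(op, pos)            # diagnosticMessage
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big"), diag.decode("utf-8", "replace")

def anonymous_bind_accepted(data):
    return parse_bind_response(data)[1] == 0   # resultCode 0 = success = anonymous bind allowed

def check_server(host, port=389, timeout=5):
    """Send one anonymous bind to host:port; True means the server still accepts it."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_anonymous_bind())
        reply = sock.recv(4096)                # a BindResponse fits in a single read
    return anonymous_bind_accepted(reply)

# Constructed sample replies for offline use (not captured from a real eDirectory server).
SAMPLE_ACCEPTED = bytes.fromhex("300c02010161070a010004000400")        # resultCode 0
SAMPLE_REJECTED = _tlv(0x30, _tlv(0x02, b"\x01") + _tlv(0x61, _tlv(0x0a, b"\x30")
                       + _tlv(0x04, b"") + _tlv(0x04, b"constructed diagnostic")))
```

Run `check_server("ldap.example.com")` against the server after the schema has synchronized; a result of True means ldapBindRestrictions has not taken effect yet.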

Additional Information

This new build of NLDAP (available with the eDirectory 8.7.0.3 and 8.7.0.4 updates) allows anonymous binds to be disabled. To accomplish this, a new LDAP server attribute, ldapBindRestrictions, must be added to eDirectory's schema and associated with the LDAP server object. If the schema update file included in the patch, LDAP.SCH, has not been run when the new NLDAP module loads, clients will not be able to bind: whenever NLDAP loads and does not see this attribute, either because the new LDAP.SCH included in these patches was not run or because the schema has not yet synchronized to the server, NLDAP refuses all bind requests.

Formerly known as TID# 10077872
Formerly known as TID# NOVL84851