LinuxQuestions.org
Old 12-13-2012, 03:30 PM   #1
mmonette
LQ Newbie
 
Registered: Dec 2012
Posts: 3

Bind to LDAP with credentials


Hey,

I want to disable anonymous users being able to read/search our LDAP server. We are using OpenDJ, which is based on OpenDS. I don't really think the server has anything to do with it.

So far, I can type "ldapsearch -x -Z" and pull the entire LDAP database (minus the passwords, of course).

When I change the anonymous access from "anyone" to "all" it then requires an LDAP user/password to pull the LDAP info.

ldapsearch -x -Z shows nothing, and I can no longer login as an LDAP user. That's cool!

I created a user in the base of my LDAP called "Binder" to be used to show/search/read LDAP info.

This is the command I use to view the LDAP users.

ldapsearch -x -Z -D cn=Binder,dc=example,dc=com -w pa$$w0rd

Just like before, everything in the LDAP server appears, wonderful! So it is accepting this new user and letting me read the directory.

Now. I am using Centos 6 as a client.

I add the following lines to /etc/pam_ldap.conf AND /etc/nslcd.conf
binddn "cn=Binder,dc=example,dc=com"
bindpw pa$$w0rd

But ldapsearch -x -Z still shows nothing. It is not taking those credentials and still sees me as anonymous. I still cannot "su" to an ldap user.

Is there a step I am missing? cn=Binder is obviously working, as I can manually enter the credentials and view the directory, but the lines I have added are not taking.

I may be just a bit confused with the bindpw part

Do I type the plaintext password after bindpw? or do I store it in a file called /etc/bindpw (chmod 600) and change those lines to bindpw /etc/bindpw ?

Frig, I am so close I just need a kick in the right direction for this one

I hope someone can lend me some of that expert knowledge!

Thanks dudes.
 
Old 12-14-2012, 08:55 AM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

The bindpw IS the password, yes, but you seem to have jumped a few steps here. You need "getent passwd" to return the user data first; don't worry about logins until you can see the accounts. Additionally, you don't seem to have gotten it working without the bind account anyway, so there's no reason to think that it's actually related to the bind creds.
Old 12-14-2012, 09:55 AM   #3
mmonette
LQ Newbie
 
Registered: Dec 2012
Posts: 3

Original Poster
Actually, nope,

I did not skip any steps, I have never in my life once used getent (Maybe I should start?)

Here's how it's done.


Created a user in the base of the ldap called Binder, no posix classes, simple user.

vi /etc/nslcd.conf
binddn cn=Binder,dc=example,dc=com
bindpw pa55word

vi /etc/pam_ldap.conf
binddn cn=Binder,dc=example,dc=com
bindpw pa55word

service nslcd restart
ldapsearch -x -Z
No info shown, GOOD!

ldapsearch -x -Z -D cn=Binder,dc=example,dc=com

Info shown, GOOD!

su - Divebomb

GOOD!

For my tests I was doing "ldapsearch -x -Z", thinking that it would automatically enter the user/password from the config files. I never actually attempted to su - Divebomb. I assumed that if ldapsearch returned nothing, su wouldn't work.

I appreciate the reply!!!

Have a great day everyone.
 
Old 12-14-2012, 02:58 PM   #4
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Well, by "missed a step" I meant in terms of the appropriate checks that you're going OK. You changed multiple things at once, and were left not knowing what was wrong.

But anyway, ldapsearch does NOT use /etc/ldap.conf; it uses the totally different file /etc/openldap/ldap.conf.
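The script below is an added example, not code from the thread, from OpenDJ or from nslcd. It walks a CentOS 6 client through the checks in the order acid_kewpie suggests: first the bind configuration, then NSS via getent, then a bound ldapsearch. Two points from the thread are built into it. First, bindpw in /etc/nslcd.conf and /etc/pam_ldap.conf is plaintext, so those files must not be world-readable (root-owned, mode 600). Second, ldapsearch never reads nslcd.conf or pam_ldap.conf; it reads /etc/openldap/ldap.conf for the server URI, default base and TLS CA, and that file has no password setting, so the bind DN and password have to be passed explicitly. Rather than "-w pa$$w0rd" on the command line, where the password is visible in ps output and shell history, the script copies the password into a 0600 file for "-y", and uses -ZZ so a failed StartTLS aborts instead of continuing in cleartext. The /tmp paths, the constructed sample nslcd.conf and the user name "Divebomb" are assumptions for illustration; no real directory server is contacted by the demo section.

```shell
#!/bin/sh
# Added example, not code from the thread. Checks a CentOS 6 LDAP client in
# the order the moderator suggests: config file, then NSS (getent), then a
# bound ldapsearch with the password kept out of argv. The sample config,
# the /tmp paths and the user name "Divebomb" are constructed for illustration.

# config_value FILE KEY: print KEY's value from a "key value" file such as
# /etc/nslcd.conf, stripping optional double quotes (assumes no spaces in it).
config_value() {
    awk -v key="$2" '$1 == key { v = $2; gsub(/^"|"$/, "", v); print v; exit }' "$1"
}

# check_nslcd_conf FILE: 0 if FILE names binddn and bindpw and is not readable
# by "other". bindpw is plaintext, so a world-readable file hands it to every
# local user. Uses GNU stat (present on CentOS).
check_nslcd_conf() {
    conf=$1
    [ -f "$conf" ] || { echo "missing: $conf" >&2; return 1; }
    mode=$(stat -c '%a' "$conf") || return 1
    other=${mode#"${mode%?}"}   # last octal digit = permissions for "other"
    if [ "$other" != 0 ]; then
        echo "$conf is readable by others (mode $mode): chmod 600 $conf" >&2
        return 1
    fi
    [ -n "$(config_value "$conf" binddn)" ] || { echo "no binddn in $conf" >&2; return 1; }
    [ -n "$(config_value "$conf" bindpw)" ] || { echo "no bindpw in $conf" >&2; return 1; }
}

# make_passfile CONF OUT: copy bindpw into OUT with mode 0600 and no trailing
# newline, because "ldapsearch -y" uses the file's complete contents as the
# password.
make_passfile() {
    pw=$(config_value "$1" bindpw)
    [ -n "$pw" ] || { echo "no bindpw in $1" >&2; return 1; }
    ( umask 077 && printf '%s' "$pw" > "$2" ) || return 1
    chmod 600 "$2"
}

# bind_search CONF PASSFILE [ldapsearch args...]: the thread's
# "ldapsearch -x -Z -D cn=Binder,dc=example,dc=com -w pa$$w0rd", but with the
# password read from PASSFILE (-y) instead of the command line, and -ZZ so a
# failed StartTLS aborts rather than continuing in cleartext. URI, default
# base and TLS CA still come from /etc/openldap/ldap.conf, which has no
# password option, which is why the nslcd credentials never applied here.
bind_search() {
    conf=$1; passfile=$2; shift 2
    dn=$(config_value "$conf" binddn)
    [ -n "$dn" ] || { echo "no binddn in $conf" >&2; return 1; }
    ldapsearch -x -ZZ -D "$dn" -y "$passfile" "$@"
}

# check_user_resolves USER: NSS must return the account through nslcd before
# "su - USER" has any chance of working. Exit status is getent's.
check_user_resolves() {
    getent passwd "$1" > /dev/null
}

# Demo on a constructed config (no real server; bind_search is not run here).
demo_dir=$(mktemp -d /tmp/ldapcheck.XXXXXX) || exit 1
demo_conf=$demo_dir/nslcd.conf
cat > "$demo_conf" <<'EOF'
uri ldap://ldap.example.com/
ssl start_tls
base dc=example,dc=com
binddn "cn=Binder,dc=example,dc=com"
bindpw pa$$w0rd
EOF
chmod 644 "$demo_conf"
if check_nslcd_conf "$demo_conf"; then
    echo "unexpected: world-readable config accepted"
else
    echo "world-readable config rejected, as intended"
fi
chmod 600 "$demo_conf"
check_nslcd_conf "$demo_conf" && echo "config OK: binddn=$(config_value "$demo_conf" binddn)"
make_passfile "$demo_conf" "$demo_dir/bindpw" && echo "password file written for ldapsearch -y"
check_user_resolves Divebomb || echo "Divebomb not in NSS yet: fix nslcd before trying su"
rm -rf "$demo_dir"
```

On a real client, after "service nslcd restart", run as root: check_nslcd_conf /etc/nslcd.conf, then make_passfile /etc/nslcd.conf /root/.binder.pw and bind_search /etc/nslcd.conf /root/.binder.pw -b dc=example,dc=com, which reproduces the thread's manual test without putting the password in argv; check_user_resolves Divebomb is the getent check to pass before trying su. Apply the same mode check to /etc/pam_ldap.conf, which carries the same plaintext bindpw.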
 
  

