
Thread: disable anonymous LDAP access

  1. #11

    Quote Originally Posted by sasha
    I will get to bugzilla eventually this week
    Then I suppose we will get around to changing this... eventually.

    I think it is pretty obvious that anonymous LDAP should be allowed to be disabled.
    Why? Am I missing something? See below.


    In your Zimbra code, you are asking for data anonymously instead of binding with username and password... that's just lazy code and has nothing to do with necessity.
    Ever heard of Windows 2000? It does the same thing. It got changed in 2003.

    And I have searched this forum and everybody's questions on this issue HAVE NOT BEEN ANSWERED OR EXPLAINED. And this has been going for who knows how many years. Finally we get to hear from someone that it is simply NOT POSSIBLE. The reason is still not divulged however except that it doesn't take a genius that it is LAZY CODE.
    I told you why in my first comment.
    If you truly feel like our code is LAZY, then we respectfully ask you to quit using it.
    • Fedora Directory Server allows anon bind. Perhaps their code is lazy too. See: this post
    "Bind DN: specify a bind DN or leave it blank for anonymous bind"
    • So does Solaris. From THEIR docs:
    "Clients authenticate to an LDAP server by attempting a bind operation. A connection between the client and the server is established if the bind is successful. As part of the bind request, the client chooses which authentication method it wants to use and supplies the credentials required by that method. If a method is not specified, credentials are not sent and the client is bound as an anonymous user."
    See: http://www.sun.com/blueprints/1200/ldap-security.pdf
    • So does Mac OS X Server:
    "This choice runs a small subsystem that allows you to add or delete LDAP servers from the list, but not change the settings on an existing one. To add our server, press "+" and answer the questions as they come up.
    Code:
    hostname: ldap.example.com
    base: cn=users,dc=example,dc=com
    name: Staff
    The default is fine for all other settings. Since we are only searching, we can leave binddn blank, for anonymous bind."

    See: http://www.oreillynet.com/pub/a/mac/...6/18/ldap.html
    Hmm. O'Reilly, a well-established expert, didn't seem to have a problem with it.

    So, don't come into OUR forums and tell us that OUR CODE is LAZY when Apple, Sun, and RedHat all allow the same thing!! That's just tacky, and quite honestly makes me very mad.

    If you want the ability to change it, I suggest you file an enhancement.

    Otherwise, this thread is locked, and you can pvt me directly with any concerns or questions.

    john
    Last edited by jholder; 02-19-2007 at 04:10 PM.
