Posted to users@directory.apache.org by James Dekker <ja...@gmail.com> on 2015/10/30 00:57:41 UTC
Disabling anonymous bind on ApacheDS LDAP causes getent group not to work
Am new to ApacheDS - am using apacheds-2.0.0-M17.
Followed the instructions to set up an Ubuntu 14.04 LTS machine as an LDAP
client from this page:
https://help.ubuntu.com/community/LDAPClientAuthentication
Was able to view groups by issuing the following command:
getent group
I then proceeded by disabling anonymous bind by going into the Ubuntu
machine which is running apacheds using ldapmodify:
ldapmodify -H ldap://my_target_server:10389 -D "uid=admin,ou=system" -x -W
dn: ads-directoryServiceId=default,ou=config
changetype: modify
replace: ads-dsallowanonymousaccess
ads-dsallowanonymousaccess: FALSE
After restarting apacheds, I verified that I was not able to log in
anonymously by using this particular ldapsearch query:
ldapsearch -H ldap://my_target_server:10389 -x -b "dc=iam,dc=aws,dc=org"
Which resulted in the following output in stdout:
ldap_bind: Invalid credentials (49)
additional info: INVALID_CREDENTIALS: Bind failed: ERR_268 Cannot find a partition for
Now, when I issue the command for
getent group
Nothing from my target LDAP server returns!
Question(s):
1. Is my ldapmodify process the correct way to turn off / disable anonymous
binding?
2. How can I view my groups using getent group (from the client machine)
with anonymous binding turned off? Is there a way to specify the password
for the LDAP target server when issuing getent group?
My /etc/nsswitch.conf looks like this:
passwd: compat
group: compat
shadow: compat
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
When I enabled the anonymous access by setting the
ads-dsallowanonymousaccess: TRUE
I was able to view my LDAP groups by issuing:
getent group
Need to be able to turn off anonymous binding (and still view groups using
getent) without using the Apache Directory Studio application.
Thank you for taking the time to read this.
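
Added example, not part of the original post: a small client-side check for the failure described above. It reports whether NSS lookups for a database such as group go to LDAP at all and, if so, whether they would bind anonymously. It assumes the client uses libnss-ldap with an nss_ldap-style ldap.conf, where binddn and bindpw set the lookup credentials; the account uid=nss-reader,ou=system and the password CHANGE_ME are hypothetical placeholders.

```python
import re

# First three lines of the posted nsswitch.conf; the other inputs are constructed.
POSTED_NSSWITCH = "passwd: compat\ngroup: compat\nshadow: compat\n"
LDAP_NSSWITCH = "passwd: compat ldap\ngroup: compat ldap  # constructed\n"
ANON_CONF = "base dc=iam,dc=aws,dc=org\nuri ldap://my_target_server:10389\n"
# Hypothetical read-only lookup account and placeholder password.
AUTH_CONF = ANON_CONF + "binddn uid=nss-reader,ou=system\nbindpw CHANGE_ME\n"


def sources(nsswitch_text, database):
    """Return the lookup sources nsswitch.conf lists for one database."""
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith(database + ":"):
            # Drop action items such as [NOTFOUND=return].
            rest = re.sub(r"\[[^\]]*\]", " ", line.split(":", 1)[1])
            return rest.split()
    return []


def directives(conf_text):
    """Parse 'key value' lines; only whole-line '#' comments are skipped."""
    out = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            parts = line.split(None, 1)
            out[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return out


def diagnose(nsswitch_text, ldap_conf_text, database="group"):
    """Classify how getent for this database would reach the directory."""
    if "ldap" not in sources(nsswitch_text, database):
        return "no-ldap-source"      # getent never asks LDAP
    conf = directives(ldap_conf_text)
    if conf.get("binddn") and conf.get("bindpw"):
        return "authenticated-bind"  # works with anonymous access off
    return "anonymous-bind"          # rejected once anonymous access is FALSE


if __name__ == "__main__":
    print(diagnose(POSTED_NSSWITCH, ANON_CONF))
    print(diagnose(LDAP_NSSWITCH, ANON_CONF))
    print(diagnose(LDAP_NSSWITCH, AUTH_CONF))
```

Under the same assumption, the file holding bindpw is read by every process that performs lookups, so the bind account should have read-only access limited to the entries NSS needs.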