Posted to users@directory.apache.org by James Dekker <ja...@gmail.com> on 2015/10/30 00:57:41 UTC

Disabling anonymous bind on ApacheDS LDAP causes getent group not to work

I am new to ApacheDS; I am using apacheds-2.0.0-M17.

I followed the instructions on this page to set up an Ubuntu 14.04 LTS machine as an LDAP
client:

https://help.ubuntu.com/community/LDAPClientAuthentication

Was able to view groups by issuing the following command:

    getent group

I then disabled anonymous bind on the Ubuntu machine that is running apacheds, using
ldapmodify:

    ldapmodify -H ldap://my_target_server:10389 -D "uid=admin,ou=system" -x -W

    dn: ads-directoryServiceId=default,ou=config
    changetype: modify
    replace: ads-dsallowanonymousaccess
    ads-dsallowanonymousaccess: FALSE

After restarting apacheds, I verified that I was not able to login
anonymously by using this particular ldapsearch query:

    ldapsearch -H ldap://my_target_server:10389 -x -b "dc=iam,dc=aws,dc=org"

Which resulted in the following output in stdout:

     ldap_bind: Invalid credentials (49)
          additional info: INVALID_CREDENTIALS: Bind failed: ERR_268 Cannot find a partition for

Now, when I issue the command

    getent group

Nothing from my target LDAP server returns!

Question(s):

1. Is my ldapmodify process the correct way to turn off / disable anonymous
binding?

2. How can I view my groups using getent group (from the client machine)
with anonymous binding turned off? Is there a way to specify the password
for the LDAP target server when issuing getent group?

My /etc/nsswitch.conf looks like this:

    passwd:         compat
    group:          compat
    shadow:         compat

    hosts:          files dns
    networks:       files

    protocols:      db files
    services:       db files
    ethers:         db files
    rpc:            db files

    netgroup:       nis

When I enabled anonymous access again by setting

    ads-dsallowanonymousaccess: TRUE

I was able to view my LDAP groups by issuing:

    getent group

I need to be able to turn off anonymous binding (and still view groups using
getent) without using the Apache Directory Studio application.

Thank you for taking the time to read this.
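The following script is an added example and is not part of the original post, nor code from ApacheDS or Ubuntu. It covers both questions: the LDIF that toggles ads-dsAllowAnonymousAccess (the attribute name is case-insensitive, so the lowercase spelling in the post is equivalent), and the fact that getent(1) has no password option at all: the NSS LDAP module must bind with its own identity, which is configured in /etc/nslcd.conf (libnss-ldapd) or /etc/ldap.conf (the older libnss-ldap) with binddn/bindpw. It also adds the check a practitioner wants after the change: anonymous bind refused, the NSS bind account able to read posixGroup entries, and every LDAP group visible through getent. The bind DN, the password file path and the sample LDIF are assumptions constructed for the example; nslcd as the NSS backend is also an assumption. Live checks run only with LDAP_CHECK_LIVE=1, everything else works offline.

```shell
#!/usr/bin/env bash
# Added example (not from the original post, ApacheDS or Ubuntu docs).
# Assumptions: ApacheDS at $LDAP_URI with the default admin DN; nslcd (libnss-ldapd)
# as the client's NSS LDAP backend; a dedicated read-only bind account $BIND_DN for
# NSS. BIND_DN and BIND_PW_FILE are hypothetical. Live checks need LDAP_CHECK_LIVE=1.
set -o pipefail

LDAP_URI="${LDAP_URI:-ldap://my_target_server:10389}"
BASE_DN="${BASE_DN:-dc=iam,dc=aws,dc=org}"
ADMIN_DN="uid=admin,ou=system"
BIND_DN="${BIND_DN:-uid=nss-reader,ou=users,dc=iam,dc=aws,dc=org}"   # hypothetical account
BIND_PW_FILE="${BIND_PW_FILE:-/etc/nslcd.bindpw}"                      # hypothetical path, mode 0600

# 1. LDIF that toggles anonymous access in the ApacheDS config partition.
#    Apply with the admin account and restart ApacheDS, as in the post:
#      anon_access_ldif FALSE | ldapmodify -H "$LDAP_URI" -x -D "$ADMIN_DN" -W
anon_access_ldif() {
  case "$1" in
    TRUE|FALSE) ;;
    *) echo "usage: anon_access_ldif TRUE|FALSE" >&2; return 2 ;;
  esac
  printf '%s\n' \
    'dn: ads-directoryServiceId=default,ou=config' \
    'changetype: modify' \
    'replace: ads-dsAllowAnonymousAccess' \
    "ads-dsAllowAnonymousAccess: $1"
}

# 2. getent cannot take a password; the NSS module binds with these settings.
#    Append to /etc/nslcd.conf (libnss-ldap's /etc/ldap.conf uses the same option
#    names), keep the file readable only by root and the nslcd user, restart nslcd.
nslcd_bind_config() {
  printf '%s\n' "uri $LDAP_URI" "base $BASE_DN" "binddn $BIND_DN" "bindpw $1"
}

# 3. Convert `ldapsearch -LLL ... (objectClass=posixGroup)` output into getent(1)
#    group lines (name:*:gid:member,member) so the LDAP and NSS views can be diffed.
#    Assumes short attribute values (no LDIF line folding or base64 encoding).
ldif_to_group_lines() {
  awk '
    function flush() {
      if (cn != "" && gid != "") printf "%s:*:%s:%s\n", cn, gid, members
      cn = ""; gid = ""; members = ""
    }
    /^cn: /        { cn = substr($0, 5) }
    /^gidNumber: / { gid = substr($0, 12) }
    /^memberUid: / { members = (members == "" ? "" : members ",") substr($0, 12) }
    /^$/           { flush() }
    END            { flush() }
  '
}

# Group names present in the LDAP view ($1) but absent from the getent view ($2).
# FILENAME is used instead of NR==FNR so an empty getent file (the post's symptom)
# still reports every LDAP group as missing.
missing_groups() {
  awk -F: 'FILENAME == ARGV[1] { seen[$1] = 1; next } !($1 in seen) { print $1 }' "$2" "$1"
}

# Constructed sample of what ldapsearch returns for two posixGroup entries.
SAMPLE_LDIF='dn: cn=developers,ou=groups,dc=iam,dc=aws,dc=org
objectClass: posixGroup
cn: developers
gidNumber: 10001
memberUid: alice
memberUid: bob

dn: cn=ops,ou=groups,dc=iam,dc=aws,dc=org
objectClass: posixGroup
cn: ops
gidNumber: 10002'

sample_group_lines() { printf '%s\n' "$SAMPLE_LDIF" | ldif_to_group_lines; }

# Live verification against the real server and the real NSS configuration.
live_check() {
  expected=$(mktemp); actual=$(mktemp)
  # The NSS account must be able to read groups (this also proves the server is reachable).
  ldapsearch -LLL -H "$LDAP_URI" -x -D "$BIND_DN" -y "$BIND_PW_FILE" -b "$BASE_DN" \
      '(objectClass=posixGroup)' cn gidNumber memberUid | ldif_to_group_lines > "$expected" \
    || { echo "FAIL: authenticated search as $BIND_DN failed" >&2; return 1; }
  # Anonymous simple bind must now be refused (ApacheDS answered rc 49 in the post).
  if ldapsearch -H "$LDAP_URI" -x -b "$BASE_DN" -s base >/dev/null 2>&1; then
    echo "FAIL: anonymous bind is still accepted" >&2; return 1
  fi
  getent group > "$actual"
  missing=$(missing_groups "$expected" "$actual")
  count=$(wc -l < "$expected")
  rm -f "$expected" "$actual"
  if [ -n "$missing" ]; then
    echo "FAIL: groups in LDAP but not via getent (check binddn/bindpw in nslcd.conf):" >&2
    echo "$missing" >&2; return 1
  fi
  echo "OK: anonymous bind refused, $count LDAP groups visible through getent"
}

if [ "${LDAP_CHECK_LIVE:-0}" = 1 ]; then
  live_check
fi
```

The order of the live checks matters: the authenticated search runs first so that an unreachable server is reported as a failure rather than mistaken for a refused anonymous bind. Once nslcd binds with credentials, the password sits in a file on every client, which is why a dedicated read-only account is used instead of uid=admin,ou=system.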