7:09 p.m.
Hi everyone
I am trying on a development host to Disabling Anonymous Binds.
I have ran the following command but it hangs and does not return a prompt.
$ ldapmodify -x -D "cn=Directory Manager" -W -h 127.0.0.1 -p 389 -ZZ
Enter LDAP Password:
dn: cn=config
changetype: modify
replace: nsslapd-allow-anonymous-access
nsslapd-allow-anonymous-access: rootdse
Following instructions from:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/...
ipa --version: VERSION: 4.10.1, API_VERSION: 2.251
Red Hat Enterprise Linux" VERSION="9.2
Please, any advice?
Many thanks
Marcelo
3:14 a.m.
New subject: Disabling Anonymous Binds - Hangs on Request - No Return to Prompt
Hi,
On Wed, Sep 27, 2023 at 2:10 AM Marcelo Carvalho via FreeIPA-users <
freeipa-users(a)lists.fedorahosted.org> wrote:
Hi everyone
I am trying on a development host to Disabling Anonymous Binds.
I have ran the following command but it hangs and does not return a prompt.
$ ldapmodify -x -D "cn=Directory Manager" -W -h 127.0.0.1 -p 389 -ZZ
Enter LDAP Password:
dn: cn=config
changetype: modify
replace: nsslapd-allow-anonymous-access
nsslapd-allow-anonymous-access: rootdse
ldapmodify waits for an empty line before it actually sends the operation
to the LDAP server. You need to type a carriage return at the end of the
line containing "rootdse", then another carriage return, and you should see
the command result. Then you can type CTRL-D to exit the ldapmodify command.
HTH,
flo
Following instructions from:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/...
ipa --version: VERSION: 4.10.1, API_VERSION: 2.251
Red Hat Enterprise Linux" VERSION="9.2
Please, any advice?
Many thanks
Marcelo
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
10:02 a.m.
New subject: Disabling Anonymous Binds - Hangs on Request - No Return to Prompt
Hi Florence
Thank you so much.
Questions:
1) How do we "type a carriage return at the end?"
2) Will just a "\n" suffice, or do we need a "control character?"
3) If "control character" is needed how do e embed it on our copy-n-paste?
Hitting return for that new line does not work.
Please advise.
Many thanks.
Marcelo
10:21 a.m.
New subject: Disabling Anonymous Binds - Hangs on Request - No Return to Prompt
Marcelo Carvalho via FreeIPA-users wrote:
Hi Florence
Thank you so much.
Questions:
1) How do we "type a carriage return at the end?"
2) Will just a "\n" suffice, or do we need a "control character?"
3) If "control character" is needed how do e embed it on our copy-n-paste?
Hitting return for that new line does not work.
You just need an empty line to tell ldapmodify that the current mod
request is complete. You can alternatively put this into a file and pass
it in that way. EOF is treated as the end as well.
rob
10:58 a.m.
New subject: Disabling Anonymous Binds - Hangs on Request - No Return to Prompt
And if you want to have Ansible do it (setting either ‘off’ or ‘rootdse’ as the value)
I’ve used this
- name: Disable FreeIPA anonymous LDAP access
community.general.ldap_attrs:
dn: cn=config
attributes:
nsslapd-allow-anonymous-access: 'off'
server_uri: ldaps://localhost
validate_certs: false
bind_dn: cn=Directory Manager
bind_pw: '{{ freeipa_directory_manager_password }}'
On Sep 27, 2023, at 11:21 AM, Rob Crittenden via FreeIPA-users
<freeipa-users(a)lists.fedorahosted.org> wrote:
Marcelo Carvalho via FreeIPA-users wrote:
> Hi Florence
>
> Thank you so much.
>
> Questions:
>
> 1) How do we "type a carriage return at the end?"
> 2) Will just a "\n" suffice, or do we need a "control
character?"
> 3) If "control character" is needed how do e embed it on our copy-n-paste?
Hitting return for that new line does not work.
>
You just need an empty line to tell ldapmodify that the current mod
request is complete. You can alternatively put this into a file and pass
it in that way. EOF is treated as the end as well.
rob
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
2:20 p.m.
New subject: Disabling Anonymous Binds - Hangs on Request - No Return to Prompt
Thank you so much Andrew.
Question: Does "freeipa_directory_manager_password" go in the clear?
_M
3 p.m.
New subject: Disabling Anonymous Binds - Hangs on Request - No Return to Prompt
The password can be stored in Ansible Vault, prompted for, or whatever preferred Ansible
secret management strategy you employ.
I run it from the FreeIPA nodes, so it’s over an encrypted SSH session and then done via
the loopback. It’s also using “ldaps” not “ldap,” so even a privileged used sniffing on
the loopback wouldn’t see it (although a privileged user would have a hundred other ways
to potentially gain access).
On Sep 27, 2023, at 3:20 PM, Marcelo Carvalho via FreeIPA-users
<freeipa-users(a)lists.fedorahosted.org> wrote:
Thank you so much Andrew.
Question: Does "freeipa_directory_manager_password" go in the clear?
_M
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
3:50 p.m.
New subject: Disabling Anonymous Binds - Hangs on Request - No Return to Prompt
Thanks Andrew.
I will dig into me Ansible options.
Many thanks
_M
11:32 p.m.
New subject: Disabling Anonymous Binds - Hangs on Request - No Return to Prompt
On 27/09/2023 22.00, Andrew Imeson via FreeIPA-users wrote:
The password can be stored in Ansible Vault, prompted for, or
whatever preferred Ansible secret management strategy you employ.
I run it from the FreeIPA nodes, so it’s over an encrypted SSH session and then done via
the loopback. It’s also using “ldaps” not “ldap,” so even a privileged used sniffing on
the loopback wouldn’t see it (although a privileged user would have a hundred other ways
to potentially gain access).
It may be easier to use ipa-ldap-updater as root. The command uses LDAP
over Unix sockets for secure communication and authentication. You don't
have to pass any additional options like shost, port, or password. The
update syntax is based on LDIF, but shorter and IMO easier to read.
Create a file "rootdse.update" with content:
dn: cn=config
only: nsslapd-allow-anonymous-access: rootdse
then run "ipa-ldap-updater rootdse.update" on every IPA server. Changes
to cn=config are not replicated.
Christian
--
Christian Heimes
Principal Software Engineer, Identity Management and Platform Security
Red Hat GmbH, https://de.redhat.com/ , Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Brian Klemm, Laurie Krebs, Michael
O'Neill
1:40 a.m.
New subject: Disabling Anonymous Binds - Hangs on Request - No Return to Prompt
On Чцв, 28 вер 2023, Christian Heimes via FreeIPA-users wrote:
On 27/09/2023 22.00, Andrew Imeson via FreeIPA-users wrote:
>The password can be stored in Ansible Vault, prompted for, or whatever preferred
Ansible secret management strategy you employ.
>
>I run it from the FreeIPA nodes, so it’s over an encrypted SSH session and then done
via the loopback. It’s also using “ldaps” not “ldap,” so even a privileged used sniffing
on the loopback wouldn’t see it (although a privileged user would have a hundred other
ways to potentially gain access).
It may be easier to use ipa-ldap-updater as root. The command uses
LDAP over Unix sockets for secure communication and authentication.
You don't have to pass any additional options like shost, port, or
password. The update syntax is based on LDIF, but shorter and IMO
easier to read.
Create a file "rootdse.update" with content:
dn: cn=config
only: nsslapd-allow-anonymous-access: rootdse
then run "ipa-ldap-updater rootdse.update" on every IPA server.
Changes to cn=config are not replicated.
You don't even need that. Just use 'dsconf' utility provided by 389-ds,
as root.
[root@id ~]# dsconf IPA-TEST config get nsslapd-allow-anonymous-access
nsslapd-allow-anonymous-access: on
[root@id ~]# dsconf IPA-TEST config replace nsslapd-allow-anonymous-access=off
Successfully replaced "nsslapd-allow-anonymous-access"
[root@id ~]# dsconf IPA-TEST config get nsslapd-allow-anonymous-access
nsslapd-allow-anonymous-access: off
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
2:21 p.m.
New subject: Disabling Anonymous Binds - Hangs on Request - No Return to Prompt
Thank you Rob.
It worked perfectly. All done.
Many thanks
Marcelo
263
days inactive
264
days old
freeipa-users@lists.fedorahosted.org
10 comments
6 participants
participants (6)
-
Alexander Bokovoy -
Andrew Imeson -
Christian Heimes -
Florence Blanc-Renaud -
Marcelo Carvalho -
Rob Crittenden