How to DISABLE anonymous bind/access to LDAP? I've tried a few things in slapd.conf but it doesn't work.
You can use ipchains to restrict/firewall on the zimbra box.
It's open for browsing email address book.
Thanks. Unfortunately this is not an option because we want external AUTHORIZED NON-ANONYMOUS bind to still be available.
That is, we can't use the firewall ... is there not a way to change the config in slapd.conf or ldap.conf? It appears no one has figured this out yet, which is kind of odd.
Well, I also had this issue for a long time. I resorted to using a firewall to block outside access and pass internal IPs. I first wanted to assign another internal IP to the server so that local users can access it and block outsiders based on that. But OpenLDAP only listens on one IP and I couldn't figure out how to make it listen on other IPs as well. So I ended up doing a special routing for local IPs on the router plus the firewall to prevent connections from the Internet. Kind of messy, but works.
Kibo, I am sorry but I just said that firewall is not an option for me. I need external access (but authenticated access). If anyone has figured out how to modify the config files for ldap, please let me know.
As far as I know it's anonymous bind only at the moment. I'd suggest you search bugzilla for any relevant feature requests, if there isn't one then file an entry and vote on it.
Regards
Bill
OK, but does anyone have an explanation why and how this is the case? I mean OpenLDAP should be separate from zimbra itself and the config file should be modifiable (although I have had no luck).
No, it's not separate from Zimbra - it's part of the package that is Zimbra. It's there and anonymous so we can get at the details that Zimbra stores in it.
Did you vote for the bug in bugzilla? You can also add your comments to it as well.
Regards
Bill
OK, so you locked in anonymous LDAP somehow ... some trick. I will get to bugzilla eventually this week but I think it is pretty obvious that anonymous LDAP should be allowed to be disabled.
In your zimbra code, you are asking for data anonymously instead of binding with username and password ... that's just lazy code and has nothing to do with necessity.
And I have searched this forum and everybody's questions on this issue HAVE NOT BEEN ANSWERED OR EXPLAINED. And this has been going for who knows how many years. Finally we get to hear from someone that it is simply NOT POSSIBLE. The reason is still not divulged however except that it doesn't take a genius that it is LAZY CODE.
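A configuration audit for the question this thread asks, added here as an example and not written by any poster or by Zimbra: it reads slapd.conf text and reports whether stock OpenLDAP's `disallow bind_anon` and `require authc` directives (both documented in slapd.conf(5)) are set globally. The sample configs are constructed, the function names are hypothetical, and whether Zimbra's bundled slapd keeps working with these settings is not established by the thread.

```python
# Constructed sample slapd.conf text (not taken from the thread or from Zimbra).
SAMPLE_OPEN = """\
# global section
allow bind_v2 bind_anon_dn
database mdb
suffix "dc=example,dc=com"
access to *
    by * read
"""
SAMPLE_HARDENED = """\
disallow bind_anon
require authc
database mdb
suffix "dc=example,dc=com"
access to attrs=userPassword
    by anonymous auth
    by * none
"""

def logical_lines(text):
    """Drop comments/blank lines; join continuation lines (leading whitespace)."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out

def audit(text):
    """Return findings about anonymous access in slapd.conf text."""
    disallow, allow, require = set(), set(), set()
    in_global = True
    for line in logical_lines(text):
        key, *args = line.lower().split()
        if key in ("database", "backend"):
            in_global = False          # per-database 'require' is not evaluated here
        elif key == "disallow":
            disallow.update(args)
        elif key == "allow":
            allow.update(args)
        elif key == "require" and in_global:
            require.update(args)
    findings = []
    if "bind_anon" not in disallow:
        findings.append("anonymous bind accepted (no 'disallow bind_anon')")
    if not require & {"authc", "sasl", "strong"}:
        # disallow bind_anon alone does not stop operations sent without a bind
        findings.append("unauthenticated operations allowed (no global 'require authc')")
    findings += [f"'allow {f}' relaxes anonymous handling"
                 for f in ("bind_anon_cred", "bind_anon_dn", "update_anon") if f in allow]
    return findings
```

The hardened sample keeps `by anonymous auth` on `userPassword` because a simple bind needs that access in order to authenticate at all.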