Does anyone know how to stop an anonymous bind from accessing NDS?

15 May 2000


Q.

Dear Ab-end: Does anyone know how to stop an anonymous bind from accessing NDS? From what I understand, the proxy user rights should apply. But the only way I can get "no information" is to remove Public's rights. Is this correct?

--Anxious in Ann Arbor

A.

Dear Anxious: This is a problem in the current version of NDS, but it should be fixed in a future release of NDS eDirectory. In the meantime, you have to constrain Public access very tightly with Public Access Rights. Here is a note from the LDAP engineering team at Novell to further illuminate this problem.

"Changes were incorporated in the coming release of Directory Services that will tighten up the application of Access Rights. Public Compare rights on attributes must be granted in order for these objects to be seen by a user with an anonymous LDAP connection. For example, if the Netscape address book is used to access the directory, only user objects that have Public Compare rights granted to them on all attributes in the LDAP search filter will be returned.

"By default, the upcoming release of NDS 8 ships without Public Compare rights granted. Thus, if the administrator doesn't explicitly grant Public Compare rights to the attributes of user objects, the LDAP applications will not be able to see any users. Previous versions of NDS 8 did not use these tight controls. Thus, anonymous LDAP queries returned all matching users by default.

"The following steps will allow you to grant only Public Compare rights in ConsoleOne.

  1. Invoke ConsoleOne and select the tree you are interested in.

  2. Right-click on the tree and select Properties. The "Properties of <Treename>" window will appear.

  3. Select Public from the list in the "Trustees of this Object" page under the "NDS Rights" tab.

  4. Click the Assigned Rights button to bring up the "Rights Assigned to Public" window.

  5. Click the Add Property button.

  6. Select [All Attribute Rights] from the list.

  7. Click OK to return to the "Rights Assigned To Public" window.

  8. Make sure that only the Compare right is checked in the right-hand box when [All Attribute Rights] is selected from the list on the left side of the window. By default, both the Read and Compare rights are checked. If you leave Read rights checked, anyone who comes in on an anonymous LDAP connection can read any piece of data in your directory. Take this out. Once you are satisfied with your rights selection, click OK to return to the "Properties of <Treename>" window.

  9. Click Apply or OK to apply the newly selected rights.

"A network administrator may want to further control the attributes that can be checked using a public connection. If you desire further control, follow the above procedure to explicitly grant Compare rights only to the attributes you want the Public object to have rights on, instead of selecting All Attribute Rights. Be sure to grant Compare rights to all of the attributes that are used in LDAP search filters from your application. For example, the Netscape address book will require Compare rights on CN (Common Name) and mail attributes. Outlook Express may require rights on other attributes."
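To make the Read-versus-Compare distinction concrete, here is an added Python model (not Novell code, and not how NDS is implemented internally) of how the Public trustee's attribute rights decide what an anonymous LDAP search gets back. The directory contents, the filter grammar (equality, presence and AND only) and the rule that an explicit per-attribute assignment overrides [All Attribute Rights] are simplifying assumptions of this model.

```python
import re

READ, COMPARE = "Read", "Compare"

# Constructed sample directory: two user objects with a few attributes.
DIRECTORY = {
    "cn=alice,o=acme": {"cn": "alice", "mail": "alice@example.com", "title": "Engineer"},
    "cn=bob,o=acme":   {"cn": "bob",   "mail": "bob@example.com",   "title": "Manager"},
}


def parse_filter(flt):
    """Return (attribute, value) terms of a simple LDAP filter; "*" means presence."""
    flt = flt.strip()
    if flt.startswith("(&"):  # AND of simple terms, e.g. (&(cn=alice)(mail=*))
        return [t for part in re.findall(r"\([^()]*\)", flt[2:-1]) for t in parse_filter(part)]
    m = re.fullmatch(r"\(([\w-]+)=(.*)\)", flt)
    if not m:
        raise ValueError(f"unsupported filter: {flt}")
    return [(m.group(1).lower(), m.group(2))]


def public_rights_for(rights, attr):
    """Rights [Public] holds on attr (assumption: an explicit entry wins over [All Attribute Rights])."""
    return rights.get(attr, rights.get("[All Attribute Rights]", set()))


def anonymous_search(rights, flt, requested):
    """Evaluate an anonymous search under the given Public rights.

    An object is returned only if Public holds Compare on every attribute in the
    filter; attribute values are returned only where Public also holds Read.
    """
    terms = parse_filter(flt)
    results = {}
    for dn, attrs in DIRECTORY.items():
        can_compare = all(COMPARE in public_rights_for(rights, a) for a, _ in terms)
        matches = all(a in attrs and (v == "*" or attrs[a] == v) for a, v in terms)
        if can_compare and matches:
            results[dn] = {a: attrs[a] for a in requested
                           if a in attrs and READ in public_rights_for(rights, a)}
    return results


if __name__ == "__main__":
    for label, rights in [("Read+Compare (old default)", {"[All Attribute Rights]": {READ, COMPARE}}),
                          ("Compare only (steps above)", {"[All Attribute Rights]": {COMPARE}}),
                          ("nothing granted", {})]:
        print(label, "->", anonymous_search(rights, "(cn=*)", ["cn", "mail"]))
```

With Compare only, the address book can still find users by filter but gets no attribute values back; with nothing granted the anonymous connection sees no users at all.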

* Originally published in Novell AppNotes
