directory-users mailing list archives

From Emmanuel Lécharny <>
Subject Re: Auditing if anonymous LDAP connections are being made
Date Fri, 13 Jun 2014 16:09:20 GMT
On 13/06/2014 17:34, Tou-Soua Heu wrote:
> I will raise a request.
> The business case is for secure environments, like at a financial institution (e.g. Bank
> of America) or government agency (e.g. Department of Defense), where all LDAP connections must be
> authenticated (meaning no anonymous connection allowed). Currently we have no method to prove
> that ApacheDS meets this requirement: the fact that we unchecked "Allow Anonymous Access" in
> the configuration setting isn't sufficient to prove compliance. We need to demonstrate this
> is actually happening, and one way is via either a server status about the identity of current
> connections or logging of identity connections.

The log should tell you when someone attempts to authenticate using an
anonymous bind. Anonymous authentications are handled by the
AnonymousAuthenticator class, which produces a message when such an
attempt is not allowed:

   "Cannot authenticate as anonymous, the server does not allow it"

Adding some info log on:

should be enough to get such traces.

FTR, I just added some more log for "positive" anonymous binds (i.e. when
it's enabled and an anonymous bind is done, you'll have the same log).

Does it fit your needs? Can you tell me if you get the logs I described
on your server after having changed the log config?

Thanks !

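Turning those traces into audit evidence: an added example, not code from ApacheDS or from either poster, that scans log lines for AnonymousAuthenticator events, counts the refusals quoted above and flags anything else from that logger for review. The log line layout, the logger's package name and the sample lines are assumptions constructed for the example.

```python
"""Audit ApacheDS log lines for anonymous bind attempts (added example)."""
import re
from collections import Counter

# Message the AnonymousAuthenticator emits when an anonymous bind is refused (quoted in the thread).
REJECTED_MSG = "Cannot authenticate as anonymous, the server does not allow it"

# Assumed log4j-style layout "<date> <time> [<LEVEL>] <logger> - <message>";
# adjust to the ConversionPattern your appender actually uses.
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) \[(?P<level>[A-Z]+)\] (?P<logger>\S+) - (?P<msg>.*)$")


def audit_anonymous_binds(lines):
    """Summarise anonymous-bind events found in an iterable of log lines.

    verdict is "confirmed" when every anonymous attempt was refused,
    "violated" when the authenticator logged anything else (possibly an
    accepted anonymous bind), and "no_evidence" when no attempt was seen at
    all, since an empty log proves nothing about the setting.
    """
    counts = Counter()
    needs_review = []
    for line in lines:
        m = LINE_RE.match(line)
        # Only the AnonymousAuthenticator logger is relevant; package name may vary.
        if not m or not m.group("logger").endswith("AnonymousAuthenticator"):
            continue
        counts["events"] += 1
        if m.group("msg").strip() == REJECTED_MSG:
            counts["rejected"] += 1
        else:
            counts["other"] += 1
            needs_review.append(m.group("ts") + " " + m.group("msg"))
    if counts["events"] == 0:
        verdict = "no_evidence"
    elif counts["other"] == 0:
        verdict = "confirmed"
    else:
        verdict = "violated"
    return {"events": counts["events"], "rejected": counts["rejected"],
            "other": counts["other"], "needs_review": needs_review, "verdict": verdict}


# Constructed sample lines; logger package and the last message are made up for illustration.
SAMPLE_LOG = [
    "2014-06-13 16:09:20,101 [INFO] com.example.audit.Filler - constructed unrelated line",
    "2014-06-13 16:09:21,305 [INFO] org.apache.directory.server.core.authn.AnonymousAuthenticator - " + REJECTED_MSG,
    "2014-06-13 16:09:22,417 [INFO] com.example.audit.Filler - constructed unrelated line",
    "2014-06-13 16:09:23,002 [INFO] org.apache.directory.server.core.authn.AnonymousAuthenticator - " + REJECTED_MSG,
    "2014-06-13 16:09:24,560 [INFO] org.apache.directory.server.core.authn.AnonymousAuthenticator - (constructed) anonymous bind processed",
]

if __name__ == "__main__":
    print(audit_anonymous_binds(SAMPLE_LOG))
```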