How can we constrain or prevent CA LDAP Server Anonymous Directory Access(null base requests)?

Document ID : KB000071661
Last Modified Date : 22/02/2018
Show Technical Document Details
Question:
Hello CA ACF2 LDAP support! We received a preliminary audit report that indicates LDAP Anonymous Directory Access Permitted (ldap-anonymous-directory-access) on our CA ACF2 LDAP Server. Limited testing indicated that anonymous logging is allowed and the user can list the Shema information as well as Fetch DNs while other LDAP servers like MS AD did not allow any anonymous connection. We didn't find any settings on the documentation on how to prevent anonymous connections. Can you please help us clarify if there is such option and how to implement it?
Answer:
To constrain or prevent CA LDAP Server Anonymous Directory Access(null base requests) the following can be done. If it is the DN on a bind operation, then the server can be set up via the slapd.conf to not allow anonymous binds.

To disable the acceptance of anonymous binds in the LDAP server you can add following line to the slapd.conf file before the 'database config' line:

disallow bind_anon

Details can be found in the CA LDAP Server documentation in Section: 'Customize the Slapd Configuration File' Sub-section: 'Global Options'. .