Disable Anonymous Binds in IPA v3 (and enable them again)

Posted on Wed 13 January 2016 in Computing

I was not entirely happy with the documentation for this here:
While correct, it gives me no idea how to check the current configuration, how to turn anonymous binds back on again, or how to test my changes.

Here is my approach:

Check the current config with this LDAP query (there may be room for optimising this):

ldapsearch -x -u -h ipa.server -b cn=config "(cn=config)" \
  nsslapd-allow-anonymous-access  -W -D "cn=Directory Manager" 

That should yield:

...
nsslapd-allow-anonymous-access: on 

or

...
nsslapd-allow-anonymous-access: rootdse

I then created two simple LDIF files to enable and disable anonymous binds:

disable-anonymous-binds.ldif

# disable-anonymous-binds.ldif
# "rootdse" lets anonymous clients read only the root DSE; no trailing
# whitespace after the value, since in LDIF that would become part of it.
dn: cn=config
changetype: modify
replace: nsslapd-allow-anonymous-access
nsslapd-allow-anonymous-access: rootdse

enable-anonymous-binds.ldif

# enable-anonymous-binds.ldif
# "on" restores anonymous binds and searches; again no trailing whitespace.
dn: cn=config
changetype: modify
replace: nsslapd-allow-anonymous-access
nsslapd-allow-anonymous-access: on

Either can be applied with ldapmodify, naming the chosen file with -f (without -f, ldapmodify reads the LDIF from stdin rather than from a file argument):

ldapmodify -x -D "cn=Directory Manager" -W -h ipa.server \
  -f enable|disable-anonymous-binds.ldif

Re-running the ldapsearch above shows whether the value changed.
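The whole check / change / verify cycle, as an added example in POSIX sh that is not code from the original post. It assumes the server hostname is ipa.server (overridable through IPA_HOST), that the Directory Manager password is typed at the -W prompt, and that the caller supplies a base DN to probe anonymously; the function names, the SAMPLE_CONFIG_OUTPUT text and the "off" value (the third setting 389 Directory Server accepts, not used in the post) are mine:

```shell
# Added example, not code from the original post: the check / change / verify
# steps wrapped in sh functions. Assumed (not in the post): the server is
# reachable as $IPA_HOST (default ipa.server, as in the post) and the
# Directory Manager password is entered at the -W prompt.

IPA_HOST="${IPA_HOST:-ipa.server}"
BIND_DN="cn=Directory Manager"

# Constructed sample of ldapsearch -LLL output (not captured from a real
# server), used to exercise the parser without a directory server at hand.
SAMPLE_CONFIG_OUTPUT='dn: cn=config
nsslapd-allow-anonymous-access: rootdse
'

# Read LDIF text on stdin and print the current value of
# nsslapd-allow-anonymous-access (on, off or rootdse). Trailing whitespace,
# which ldapsearch sometimes leaves on the line, is dropped.
anon_access_value() {
    sed -n 's/^nsslapd-allow-anonymous-access:[[:space:]]*\([^[:space:]]*\).*/\1/p' | head -n 1
}

# Ask the live server for the setting; -LLL keeps the output to plain LDIF,
# -s base reads just the cn=config entry itself.
current_anon_access() {
    ldapsearch -x -LLL -h "$IPA_HOST" -D "$BIND_DN" -W \
        -b cn=config -s base "(objectClass=*)" nsslapd-allow-anonymous-access \
        | anon_access_value
}

# Print the modify LDIF for the wanted state: "on" re-enables anonymous
# binds, "rootdse" limits anonymous clients to the root DSE (what the post's
# disable file does), "off" refuses anonymous binds outright. Anything else
# is rejected before it reaches the server. The value is written with no
# trailing whitespace, since in LDIF that whitespace is part of the value.
anon_access_ldif() {
    case "$1" in
        on|off|rootdse) ;;
        *) echo "usage: anon_access_ldif on|off|rootdse" >&2; return 1 ;;
    esac
    printf 'dn: cn=config\nchangetype: modify\nreplace: nsslapd-allow-anonymous-access\nnsslapd-allow-anonymous-access: %s\n' "$1"
}

# Apply the change with the post's ldapmodify invocation, reading the LDIF
# from a temporary file named with -f.
set_anon_access() {
    tmp=$(mktemp) || return 1
    anon_access_ldif "$1" > "$tmp" || { rm -f "$tmp"; return 1; }
    ldapmodify -x -h "$IPA_HOST" -D "$BIND_DN" -W -f "$tmp"
    status=$?
    rm -f "$tmp"
    return $status
}

# Client-side verification: an anonymous search (no -D/-W) of the entry at
# base DN $1. Returns 0 if the server answered it, non-zero if it refused, so
# after "rootdse" this should fail and after "on" it should succeed again.
anon_search_allowed() {
    ldapsearch -x -LLL -h "$IPA_HOST" -b "$1" -s base "(objectClass=*)" dn >/dev/null 2>&1
}

# Report the configured setting, then probe it from an anonymous client.
report_anon_access() {
    echo "nsslapd-allow-anonymous-access: $(current_anon_access)"
    if anon_search_allowed "$1"; then
        echo "anonymous search of $1: allowed"
    else
        echo "anonymous search of $1: refused"
    fi
}

# Run the report when a base DN is given on the command line, e.g.
#   sh anon-binds.sh "cn=users,cn=accounts,dc=example,dc=com"
# With no argument only the functions are defined, so the file can be sourced.
if [ $# -gt 0 ]; then
    report_anon_access "$1"
fi
```

Two caveats when running this against a real server: `-x` is a simple bind, so the Directory Manager password crosses the wire in the clear unless the connection is protected (add `-ZZ` for STARTTLS, or point at `ldaps://` with `-H`), and OpenLDAP 2.5 and later client tools dropped `-h`, so on those hosts replace `-h ipa.server` with `-H ldap://ipa.server` in both ldapsearch and ldapmodify.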