Troubleshooting
Problem
Most often a security scan identifies the vulnerability that the IBM i hosted LDAP server allows anonymous bind. To secure LDAP records, the ability to query the server anonymously must be disabled.
Symptom
Security exposure allowing anonymous access to LDAP records
Cause
LDAP server allows anonymous access to data
Resolving The Problem
Beginning with the V6R1 release, IBM Tivoli Directory Server for i5/OS (LDAP) supports multiple instances. The default instance is named QUSRDIR. If additional instances have been created, each instance must be modified individually to disable anonymous bind.
Disabling anonymous bind requires an update to the configuration file of each instance. The example below shows how to make this change on the default QUSRDIR instance. For an instance with a different name, or for each of several instances, substitute that instance's name in the path shown to reach its configuration file. The configuration file can be opened from a 5250 command line with the following command:
wrklnk '/qibm/userdata/os400/DirSrv/idsslapd-QUSRDIR/etc/ibmslapd.conf'
Specify option 2 (Edit) next to the ibmslapd.conf file to open it in edit mode.
Page down to find the attribute: ibm-slapdAllowAnon: TRUE
Change TRUE to FALSE (the attribute will now read: ibm-slapdAllowAnon: FALSE)
Press F2 to save the change, then F3 to exit the file.
End and restart the LDAP instance to pick up the change; the running server does not re-read ibmslapd.conf until it is restarted.
Anonymous bind and queries will no longer be allowed. Any client that relied on anonymous lookups (address-book searches, for example) must now bind with credentials, so check for such dependencies before repeating the change on every instance.
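As an added example that is not part of this technote, the following POSIX shell script (for IBM i PASE, or any Unix when run against a copied tree) walks every idsslapd-* instance under /qibm/userdata/os400/DirSrv, reports each instance's ibm-slapdAllowAnon value, rewrites TRUE to FALSE with a timestamped backup, and offers a client-side check that an anonymous bind is now refused. The DIRSRV_ROOT variable, the function names, and the OpenLDAP ldapsearch flags used in verify_anon_refused are assumptions of this example; ending and restarting each changed instance is still done from the 5250 session as described above.

```shell
#!/bin/sh
# Added example, not part of the IBM technote. Audits and fixes
# ibm-slapdAllowAnon across every Directory Server instance.
# Assumes a POSIX shell (IBM i PASE, or any Unix against a copied tree).
# DIRSRV_ROOT may be overridden to point at such a copy (assumed variable).

DIRSRV_ROOT="${DIRSRV_ROOT:-/qibm/userdata/os400/DirSrv}"

# Instance name from a path .../idsslapd-<NAME>/etc/ibmslapd.conf
instance_of() {
    d=$(dirname "$(dirname "$1")"); d=${d##*/}
    printf '%s\n' "${d#idsslapd-}"
}

# Print "<instance> <value>" for every instance; UNSET means the attribute
# is absent from the file and the server default applies.
audit_allow_anon() {
    for conf in "$DIRSRV_ROOT"/idsslapd-*/etc/ibmslapd.conf; do
        [ -f "$conf" ] || continue
        val=$(sed -n 's/^ibm-slapdAllowAnon:[[:space:]]*\([^[:space:]]*\).*/\1/p' "$conf" | tail -n 1)
        printf '%s %s\n' "$(instance_of "$conf")" "${val:-UNSET}"
    done
}

# Set ibm-slapdAllowAnon to FALSE in one ibmslapd.conf, keeping a backup.
# Deliberately does not append the attribute when it is missing: it belongs
# in the server configuration entry of an LDIF-style file, not at the end.
# Returns 0 only if the file ends up with the attribute set to FALSE.
disable_allow_anon() {
    conf="$1"
    [ -f "$conf" ] || return 1
    if ! grep -q '^ibm-slapdAllowAnon:' "$conf"; then
        echo "$conf: ibm-slapdAllowAnon not present; add it by hand in the server configuration entry" >&2
        return 1
    fi
    cp -p "$conf" "$conf.$(date +%Y%m%d%H%M%S).bak" || return 1
    # Rewrite only the value, case-insensitively, leaving every other line intact.
    sed 's/^\(ibm-slapdAllowAnon:[[:space:]]*\)[Tt][Rr][Uu][Ee][[:space:]]*$/\1FALSE/' \
        "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf" || return 1
    grep -q '^ibm-slapdAllowAnon:[[:space:]]*FALSE[[:space:]]*$' "$conf"
}

# Apply the change to every instance; the restart itself is done from 5250.
fix_all_instances() {
    rc=0
    for conf in "$DIRSRV_ROOT"/idsslapd-*/etc/ibmslapd.conf; do
        [ -f "$conf" ] || continue
        if disable_allow_anon "$conf"; then
            echo "$(instance_of "$conf"): ibm-slapdAllowAnon is FALSE; end and restart this instance"
        else
            echo "$(instance_of "$conf"): NOT changed, review $conf" >&2
            rc=1
        fi
    done
    return $rc
}

# After the restart, confirm from a client that an anonymous bind is refused.
# Assumes OpenLDAP ldapsearch syntax (-x simple bind, no -D/-w = anonymous);
# IBM's own ldapsearch client uses different flags. A network failure also
# yields non-zero here, so read the error text before trusting "refused".
verify_anon_refused() {
    host="$1"
    if ldapsearch -x -H "ldap://$host" -b "" -s base '(objectclass=*)' >/dev/null 2>&1; then
        echo "$host: anonymous bind still accepted" >&2
        return 1
    fi
    echo "$host: anonymous bind refused (or server unreachable)"
}

case "${1:-}" in
    audit)  audit_allow_anon ;;
    fix)    fix_all_instances ;;
    verify) verify_anon_refused "$2" ;;
esac
```

Run it as `sh fixanon.sh audit` first to see which instances still say TRUE, then `sh fixanon.sh fix`, restart each instance that was changed, and finish with `sh fixanon.sh verify <host>` from a machine with an OpenLDAP client.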
The following PTFs disable LDAP anonymous bind:
Release 7.1 – SI60167
Release 7.2 – SI60166
Release 7.3 – SI59795
Document Information
Modified date:
18 December 2019
UID
nas8N1019824