Update: I followed this tutorial and it seems to be working now https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/disabling-anon-binds

    [root@-freeipa /]# ldapmodify -x -D "cn=Directory Manager" -W -H ldap://10.0.0.9:389
    Enter LDAP Password:
    dn: cn=config
    changetype: modify
    replace: nsslapd-allow-anonymous-access
    nsslapd-allow-anonymous-access: rootdse

    modifying entry "cn=config"

    [root@-freeipa /]# ipactl restart
    Restarting Directory Service
    Restarting krb5kdc Service
    Restarting kadmin Service
    Restarting httpd Service
    Restarting ipa-custodia Service
    Restarting pki-tomcatd Service
    Restarting ipa-otpd Service
    ipa: INFO: The ipactl command was successful

    [root@-freeipa /]# ldapsearch -x -b "dc=example,dc=com" -H ldap://10.0.0.9:389 "(objectClass=*)"
    # extended LDIF
    #
    # LDAPv3
    # base <dc=example,dc=com> with scope subtree
    # filter: (objectClass=*)
    # requesting: ALL
    #

    # search result
    search: 2
    result: 48 Inappropriate authentication
    text: Anonymous access is not allowed.

On Wed, Sep 27, 2023 at 1:30 PM Duarte Petiz <[email protected]> wrote:

> Hey everyone!
> I have been using freeipa for 2 months.
> Now I asked for an internal pentest and the pentesters found this:
> Without authentication they can obtain information about our freeipa (that
> uses ldap as backend as you know).
>
> ldapsearch -x -b "dc=example,dc=com" -H ldap://10.0.0.9:389 "(objectClass=*)"
>
> Is there any way to protect it? How can I achieve that?
>
> --
> *Kind Regards*
>
> *Duarte Petiz*
> *DevOps Team Lead *| jscrambler.com

--
*Kind Regards*

*Duarte Petiz*
*DevOps Team Lead *| jscrambler.com
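
A way to re-check the setting after a change like the one above, as an added example that is not part of the original post: it classifies ldapsearch output and probes both the directory tree and the root DSE, which stays readable anonymously when nsslapd-allow-anonymous-access is set to rootdse. The function names and the sample outputs are constructed for illustration; SAMPLE_DENIED mirrors the result shown in the message.

```shell
#!/bin/sh
# Added example: classify the outcome of an anonymous ldapsearch.

# Reads ldapsearch output on stdin and prints one verdict:
#   denied   server refused the anonymous search (LDAP result 48)
#   exposed  search succeeded and returned at least one entry
#   empty    search succeeded but returned no entries
#   error:N  any other LDAP result code
#   unknown  no "result:" line at all (for example, connection failure)
classify_anon_result() {
    awk '
        /^dn:/      { entries++ }            # matches "dn:" and base64 "dn::"
        /^result: / { code = $2; seen = 1 }
        END {
            if (!seen)            print "unknown"
            else if (code == 48)  print "denied"
            else if (code == 0)   print (entries > 0 ? "exposed" : "empty")
            else                  print "error:" code
        }'
}

# Hypothetical helper: run both anonymous probes against a server.
# Needs network access and the OpenLDAP client tools. Do not pass -LLL,
# because the parser relies on the "result:" line of the default output.
# Expected with the rootdse setting: tree=denied rootdse=exposed
check_anon() (
    uri=$1
    base=$2
    tree=$(ldapsearch -x -H "$uri" -b "$base" "(objectClass=*)" 2>/dev/null \
        | classify_anon_result)
    dse=$(ldapsearch -x -H "$uri" -b "" -s base "(objectClass=*)" 2>/dev/null \
        | classify_anon_result)
    echo "tree=$tree rootdse=$dse"
)

# Constructed sample outputs for offline use.
SAMPLE_DENIED='# search result
search: 2
result: 48 Inappropriate authentication
text: Anonymous access is not allowed.'

SAMPLE_EXPOSED='dn: cn=users,cn=accounts,dc=example,dc=com
objectClass: nsContainer
cn: users

search: 2
result: 0 Success'
```

Against a live server, call it as check_anon ldap://10.0.0.9:389 "dc=example,dc=com" from a host that has no credentials cached.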
