matt4 Trusted Contributor.

LDAP Bind Restrictions

Can someone explain the various LDAP Bind restrictions in eDirectory? The docs do a horrible job of this and there are naming inconsistencies between the documentation and the actual iManager plugins.

You can Disallow Anonymous Simple Bind, Local Bind, and/or Unauthenticated Bind.

The eDir docs refer to something called Non-Anonymous Simple Bind, which is not listed in iManager at all. Is this the same as what the plugins call Local Bind?

Now I think I know what Anonymous Simple Bind is: that is a Bind with a zero-length DN and a zero-length password (at least I think that is what it is).

I'm not sure what a Non-Anonymous Simple Bind and/or Local Bind are. Is that a bind with a DN value but a zero length password? Or what?

And I assume an Unauthenticated Bind is one with no user ID or password? But then how is that different from an Anonymous Simple Bind?

I'm very confused by this terminology. Plus you can Disallow any combination of the 3 in the LDAP Server settings.

Can someone make sense of all this for me? Thanks!

Matt

P.S. For reference, here is the latest bind restrictions list in the plugins:

None
Disallow anonymous simple bind
Disallow local bind
Disallow anonymous simple bind and local bind
Disallow unauthenticated bind
Disallow anonymous and unauthenticated bind
Disallow local and unauthenticated bind
Disallow anonymous, local and unauthenticated bind
Knowledge Partner

Re: LDAP Bind Restrictions

I think part of the confusion is that Micro Focus added options to handle
poorly-coded clients, e.g. the ones that do not know that sending a
username with no password is effectively an anonymous bind, and that if
LDAP servers accept it that does not mean you really are the user. The
RFCs are clear, and few people read them, or properly test negative cases.
See this thread from a while ago:
https://forums.novell.com/showthread.php/491974-LDAP-Disable-Unauthenticated-Auth-but-keep-Anonymous-Auth

I am going to guess, without testing, that "unauthenticated bind" is to
handle that new case, where a user sends in a username sans password, and
now eDirectory will helpfully reject them rather than accepting them (per
the RFC) as an anonymous bind (assuming anonymous is allowed).

I'll also guess, based only on the name, that 'local bind' means binding
from the server itself. With that written, I'm interested in testing
results, so I'll see what I can conjure up later.

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.

If you want to send me a private message, please let me know in the
forum as I do not use the web interface often.
matt4 Trusted Contributor.

Re: LDAP Bind Restrictions

ab;2496873 wrote:

> I think part of the confusion is that Micro Focus added options to handle
> poorly-coded clients, e.g. the ones that do not know that sending a
> username with no password is effectively an anonymous bind, and that if
> LDAP servers accept it that does not mean you really are the user. The
> RFCs are clear, and few people read them, or properly test negative cases.
> See this thread from a while ago:
> https://forums.novell.com/showthread.php/491974-LDAP-Disable-Unauthenticated-Auth-but-keep-Anonymous-Auth
>
> I am going to guess, without testing, that "unauthenticated bind" is to
> handle that new case, where a user sends in a username sans password, and
> now eDirectory will helpfully reject them rather than accepting them (per
> the RFC) as an anonymous bind (assuming anonymous is allowed).

Then what is a Non-Anonymous Simple Bind? From just searching around, what you described seems to be a Non-Anonymous Simple Bind, which is listed in the eDir Documentation. But then I don't understand what makes this different from an Unauthenticated Bind.

> I'll also guess, based only on the name, that 'local bind' means binding
> from the server itself. With that written, I'm interested in testing
> results, so I'll see what I can conjure up later.

That's what I thought too, but now I'm starting to wonder if that is truly the case, especially since it doesn't match up with the documentation.

It seems to me that ideally what you want is to disable all of this, the most restrictive option. I'm just trying to understand exactly what each option is disabling.

I'll be curious to know what your testing reveals!

Matt
Knowledge Partner

Re: LDAP Bind Restrictions

matt wrote:

> Then what is a Non-Anonymous Simple Bind?


Simple Bind means "username/password" as opposed to something else like
Kerberos or SASL. Non-Anonymous Simple Bind therefore is just a long word for a
regular bind by providing a username and password (both with non-zero length).
See https://ldapwiki.com/wiki/LDAP%20Authentication%20Methods and
https://ldapwiki.com/wiki/Simple%20Authentication for more details.

--
http://www.is4it.de/en/solution/identity-access-management/

(If you find this post helpful, please click on the star below.)
______________________________________________
https://www.is4it.de/identity-access-management
matt4 Trusted Contributor.

Re: LDAP Bind Restrictions

lhaeger;2496895 wrote:

> matt wrote:
>
> > Then what is a Non-Anonymous Simple Bind?
>
> Simple Bind means "username/password" as opposed to something else like
> Kerberos or SASL. Non-Anonymous Simple Bind therefore is just a long word for a
> regular bind by providing a username and password (both with non-zero length).
> See https://ldapwiki.com/wiki/LDAP%20Authentication%20Methods and
> https://ldapwiki.com/wiki/Simple%20Authentication for more details.

So is there any difference between disallowing a Non-Anonymous Simple Bind vs. an Unauthenticated Bind? Would disallowing an Unauthenticated Bind also disallow a Non-Anonymous Simple Bind (to me it would)? If so, why are they different options (at least as listed in the documentation for eDir)?

And I still don't know what a local bind is. Is that really just a bind being performed on the local server or is it something else?

Matt
Knowledge Partner

Re: LDAP Bind Restrictions

matt wrote:

> So is there any difference between disallowing a Non-Anonymous Simple
> Bind vs. an Unauthenticated Bind? Would disallowing an Unauthenticated
> Bind also disallow a Non-Anonymous Simple Bind (to me it would)? If so,
> why are they different options (at least as listed in the documentation
> for eDir)?


If you are referring to
https://www.netiq.com/documentation/edir88/edir88/data/agq8auc.html my guess is
that the option now called "unauthenticated bind" was called "non-anonymous
simple bind" earlier, and because that was a bad way to call it, they changed
the wording in later versions. Maybe, "non-anonymous but unauthenticated
simple bind" would have been even better, but had too many words...

Still wondering what "local bind" may be; all I found is this thread from 2009,
which only adds to the confusion:
http://codeverge.com/novell.edirectory.linux/exact-definition-of-term-local-bind-l/1879902

Maybe open an SR for clarification?

--
http://www.is4it.de/en/solution/identity-access-management/

(If you find this post helpful, please click on the star below.)
______________________________________________
https://www.is4it.de/identity-access-management
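The three simple-bind forms the replies tease apart are the ones RFC 4513 section 5.1 defines (anonymous, unauthenticated, and name/password). As an added example that is neither eDirectory code nor from anyone in this thread, the block below encodes each form as an RFC 4511 BindRequest, decodes it back, classifies it, and applies the two restriction switches whose meaning the thread settles; "local bind" is left out because the thread never resolves it, and the DN, message IDs and passwords are constructed sample values.

```python
def _ber_len(n: int) -> bytes:
    if n < 128:                                  # short form
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body      # long form

def _tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(content)) + content

def bind_request(msg_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage{messageID, BindRequest{version 3, name, simple [0]}} per RFC 4511 4.2."""
    bind = (_tlv(0x02, b"\x03")               # version INTEGER 3
            + _tlv(0x04, dn.encode())         # name: LDAPDN as OCTET STRING
            + _tlv(0x80, password.encode()))  # authentication: simple, context tag [0]
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + _tlv(0x60, bind))  # msg_id < 128 assumed

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, content, position after the element) for the TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_simple_bind(msg: bytes):
    """Return (name, password) from a simple BindRequest; reject anything else."""
    _, body, _ = _read_tlv(msg, 0)             # LDAPMessage SEQUENCE
    _, _msg_id, pos = _read_tlv(body, 0)
    tag, bind, _ = _read_tlv(body, pos)
    if tag != 0x60:
        raise ValueError("not a BindRequest (APPLICATION 0)")
    _, _version, pos = _read_tlv(bind, 0)
    _, name, pos = _read_tlv(bind, pos)
    tag, cred, _ = _read_tlv(bind, pos)
    if tag != 0x80:
        raise ValueError("not a simple bind (SASL uses context tag [3])")
    return name.decode(), cred.decode()

def classify(name: str, password: str) -> str:
    """Which RFC 4513 section 5.1 mechanism a simple bind uses."""
    if not name and not password:
        return "anonymous"          # 5.1.1: zero-length name and zero-length password
    if name and not password:
        return "unauthenticated"    # 5.1.2: a name, but a zero-length password
    return "name/password" if name else "undefined"  # 5.1.3, or a password with no name

def accepted(kind: str, disallow_anonymous: bool, disallow_unauthenticated: bool) -> bool:
    """Model of the two restriction switches the thread pins down (local bind omitted)."""
    blocked = {"anonymous": disallow_anonymous, "unauthenticated": disallow_unauthenticated}
    return kind == "name/password" or (kind in blocked and not blocked[kind])
```

The encoded anonymous request (message ID 1) is the familiar fourteen-byte packet `30 0c 02 01 01 60 07 02 01 03 04 00 80 00`, which is a handy thing to recognise in a capture when checking what a client actually sends.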