# OpenLDAP: Non-anonymous access for PAM/NSS?



## AlexSanchezSTHLM (Feb 10, 2014)

For security reasons, I would like to turn off anonymous reads on my OpenLDAP server, but I don't know how to configure a client host to not connect anonymously when using PAM, NSS, Sudo, etc. I created a dedicated user with a password on the LDAP server.

Where (what file) do I need to set the user and password?
I tried setting binddn and bindpw in both /usr/local/etc/ldap.conf and /usr/local/etc/openldap/ldap.conf, but it doesn't work, it's still connecting anonymously...


----------



## w5plt (Feb 11, 2014)

On your OpenLDAP Server, you could use the following directive in the slapd.conf file:


```
disallow bind_anon
```

Access Control Policies can further restrict access and viewing of sensitive data.  Also, proper use of client and server certificates can force/demand TLS connections between the clients and server as another measure of security.

In addition to the FreeBSD Handbook Chapter on LDAP, I suggest the following link to gain further understanding of LDAP:

http://www.zytrax.com/books/ldap/

I hope this helps or at least points you in the right direction.

Regards,

Scott
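
As an added example (not from the thread or the FreeBSD Handbook), here is what Scott's three measures look like together in slapd.conf: anonymous binds refused, authentication and a TLS/SASL security layer required, and ACLs that let only a dedicated service account read the account data PAM/NSS need. The suffix dc=example,dc=org, the ou=People subtree and the service account cn=pam-nss,ou=Services,dc=example,dc=org are assumptions.

```conf
# Added example, not from the thread. Suffix, subtree and service-account DN
# are assumptions; adjust them to your directory.
disallow bind_anon        # refuse anonymous binds outright
require  authc            # every operation except bind needs an authenticated session
security ssf=128          # ...and a TLS (or SASL) layer of at least 128-bit strength

# A simple bind needs 'auth' access to userPassword while the connection is
# still anonymous; nobody (not even the service account) gets to read hashes.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

# Account data that pam_ldap/nss_ldap look up: readable by the service account
# only. Add "by users read" if every authenticated user should resolve names.
access to dn.subtree="ou=People,dc=example,dc=org"
    by dn.exact="cn=pam-nss,ou=Services,dc=example,dc=org" read
    by * none

# Everything else (groups, sudoers, ...): service account reads, nobody else.
access to *
    by dn.exact="cn=pam-nss,ou=Services,dc=example,dc=org" read
    by * none
```

Two caveats: `security ssf=128` also rejects the service account's simple bind over plain ldap://, so the client's ldap.conf then needs `ssl start_tls` (plus `tls_cacertfile`) or an ldaps:// URI; and `by anonymous auth` is not a hole, it only lets the server compare a supplied password, it never returns the attribute.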


----------



## AlexSanchezSTHLM (Feb 11, 2014)

Thanks Scott,

But if I disable anonymous bind with that directive, how do I tell PAM/NSS to use a specific user and password for lookups?

PS. thanks for that useful link


----------



## AlexSanchezSTHLM (Feb 11, 2014)

AlexSanchezSTHLM said:

> I tried setting binddn and bindpw in both /usr/local/etc/ldap.conf and /usr/local/etc/openldap/ldap.conf, but it doesn't work, it's still connecting anonymously...



Today, I gave it another try, and it worked to my surprise :q

This is exactly what I did (on the client) - in file /usr/local/etc/ldap.conf I added the following lines:


```
binddn cn=pam-nss,ou=Services,dc=example,dc=org
bindpw thePasswordInClearText
```

Cheers!
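
The working configuration above puts a cleartext bindpw in /usr/local/etc/ldap.conf, and nss_ldap is loaded into every process that resolves a user or group, so that file normally has to stay world-readable. The following added script (mine, not from the thread) audits such a PADL-style ldap.conf: it reports whether the client will still bind anonymously, flags a bindpw that any local user could read, and prints the two ldapsearch checks that confirm the server now refuses anonymous binds. The default path and the DNs are assumptions; the PADL `rootbinddn` + `ldap.secret` alternative mentioned in the warning is a real feature, but the secret file's location is set at build time.

```sh
#!/bin/sh
# Added example, not from the thread: audit the ldap.conf that pam_ldap/nss_ldap
# read on the client. Path, URI and DNs are assumptions.

# conf_get FILE KEY: print KEY's value. Keys are case-insensitive, '#' lines are
# comments and the first match wins, as in the PADL parser.
conf_get() {
    awk -v k="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == k { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# bind_mode FILE: "anonymous" when no binddn is set (every lookup will then fail
# against a server with "disallow bind_anon"), otherwise "simple".
bind_mode() {
    if [ -n "$(conf_get "$1" binddn)" ]; then echo simple; else echo anonymous; fi
}

# secret_exposed FILE: exit 0 when a cleartext bindpw sits in a file that the
# 'other' class can read, i.e. every local account can log in as the service user.
secret_exposed() {
    [ -n "$(conf_get "$1" bindpw)" ] || return 1
    other=$(ls -l "$1" | cut -c8-10)      # e.g. "r--" from "-rw-r--r--"
    case "$other" in *r*) return 0 ;; *) return 1 ;; esac
}

# verify_commands FILE: print the ldapsearch checks to run against the server.
verify_commands() {
    uri=$(conf_get "$1" uri); base=$(conf_get "$1" base); dn=$(conf_get "$1" binddn)
    echo "# 1) should be refused (typically 'Inappropriate authentication (48)'):"
    echo "ldapsearch -x -H '$uri' -b '$base' -s base"
    echo "# 2) should succeed; -W prompts so the password stays off the command line:"
    echo "ldapsearch -x -H '$uri' -D '$dn' -W -b '$base' '(objectClass=posixAccount)' uid"
}

main() {
    conf="${1:-/usr/local/etc/ldap.conf}"
    echo "bind mode: $(bind_mode "$conf")"
    if secret_exposed "$conf"; then
        echo "WARNING: bindpw in world-readable $conf. Consider 'rootbinddn' plus the"
        echo "         root-only ldap.secret file (PADL nss_ldap/pam_ldap; path is build-time)."
    fi
    verify_commands "$conf"
}

# Usage: sh audit-ldap-conf.sh [/usr/local/etc/ldap.conf]
if [ $# -gt 0 ]; then main "$@"; fi
```

The checker only tells you what the client will do; `disallow bind_anon` on the server is what actually closes anonymous reads, and the first ldapsearch is how you prove it took effect.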


----------

