Tuesday, October 19, 2021

[389-users] Re: anonymous binds

depending on the filters used, an error 11 / err=11 / ADMIN_LIMIT_EXCEEDED / "Administrative limit exceeded" could be returned, and depending on the LDAP client, it could be an important error.
it may be a good idea to set a DN for nsslapd-anonlimitsdn , see
with its associated/dedicated values different from the global settings, for the attributes nsIdleTimeout ,  nsTimeLimit and nsSizeLimit
or set a special user entry for those BINDs , with the same 3 user specified idletimeout, time and size limits to avoid tuning up the general setting of the size limit.

On Tue, Oct 19, 2021 at 10:44 AM Michael Starling <mlstarling31@hotmail.com> wrote:
Good afternoon.

I have a few questions about anon binds.

In theory if you have 3000 user objects in the directory and anonymous binds have a limit returning 2000 entries can you still use anonymous binds in LDAP client configurations without issues? Or does something else take place when a user logs in that only requires the LDAP clients (sssd or nscld) to parse that specific user dn and attributes?

Typically, with OpenLDAP I have created a "bind" user that can read all user/group objects with limited attributes and turned off anon binds so I don't fully understand the behavior of anonymous binds.

389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure

No comments:

Post a Comment