Friday, July 29, 2022

[389-users] Re: Disable Anonymous Bind

Most options in cn=config can be changed while the server is still
online. Since you also need to reset the DM password it makes sense to
shut it off first.

A brute force and simple way is to shut down all instances on your
machine: systemctl stop dirsrv.target

Start it back up in a similar way.

I'd recommend you make a backup of dse.ldif just in case prior to making
any changes.

rob
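The thread describes three edits to the cn=config entry of dse.ldif (nsslapd-allow-anonymous-access and nsslapd-allow-unauthenticated-binds set to off, and nsslapd-rootpw replaced with a hash in the scheme named by passwordStorageScheme) made while the server is stopped. The script below is an added example and not part of the thread or of 389 Directory Server itself: it parses a dse.ldif, reports the current values of the two bind settings, and emits a hardened copy with a fresh root password hash. The sample entry is constructed, and the {SSHA512} layout (base64 of sha512(password + salt) followed by an 8-byte salt) is my understanding of the server's format; the pwdhash utility shipped with 389 DS is the normal way to produce such a value and can be used to cross-check.

```python
"""Audit and harden the cn=config entry of a 389 Directory Server dse.ldif."""
import base64
import hashlib
import hmac
import os

# Constructed sample of a cn=config entry (not a real server's file);
# only attributes relevant to the thread are shown.
SAMPLE_DSE = """\
dn: cn=config
cn: config
objectClass: top
objectClass: nsslapdConfig
nsslapd-allow-anonymous-access: on
nsslapd-allow-unauthenticated-binds: off
nsslapd-rootdn: cn=Directory Manager
nsslapd-rootpw: {SSHA512}placeholder-old-hash
passwordStorageScheme: SSHA512
nsslapd-port: 389

dn: cn=monitor
objectClass: top
"""

# Values that satisfy a "no anonymous / no empty-password bind" policy.
HARDENED = {
    "nsslapd-allow-anonymous-access": "off",
    "nsslapd-allow-unauthenticated-binds": "off",
}


def parse_ldif(text):
    """Return a list of entries, each a list of (attr, value), folding LDIF continuation lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # a leading space continues the previous value
        else:
            lines.append(raw)
    entries, current = [], []
    for line in lines + [""]:             # sentinel blank line closes the last entry
        if not line:
            if current:
                entries.append(current)
                current = []
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):         # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode()
        current.append((attr.strip(), value.strip()))
    return entries


def audit(text):
    """Current value of each bind setting in cn=config; "<unset>" means the server default applies."""
    for entry in parse_ldif(text):
        attrs = {a.lower(): v for a, v in entry}
        if attrs.get("dn", "").lower() == "cn=config":
            return {k: attrs.get(k, "<unset>") for k in HARDENED}
    raise ValueError("no cn=config entry found")


def ssha512(password, salt=None):
    """{SSHA512} value: base64(sha512(password + salt) + salt) with an 8-byte salt (assumed layout)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha512(password.encode() + salt).digest()
    return "{SSHA512}" + base64.b64encode(digest + salt).decode()


def verify_ssha512(password, stored):
    """Check a candidate password against a {SSHA512} value in constant time."""
    raw = base64.b64decode(stored[len("{SSHA512}"):])
    digest, salt = raw[:64], raw[64:]
    return hmac.compare_digest(hashlib.sha512(password.encode() + salt).digest(), digest)


def harden(text, new_rootpw_hash):
    """Copy of the dse.ldif with both bind settings forced off and nsslapd-rootpw replaced.

    Only the cn=config entry is rewritten; every other line is passed through unchanged.
    """
    lines = text.splitlines()
    if not lines or lines[-1] != "":
        lines.append("")                  # make sure the final entry is terminated
    out, in_config, seen = [], False, set()
    for line in lines:
        attr = line.split(":", 1)[0].strip().lower()
        if attr == "dn":
            in_config = line.split(":", 1)[1].strip().lower() == "cn=config"
        if in_config:
            if attr in HARDENED:
                out.append(f"{attr}: {HARDENED[attr]}")
                seen.add(attr)
                continue
            if attr == "nsslapd-rootpw":
                out.append(f"nsslapd-rootpw: {new_rootpw_hash}")
                continue
            if line == "":                # end of cn=config: add any setting that was absent
                out.extend(f"{a}: {v}" for a, v in HARDENED.items() if a not in seen)
                in_config = False
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("before:", audit(SAMPLE_DSE))
    new_hash = ssha512("example-only-password")
    hardened = harden(SAMPLE_DSE, new_hash)
    print("after: ", audit(hardened))
```

Run audit() against a copy of the real dse.ldif first to confirm which settings actually need changing; apply harden() output only to the file of a stopped instance, as Rob notes, and keep the backup he recommends.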

Christian Palacios wrote:
> Thank you Rob.  I checked the dse.ldif file and it was set to on.  In
> order to shutdown the server to make the changes, what command should I
> use?  Lots of help, thanks!
>
> On Thu, Jul 28, 2022 at 8:53 AM Rob Crittenden <rcritten@redhat.com> wrote:
>
> Jeremiah Garmatter wrote:
> > Christian,
> >
> > I had to do this recently so it's still pretty fresh. You need to track
> > down the dse.ldif file on the server hosting 389. dse.ldif is like the
> > main config for your 389 instance. My file is in
> > /etc/dirsrv/slapd-<hostname>/dse.ldif.
> > Once you find that file, look for the cn=config section and set
> > "nsslapd-allow-anonymous-access" to "off". You may want to do the same
> > with "nsslapd-allow-unauthenticated-binds" which allows binds to occur
> > with an empty password.
> >
> > You can set the Directory Manager account password from that file as
> > well with the "nsslapd-rootpw" setting. The value of that setting must
> > be the hash of the desired password. You must use the same hashing
> > algorithm as described in the passwordStorageScheme.
> > Then restart the 389 service and you'll have a new directory manager
> > password and disabled anonymous binds.
>
> Not commenting specifically on the settings but any direct changes to
> dse.ldif need to be done while the server is shut down otherwise they
> will be overwritten when the server stops. So stop the server, make
> changes, restart.
>
> rob
>
> >
> > -Jeremiah Garmatter, Systems Administrator
> > -Ohio Northern University, Class of 2020
> > -Work: 419-772-1074
> > -j-garmatter@onu.edu
> >
> >
> > On Thu, Jul 28, 2022 at 10:29 AM Christian Palacios
> > <christiandpalacios@gmail.com> wrote:
> >
> >     Hi there,
> >
> >     We have an instance of 389 and I have been asked to disable
> >     anonymous bind on it because our current security policies don't
> >     allow it.  Can you please suggest ways to fix this?  Unfortunately,
> >     I don't have the admin account, so I'm hoping to also get help with
> >     that.
> >
> >     Thank you,
> >     -Christian
> >     _______________________________________________
> >     389-users mailing list -- 389-users@lists.fedoraproject.org
> >     To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
> >     Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> >     List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> >     List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
> >     Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
