We recently went through a security audit and one of the findings was the fact that our connection servers support anonymous LDAP binding. A couple of questions:
Thanks
1. None. Anonymous binds on rootDSE are required as part of the LDAP v3 specification to determine the list of supported LDAP SASL bind methods. An Anonymous LDAP bind to Connection Server doesn't allow any Connection Server configuration to be accessed. You can try this with LDP.exe.
2. No. LDAP v3 binds would not work if we did this.
3. No.
Mark
Hi Mark,
We have the same situation in our organization. Is it possible for you to help us with some VMware docs that explains this.
I would really appreciate it.
Sure. View Connection Server LDAP has 3 base DNs. One for LDAP configuration, one for the schema and one for the Horizon View specific configuration. These are:
Horizon View Connection Servers require LDAP SASL binds to all three. Anonymous logins are not permitted. This means that data from all three cannot be written or read by an anonymous user.
In addition, LDAP v3 servers support a base level called "root DSE" where base information such as the list of SASL bind methods (supportedSASLMechanisms) is obtained as part of the authentication (bind) process.
You can try this with LDP.EXE on any Horizon View Connection Server. From the menu, select Connection > Connect and specify localhost and port 389. Don't select Connection > Bind (i.e. be anonymous) and then attempt access to any of the 3 LDAP base DNs. You can do this by selecting View > Tree then hitting the down-arrow button and selecting each base DN in turn. You should get an error on each which be something like:
Server error: 000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection.
You will be denied any sort of access. You can then try a non anonymous bind by selecting Connection > Bind, repeating the test and you will then be able to access those three trees.
None of this is Horizon View specific, but is part of the standard LDAPv3 spec. So the docs you want are actually the standard LDAP specification RFCs covering the LDAPv3 protocol and the SASL bind mechanism. See RFC 4511 - Lightweight Directory Access Protocol (LDAP): The Protocol
The relevant section is:
Clients may determine the SASL mechanisms a server supports by
reading the 'supportedSASLMechanisms' attribute from the root DSE
(DSA-Specific Entry) ([RFC4512], Section 5.1). The values of this
attribute, if any, list the mechanisms the server supports in the
current LDAP session state. LDAP servers SHOULD allow all clients --
even those with an anonymous authorization -- to retrieve the
'supportedSASLMechanisms' attribute of the root DSE both before and
after the SASL authentication exchange.