OpenLDAP: deny anonymous user & create readonly user

2024-08-01

The OpenLDAP server allows anonymous binds, so we deny anonymous users and create a read-only user.

1. Deny anonymous user
echo "ldapmodify -Y EXTERNAL -H ldapi:/// -f no_anonymous.ldif" > deny_anonymous.sh

cat << EOF > no_anonymous.ldif
dn: cn=config
changetype: modify
add: olcDisallows
olcDisallows: bind_anon

dn: cn=config
changetype: modify
add: olcRequires
olcRequires: authc

dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: olcRequires
olcRequires: authc
EOF

2. Create readonly user
slappasswd -s password9
{SSHA}5aj9VcmTaEH7yjdyavR9IdELPBhxUj0X
cat << EOF > olcRootDN.sh
# show the rootDN of each database (the -D value used by ldapadd below)
ldapsearch -H ldapi:// -LLL -Q -Y EXTERNAL -b "cn=config" "(olcRootDN=*)"
EOF

cat << EOF > readonly.ldif
dn: cn=readonly,dc=my,dc=net
cn: readonly
objectClass: simpleSecurityObject
objectClass: organizationalRole
description: LDAP read only user
userPassword: {SSHA}5aj9VcmTaEH7yjdyavR9IdELPBhxUj0X
EOF
ldapadd -x -D cn=Manager,dc=my,dc=net -W -f ./readonly.ldif

cat << EOF > readonly-user-access.ldif
dn: olcDatabase={1}mdb,cn=config
changetype: modify
delete: olcAccess
-
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange
  by dn="cn=Manager,dc=my,dc=net" write
  by anonymous auth
  by self write
  by dn="cn=readonly,dc=my,dc=net" read
  by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=my,dc=net" write by * read
EOF

ldapmodify -Y EXTERNAL -H ldapi:/// -f readonly-user-access.ldif
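As an added illustration (not part of the original post), a small Python model of how OpenLDAP evaluates the three olcAccess values above: the first rule whose "to" clause matches the target is chosen, and within it the first matching "by" clause decides the level. It handles only the clause types used in this post, does not talk to a server, and the DNs uid=alice / uid=bob are made up.

```python
import re

# The three olcAccess values from readonly-user-access.ldif, one string each.
RULES = [
    '{0}to attrs=userPassword,shadowLastChange by dn="cn=Manager,dc=my,dc=net" write '
    'by anonymous auth by self write by dn="cn=readonly,dc=my,dc=net" read by * none',
    '{1}to dn.base="" by * read',
    '{2}to * by dn="cn=Manager,dc=my,dc=net" write by * read',
]

def parse_rule(rule):
    """Split one olcAccess value into its <what> clause and ordered (who, level) pairs."""
    what, *who = re.split(r"\s+by\s+", re.sub(r"^\{\d+\}", "", rule.strip()))
    return what[len("to "):].strip(), [tuple(w.rsplit(" ", 1)) for w in who]

def target_matches(what, entry_dn, attr):
    """Does the <what> clause select this entry/attribute?"""
    if what == "*":
        return True
    if what.startswith("attrs="):
        return attr is not None and attr.lower() in what[6:].lower().split(",")
    if what.startswith("dn.base="):
        return entry_dn.lower() == what[8:].strip('"').lower()
    raise ValueError("unsupported <what> clause: " + what)

def subject_matches(who, bind_dn, entry_dn):
    """Does the <who> clause match the bound identity (None = anonymous)?"""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "self":
        return bind_dn is not None and bind_dn.lower() == entry_dn.lower()
    if who.startswith("dn="):
        return bind_dn is not None and bind_dn.lower() == who[3:].strip('"').lower()
    raise ValueError("unsupported <who> clause: " + who)

def access(bind_dn, entry_dn, attr=None, rules=RULES):
    """Level granted: first rule whose <what> matches, then its first matching <by>."""
    for rule in rules:
        what, who_list = parse_rule(rule)
        if not target_matches(what, entry_dn, attr):
            continue
        for who, level in who_list:
            if subject_matches(who, bind_dn, entry_dn):
                return level
        return "none"  # target matched but no <by> clause did: implicit "by * none"
    return "none"      # no rule selected the target at all
```

Note that rule {2} ends with "by * read", so the ACL by itself would still let an anonymous bind read ordinary attributes (access(None, "uid=alice,dc=my,dc=net", "mail") returns "read"); it is the olcDisallows/olcRequires settings from step 1 that close that path.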

3. Delete readonly user
ldapdelete -x -D cn=Manager,dc=my,dc=net -W "cn=readonly,dc=my,dc=net"
