Hello, I have an OpenLDAP server with anonymous access disabled. When I
check the SSSD logs, I see that it makes an anonymous query for certain
attributes, resulting in the following error:
* (2025-02-01 5:45:50): [be[LDAP]] [sdap_connect_done] (0x0080): START TLS result: Success(0), (null)
* (2025-02-01 5:45:50): [be[LDAP]] [sdap_op_destructor] (0x2000): Operation 1 finished
* (2025-02-01 5:45:50): [be[LDAP]] [sdap_get_rootdse_send] (0x4000): Getting rootdse
* (2025-02-01 5:45:50): [be[LDAP]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=*)][].
* (2025-02-01 5:45:50): [be[LDAP]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [*]
* (2025-02-01 5:45:50): [be[LDAP]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [altServer]
* (2025-02-01 5:45:50): [be[LDAP]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [namingContexts]
* (2025-02-01 5:45:50): [be[LDAP]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedControl]
* (2025-02-01 5:45:50): [be[LDAP]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedExtension]
* (2025-02-01 5:45:50): [be[LDAP]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedFeatures]
* (2025-02-01 5:45:50): [be[LDAP]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedLDAPVersion]
* (2025-02-01 5:45:50): [be[LDAP]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedSASLMechanisms]
* (2025-02-01 5:45:50): [be[LDAP]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [domainControllerFunctionality]
* (2025-02-01 5:45:50): [be[LDAP]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [defaultNamingContext]
* (2025-02-01 5:45:50): [be[LDAP]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [lastUSN]
* (2025-02-01 5:45:50): [be[LDAP]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [highestCommittedUSN]
* (2025-02-01 5:45:50): [be[LDAP]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 2
* (2025-02-01 5:45:50): [be[LDAP]] [sdap_op_add] (0x2000): New operation 2 timeout 6
* (2025-02-01 5:45:50): [be[LDAP]] [sdap_process_result] (0x2000): Trace: sh[0x5562b7500710], connected[1], ops[0x5562b7494520], ldap[0x5562b74feb80]
* (2025-02-01 5:45:50): [be[LDAP]] [sdap_process_result] (0x2000): Trace: end of ldap_result list
* (2025-02-01 5:45:50): [be[LDAP]] [sdap_process_result] (0x2000): Trace: sh[0x5562b7500710], connected[1], ops[0x5562b7494520], ldap[0x5562b74feb80]
* (2025-02-01 5:45:50): [be[LDAP]] [sdap_process_result] (0x2000): Trace: end of ldap_result list
* (2025-02-01 5:45:50): [be[LDAP]] [sdap_process_result] (0x2000): Trace: sh[0x5562b7500710], connected[1], ops[0x5562b7494520], ldap[0x5562b74feb80]
* (2025-02-01 5:45:50): [be[LDAP]] [sdap_process_result] (0x2000): Trace: end of ldap_result list
* (2025-02-01 5:45:50): [be[LDAP]] [sdap_process_result] (0x2000): Trace: sh[0x5562b7500710], connected[1], ops[0x5562b7494520], ldap[0x5562b74feb80]
* (2025-02-01 5:45:50): [be[LDAP]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
* (2025-02-01 5:45:50): [be[LDAP]] [sdap_get_generic_op_finished] (0x0400): Search result: Server is unwilling to perform(53), authentication required
* (2025-02-01 5:45:50): [be[LDAP]] [sdap_get_generic_op_finished] (0x0040): Unexpected result from ldap: Server is unwilling to perform(53), authentication required
If I enable anonymous access, this error does not appear. In my sssd.conf
configuration, I am using binddn and password.
Is there any way to disable these queries, or is it mandatory for the
OpenLDAP server to allow anonymous access?
Best regards.
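As an added example (not part of the original post, and not SSSD or OpenLDAP code), here is a small Python script that parses SSSD LDAP backend debug lines in the format shown above, pairs the "Getting rootdse" search with the LDAP result that closes it, and flags the case where that pre-bind rootDSE search was refused with result 53 and the diagnostic "authentication required". It lets an administrator confirm from the logs that the failing operation is the rootDSE lookup rather than the bind with the configured binddn. The regular expressions and the two condensed sample logs are constructed from the line format in the post; the function names are assumptions of this example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a condensed excerpt of the SSSD debug log quoted in the post.
SAMPLE_LOG = """\
(2025-02-01 5:45:50): [be[LDAP]] [sdap_connect_done] (0x0080): START TLS result: Success(0), (null)
(2025-02-01 5:45:50): [be[LDAP]] [sdap_get_rootdse_send] (0x4000): Getting rootdse
(2025-02-01 5:45:50): [be[LDAP]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=*)][].
(2025-02-01 5:45:50): [be[LDAP]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [*]
(2025-02-01 5:45:50): [be[LDAP]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedSASLMechanisms]
(2025-02-01 5:45:50): [be[LDAP]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [namingContexts]
(2025-02-01 5:45:50): [be[LDAP]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 2
(2025-02-01 5:45:50): [be[LDAP]] [sdap_op_add] (0x2000): New operation 2 timeout 6
(2025-02-01 5:45:50): [be[LDAP]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
(2025-02-01 5:45:50): [be[LDAP]] [sdap_get_generic_op_finished] (0x0400): Search result: Server is unwilling to perform(53), authentication required
(2025-02-01 5:45:50): [be[LDAP]] [sdap_get_generic_op_finished] (0x0040): Unexpected result from ldap: Server is unwilling to perform(53), authentication required
"""

# Constructed sample of the healthy case (anonymous rootDSE read allowed): result code 0.
SUCCESS_LOG = """\
(2025-02-01 5:46:10): [be[LDAP]] [sdap_get_rootdse_send] (0x4000): Getting rootdse
(2025-02-01 5:46:10): [be[LDAP]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), (null)
"""

# One SSSD debug line: (timestamp): [target] [function] (level mask): message
# The target itself contains brackets ("be[LDAP]"), hence the non-greedy match.
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\): \[(?P<target>.+?)\] \[(?P<func>[^\]]+)\] "
    r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
# "Search result: <result text>(<code>), <diagnostic>"
RESULT_RE = re.compile(r"^Search result: (?P<text>.*?)\((?P<code>\d+)\)(?:, (?P<diag>.*))?$")
ATTR_RE = re.compile(r"Requesting attrs: \[(?P<attr>[^\]]*)\]")


@dataclass
class LogEntry:
    ts: str
    target: str
    func: str
    level: int
    msg: str


def parse_sssd_log(text):
    """Parse debug lines into LogEntry objects; lines that do not fit the format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(LogEntry(m["ts"], m["target"], m["func"], int(m["level"], 16), m["msg"]))
    return entries


def find_rootdse_failures(entries):
    """Pair each 'Getting rootdse' with the search result that closes it.

    Returns one dict per rootDSE search that ended with a non-zero LDAP result code:
    timestamp, requested attributes, result code, result text and server diagnostic.
    """
    findings = []
    pending = None  # the rootDSE search currently in flight, if any
    for e in entries:
        if e.func == "sdap_get_rootdse_send" and e.msg.startswith("Getting rootdse"):
            pending = {"ts": e.ts, "attrs": []}
            continue
        if pending is None:
            continue
        m = ATTR_RE.search(e.msg)
        if m:
            pending["attrs"].append(m["attr"])
            continue
        m = RESULT_RE.match(e.msg)
        if m and e.func == "sdap_get_generic_op_finished":
            code = int(m["code"])
            diag = None if m["diag"] in (None, "(null)") else m["diag"]
            if code != 0:
                findings.append({**pending, "code": code, "result": m["text"].strip(), "diag": diag})
            pending = None  # the result closes the search, whatever its outcome
    return findings


def is_unauthenticated_rootdse_refusal(finding):
    """True when the rootDSE search was refused with unwillingToPerform(53)
    and the server said authentication is required, the pattern shown in the post."""
    return finding["code"] == 53 and "authentication required" in (finding["diag"] or "")


if __name__ == "__main__":
    for f in find_rootdse_failures(parse_sssd_log(SAMPLE_LOG)):
        tag = "pre-bind rootDSE refused" if is_unauthenticated_rootdse_refusal(f) else "rootDSE failed"
        print(f"{f['ts']}: {tag}: {f['result']}({f['code']}), {f['diag']}; attrs={f['attrs']}")
```

Run on a full sssd_LDAP.log the script reports every rootDSE lookup that the server rejected; when each finding carries result 53 with "authentication required" while the bind itself is never reached, the refusal is on the anonymous rootDSE read, not on the credentials in sssd.conf.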