Directory Server prevents authentication with a null password. All non-anonymous binds must therefore specify a password to bind to the directory. Otherwise, Directory Server returns an authentication error, LDAP_INAPPROPRIATE_AUTH.
You can disable this feature by setting the server property require-bind-pwd-enabled to off using the dsconf set-server-prop command.
The following command-line sequence walks you through a demonstration of this feature.
The default value of the Require Bind on Authentication feature is on. Check this by using the following command:
# dsconf get-server-prop -p 20390 -w /tmp/.pwd-file require-bind-pwd-enabled
require-bind-pwd-enabled : on
Authenticating with a null password results in the following error message:
# ldapsearch -D cn=altrootdn -w '' -p 20390 -b cn=config 'objectclass=*' dn
ldap_simple_bind: Inappropriate authentication
ldap_simple_bind: additional info: binds with a dn require a password
Note that this feature does not block anonymous binds:
# ldapsearch -p 20390 -b cn=config 'objectclass=*' dn
version: 1
dn: cn=SNMP,cn=config
Disable this feature by setting it to off:
# dsconf set-server-prop -p 20390 -w /tmp/.pwd-file require-bind-pwd-enabled:off
# dsconf get-server-prop -p 20390 -w /tmp/.pwd-file require-bind-pwd-enabled
require-bind-pwd-enabled : off
This time authenticating with a null password succeeds:
# ldapsearch -D cn=altrootdn -w '' -p 20390 -b cn=config 'objectclass=*' dn
version: 1
dn: cn=SNMP,cn=config
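The checks from the walkthrough above, collected into an added shell example (not part of the original documentation): it reads the dsconf and ldapsearch output formats shown above and reports whether null-password binds are refused. The function names and sample strings are constructed for illustration, and audit_instance assumes dsconf and ldapsearch are on PATH.

```shell
#!/bin/sh
# Added example; helper names are hypothetical, samples are constructed.

# stdin: output of `dsconf get-server-prop ... require-bind-pwd-enabled`.
# Prints on/off/unknown; returns 0 only when the protection is on.
prop_state() {
    state=$(awk -F: '$1 ~ /^[ \t]*require-bind-pwd-enabled[ \t]*$/ {
        gsub(/[ \t\r]/, "", $2); print tolower($2); exit }')
    case "$state" in
        on)  echo on;  return 0 ;;
        off) echo off; return 1 ;;
        *)   echo unknown; return 2 ;;
    esac
}

# stdin: stdout+stderr of a bind that sends a DN with an empty password.
# rejected = server refused the bind; accepted = entries were returned.
probe_result() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'ldap_simple_bind: Inappropriate authentication'; then
        echo rejected; return 0
    elif printf '%s\n' "$out" | grep -q '^dn: '; then
        echo accepted; return 1
    fi
    echo inconclusive; return 2
}

# Live check of one instance, using the same commands as the walkthrough.
# usage: audit_instance PORT PWD_FILE BIND_DN
audit_instance() {
    cfg=$(dsconf get-server-prop -p "$1" -w "$2" require-bind-pwd-enabled | prop_state) || true
    probe=$(ldapsearch -D "$3" -w '' -p "$1" -b cn=config 'objectclass=*' dn 2>&1 | probe_result) || true
    echo "port=$1 config=$cfg null-bind=$probe"
    [ "$cfg" = on ] && [ "$probe" = rejected ]
}

# Constructed sample outputs in the formats shown above (not live captures).
SAMPLE_PROP_OFF='require-bind-pwd-enabled : off'
SAMPLE_PROBE_REJECTED='ldap_simple_bind: Inappropriate authentication
ldap_simple_bind: additional info: binds with a dn require a password'
SAMPLE_PROBE_ACCEPTED='version: 1
dn: cn=SNMP,cn=config'

echo "config=$(printf '%s\n' "$SAMPLE_PROP_OFF" | prop_state)"
echo "null-bind=$(printf '%s\n' "$SAMPLE_PROBE_ACCEPTED" | probe_result)"
```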
For instructions on using the Directory Service Control Center to configure password policy, see the DSCC online help.