On 13/06/2014 17:34, Tou-Soua Heu wrote:
> I will raise a request.
>
> The business case is for secure environments, like at a Financial institution
> (eg. Bank Of America) or Government agency (e.g. Department of Defense), all
> LDAP connections must be authenticated (meaning no anonymous connection
> allowed). Currently we have no method to prove that ApacheDS meets this
> requirement: the fact we unchecked the "Allow Anonymous Access" in the
> configuration setting isn't sufficient to prove compliancy. We need to
> demonstrate this is actually happening and one way is via either a server
> status about the identity of current connections or logging of identity
> connections.
The log should tell you when someone attempts to authenticate using an
anonymous bind. Anonymous authentications are handled by the
AnonymousAuthenticator class, which produces a message when such an
attempt is not allowed:
LOG.info( "Cannot authenticate as anonymous, the server does not allow it" );
Adding some info log on :
log4j.logger.org.apache.directory.server.core.authn=INFO
should be enough to get such traces.
FTR, I just added some more log for "positive" anonymous binds (i.e., when
it's enabled and some anonymous bind is done, you'll have the same log).
Does it fit your needs? Can you tell me if you get the logs I described
on your server after having changed the log config?
Thanks!
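To turn the log configuration described above into actual compliance evidence, an auditor needs a way to pull the anonymous-bind messages out of the server log and, just as importantly, to notice when the authn logger is silent (which usually means the log4j change was not applied, not that no anonymous binds were attempted). The script below is an added example and is not ApacheDS project code; the log line layout (timestamp, level, logger name, message) is a constructed log4j-style format, and only the message text "Cannot authenticate as anonymous, the server does not allow it" and the logger name org.apache.directory.server.core.authn come from the thread.

```python
"""Scan ApacheDS-style log lines for anonymous bind activity.

Added example, not part of the ApacheDS project. The line layout used
here is an assumption (a typical log4j pattern); adjust LINE_RE to the
ConversionPattern configured on the server being audited.
"""
import re

# Message emitted by AnonymousAuthenticator when anonymous binds are disabled
# (quoted in the thread above).
REJECT_MSG = "Cannot authenticate as anonymous, the server does not allow it"

# Logger that must be at INFO for these messages to appear:
#   log4j.logger.org.apache.directory.server.core.authn=INFO
AUTHN_LOGGER_PREFIX = "org.apache.directory.server.core.authn"

# Constructed sample log, format "<date> <time> <LEVEL> [<logger>] - <message>".
SAMPLE_LOG = """\
2014-06-13 17:40:01,101 INFO  [org.apache.directory.server.core.authn.AnonymousAuthenticator] - Cannot authenticate as anonymous, the server does not allow it
2014-06-13 17:40:02,220 DEBUG [org.apache.directory.server.core.authn.SimpleAuthenticator] - Authenticating uid=admin,ou=system
2014-06-13 17:41:09,005 INFO  [org.apache.directory.server.core.authn.AnonymousAuthenticator] - Cannot authenticate as anonymous, the server does not allow it
2014-06-13 17:41:10,777 INFO  [org.apache.directory.server.core.authn.SimpleAuthenticator] - Authenticated uid=jdoe,ou=users,dc=example,dc=com
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<level>[A-Z]+)\s+\[(?P<logger>[^\]]+)\] - (?P<msg>.*)$"
)


def parse_log(text):
    """Return one dict per parseable line; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def anonymous_bind_rejections(records):
    """Records proving that an anonymous bind was attempted and refused."""
    return [r for r in records if r["msg"] == REJECT_MSG]


def summarize(text):
    """Evidence summary for an audit.

    authn_logging_enabled is False when no line from the authn logger is
    present at all; in that case an empty rejection list is NOT evidence
    that anonymous binds are refused, only that the log level is wrong.
    """
    records = parse_log(text)
    rejected = anonymous_bind_rejections(records)
    authn_visible = any(r["logger"].startswith(AUTHN_LOGGER_PREFIX) for r in records)
    return {
        "total": len(records),
        "anonymous_rejected": len(rejected),
        "authn_logging_enabled": authn_visible,
        "first_rejection": rejected[0]["ts"] if rejected else None,
    }


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for key, value in summary.items():
        print(f"{key}: {value}")
    if not summary["authn_logging_enabled"]:
        print("WARNING: no authn logger output seen; check the log4j configuration")
```

Run it against a real apacheds.log instead of SAMPLE_LOG by reading the file into `summarize`. The "authn_logging_enabled" flag is the check worth keeping: a report that shows zero rejections is only meaningful when the authn logger is demonstrably producing output.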