Re: ldap (oid) name resolution security !
In the note you've mentioned, they say:
"if you are only using OID for LDAP naming, then disabling the null
bind should be OK. "
However, in the test I ran 10 minutes ago, if I disable anonymous bind, my LDAP name resolution no longer works.
There is another note in Metalink that contradicts the first one and,
alas, corroborates my experience.
In note 305371.1:
"For any database/OID versions, if using OID for tnsnames / servicename
resolution, anonymous binds cannot be disallowed. The ldap.ora file is
used to retrieve TNS connection details from OID, and to do this it
must connect with an anonymous bind. Any client application that uses
the ldap.ora information to bind to OID anonymously to retrieve a
connect string will fail unless also configured to use a different
connect string retrieval method (i.e., via tnsnames.ora file)."
Have you been able to make LDAP naming work without anonymous bind?
Thanks
PS: initially, we wanted to dump LDAP to tnsnames to feed an LDAP proxy
(for our old Oracle 7 servers!). In the end we will keep our old ONAMES
server (v2, i.e. Oracle 7) for a while and we will create entries in both
the LDAP and ONAMES servers.
We have 2 Java programs: one that generates LDIF files from ONAMES
(for LDAP initialization), and one that checks differences between ONAMES
and OID.
Consequently we don't have a Java program that dumps LDAP to tnsnames,
sorry.
yong321_at_yahoo.com wrote:
> Easy. Disallow anonymous bind. Read Note:316143.1.
>
> (Do you have a web page for your Java program that dumps LDAP to
> tnsnames? I'd like to make a link from
> http://rootshell.be/~yong321/oranotes/Ldap2Tnsnames.txt
> to your web page.)
>
> Yong Huang
Received on Fri Jan 13 2006 - 03:42:25 CST
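The alternative retrieval method quoted from note 305371.1 (a tnsnames.ora file) needs the directory's net service entries rendered as tnsnames text. The sketch below is an added example, not the poster's Java programs or the Ldap2Tnsnames script linked in the thread: it converts an LDIF export, taken with an authenticated bind, into tnsnames.ora entries. It assumes the entries use the `orclNetService` object class with `orclNetDescString`; the sample LDIF, host names and function names are constructed.

```python
import base64

# Constructed sample data: what an authenticated LDIF export of an
# Oracle Context could look like (hosts and service names are made up).
HR_DESC = "(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=db2.example.com)(PORT=1521))(CONNECT_DATA=(SID=hr)))"
SAMPLE_LDIF = """\
dn: cn=ORCL,cn=OracleContext,dc=example,dc=com
objectClass: orclNetService
cn: ORCL
orclNetDescString: (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=db1.example.com)
 (PORT=1521))(CONNECT_DATA=(SERVICE_NAME=orcl)))

dn: cn=OracleContext,dc=example,dc=com
objectClass: orclContext
cn: OracleContext

dn: cn=hr,cn=OracleContext,dc=example,dc=com
objectClass: orclNetService
cn: hr
orclNetDescString:: """ + base64.b64encode(HR_DESC.encode()).decode() + "\n"

def parse_ldif(text):
    """Yield one {attribute: [values]} dict per LDIF entry."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # folded line: continue previous
            lines[-1] += raw[1:]
        elif not raw.startswith("#"):       # skip LDIF comments
            lines.append(raw)
    entry = {}
    for line in lines + [""]:               # trailing "" flushes the last entry
        if not line.strip():
            if entry:
                yield entry
            entry = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):           # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        entry.setdefault(attr.lower(), []).append(value.strip())

def ldif_to_tnsnames(text):
    """Render orclNetService entries as tnsnames.ora text; skip everything else."""
    out = []
    for e in parse_ldif(text):
        classes = {c.lower() for c in e.get("objectclass", [])}
        if "orclnetservice" in classes and "cn" in e and "orclnetdescstring" in e:
            out.append(f"{e['cn'][0].upper()} =\n  {e['orclnetdescstring'][0]}\n")
    return "\n".join(out)
```

The generated file contains every connect descriptor in the export, so it should be distributed with the same care as the directory data it replaces.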