From e84c18488bee6c19dcf5c973930fe0861681dbaa Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20Falc=C3=B3n=20Ruiz?=
Date: Thu, 8 Jul 2021 13:37:11 +0100
Subject: [PATCH] add anonymous binding configurations
---
 .../rootfs/opt/bitnami/scripts/libopenldap.sh | 24 +++++++++++++++++++
 1 file changed, 24 insertions(+)
diff --git a/bitnami/openldap/2/debian-10/rootfs/opt/bitnami/scripts/libopenldap.sh b/bitnami/openldap/2/debian-10/rootfs/opt/bitnami/scripts/libopenldap.sh
index 08ed86b921fe..67d574331aa1 100644
--- a/bitnami/openldap/2/debian-10/rootfs/opt/bitnami/scripts/libopenldap.sh
+++ b/bitnami/openldap/2/debian-10/rootfs/opt/bitnami/scripts/libopenldap.sh
@@ -34,6 +34,7 @@ export LDAP_DATA_DIR="${LDAP_VOLUME_DIR}/data"
 export LDAP_ONLINE_CONF_DIR="${LDAP_VOLUME_DIR}/slapd.d"
 export LDAP_PID_FILE="${LDAP_BASE_DIR}/var/run/slapd.pid"
 export LDAP_CUSTOM_LDIF_DIR="${LDAP_CUSTOM_LDIF_DIR:-/ldifs}"
+export LDAP_ALLOW_ANON_BINDINGS="${LDAP_ALLOW_ANON_BINDINGS:-no}"
 export LDAP_CUSTOM_SCHEMA_FILE="${LDAP_CUSTOM_SCHEMA_FILE:-/schema/custom.ldif}"
 export PATH="${LDAP_BIN_DIR}:${LDAP_SBIN_DIR}:$PATH"
 export LDAP_TLS_CERT_FILE="${LDAP_TLS_CERT_FILE:-}"
@@ -257,6 +258,26 @@ EOF
 debug_execute ldapmodify -Y EXTERNAL -H "ldapi:///" -f "${LDAP_SHARE_DIR}/admin.ldif"
 }
+########################
+# Disable LDAP anonymous bindings
+# Globals:
+# LDAP_*
+# Arguments:
+# None
+# Returns:
+# None
+#########################
+ldap_disable_anon_bindings() { info "Disable LDAP anonymous bindings" cat > "${LDAP_SHARE_DIR}/ldap_disable_anon_bind.ldif" << EOF
+dn: cn=config
+changetype: modify
+add: olcDisallows
+olcDisallows: bind_anon
+EOF debug_execute ldapmodify -Y EXTERNAL -H "ldapi:///" -f "${LDAP_SHARE_DIR}/ldap_disable_anon_bind.ldif"
+}
+
 ########################
 # Add LDAP schemas
 # Globals: 
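Review bot: The new `LDAP_ALLOW_ANON_BINDINGS` default of `no` flips behaviour for deployments that relied on anonymous binds until now, and nothing in this patch documents the variable, while the neighbouring `LDAP_*` settings presumably are documented elsewhere in the image. Failing closed is the right default for a directory server, but the variable and its accepted values should be listed with the other environment options and the change called out in the changelog, so operators who need anonymous binds know to set `LDAP_ALLOW_ANON_BINDINGS=yes`.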
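Review bot: The LDIF written by ldap_disable_anon_bindings sets `olcDisallows: bind_anon`, which rejects anonymous bind requests but, per slapd.conf(5), does not by itself prohibit anonymous (unauthenticated) directory access; that still depends on the configured ACLs or on `olcRequires: authc`. Whether the image's ACLs already close that path cannot be seen from this hunk, so the function header should at least state the scope with `# Note: rejects anonymous BIND requests only; unauthenticated access is still governed by the ACLs (see olcRequires: authc)`. A lesser point: `add: olcDisallows` fails with "Type or value exists" if bind_anon is already present, so if this can ever run against a persisted cn=config, `replace:` is the idempotent form.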
@@ -417,6 +438,9 @@ ldap_initialize() {
 ldap_create_online_configuration
 ldap_start_bg
 ldap_admin_credentials
+ if [ "$LDAP_ALLOW_ANON_BINDINGS" != 'yes' ]; then
+ ldap_disable_anon_bindings
+ fi
 if is_boolean_yes "$LDAP_ENABLE_TLS"; then
 ldap_configure_tls
 fi
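Review bot: The new guard `[ "$LDAP_ALLOW_ANON_BINDINGS" != 'yes' ]` accepts only the literal lowercase `yes`, while the TLS check directly below it goes through `is_boolean_yes`, so values such as `true`, `1` or `YES` would leave anonymous binds disabled. Failing closed is the safe direction, but two adjacent flags parsing differently is surprising for operators; use the same helper, `if ! is_boolean_yes "$LDAP_ALLOW_ANON_BINDINGS"; then`, so both settings behave alike. ldap_initialize continues past the end of the hunk.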