From 9828b867baaddc075d90e01e6ae9663170a8a39d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?= Date: Fri, 20 Dec 2019 16:46:03 +0100 Subject: [PATCH] Disable anonymous binds See https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/configuring-special-binds.html#disabling-anonymous-binds --- .../kosmos-dirsrv/resources/instance.rb | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/site-cookbooks/kosmos-dirsrv/resources/instance.rb b/site-cookbooks/kosmos-dirsrv/resources/instance.rb index e9a59a7..c27e472 100644 --- a/site-cookbooks/kosmos-dirsrv/resources/instance.rb +++ b/site-cookbooks/kosmos-dirsrv/resources/instance.rb @@ -51,6 +51,7 @@ action :create do notifies :restart, "service[#{service_name}]", :immediately notifies :delete, "template[#{setup_config}]", :immediately notifies :run, "execute[add users group]", :delayed + notifies :run, "execute[disable anonymous access]", :delayed end end @@ -70,6 +71,23 @@ action :create do action :nothing end + file "#{Chef::Config[:file_cache_path]}/disable_anonymous_access.ldif" do + content <<-EOF +dn: cn=config +changetype: modify +replace: nsslapd-allow-anonymous-access +nsslapd-allow-anonymous-access: off + EOF + owner "root" + group "root" + end + + execute "disable anonymous access" do + command "ldapmodify -x -w #{new_resource.admin_password} -D '#{new_resource.bind_dn}' -f '#{Chef::Config[:file_cache_path]}/disable_anonymous_access.ldif' -p #{new_resource.port} -h localhost" + sensitive true + action :nothing + end + unless node.chef_environment == "development" package "libnss3-tools" # provides pk12util
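Review bot: The new `execute "disable anonymous access"` passes `new_resource.admin_password` on the ldapmodify command line with `-w`; `sensitive true` only keeps it out of the Chef log, so for the lifetime of the ldapmodify process the Directory Manager password is readable by any local user through `ps` or `/proc/<pid>/cmdline`. Write it to a root-only 0600 file and use `-y` instead, and pass `command` as an array so `bind_dn` and the paths are not interpolated into a shell string (the single quotes around `bind_dn` would break on a DN containing `'`). A separate caveat: `nsslapd-allow-anonymous-access: off` also denies anonymous reads of the root DSE, so if any client reads supportedSASLMechanisms or similar before binding, the `rootdse` value described on the linked Red Hat page is the narrower setting — confirm against the consumers of this directory. The enclosing `action :create` block starts and ends outside the hunk.

```ruby
  # … unchanged: disable_anonymous_access.ldif file resource …

  # Keep the Directory Manager password off the command line (-w is visible in ps);
  # ldapmodify -y uses the complete file contents, so write it without a trailing newline.
  file "#{Chef::Config[:file_cache_path]}/disable_anonymous_access.pw" do
    content new_resource.admin_password
    owner "root"
    group "root"
    mode "0600"
    sensitive true
  end

  execute "disable anonymous access" do
    # Array form runs without a shell, so bind_dn and paths need no quoting.
    command ["ldapmodify", "-x",
             "-D", new_resource.bind_dn,
             "-y", "#{Chef::Config[:file_cache_path]}/disable_anonymous_access.pw",
             "-f", "#{Chef::Config[:file_cache_path]}/disable_anonymous_access.ldif",
             "-p", new_resource.port.to_s, "-h", "localhost"]
    sensitive true
    action :nothing
    # Remove the password file as soon as the bind has been performed.
    notifies :delete, "file[#{Chef::Config[:file_cache_path]}/disable_anonymous_access.pw]", :immediately
  end
```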