How To Restrict Anonymous Access To OID Only For Tnsnames Entries / Resolution?

(Doc ID 1471635.1)

Last updated on MARCH 08, 2017

Applies to:

Oracle Internet Directory - Version 10.1.2 to 11.1.1 [Release 10gR2 to 11g]
Information in this document applies to any platform.
***Checked for relevance on 13-jan-2014***

Goal

Oracle Internet Directory (OID) 10g or 11g.

It is understood that anonymous binds are required for tnsnames resolution, but how can stricter security requirements be met, such as the following:

Question 1:
All clients use OID for names resolution, as well as other queries, and also for authentication/authorization.
All clients use the same OID or load balancer hostname and port.
Anonymous binds must be enabled for tnsnames resolution, but should be restricted to names resolution and nothing else.
Also want to restrict all user-identity attributes (i.e. DN, CN, UID, etc.) and any password-related attribute from being queried or returned by anonymous binds/searches.
In short, how can everything but tnsnames resolution be disallowed for anonymous binds/searches?

Question 2:
The following command:

returns all values in the OID server.
How can the security be modified so that it returns a single connect string only when a valid service name is specified, and returns the full list of all values only when a proper password is supplied?

Question 3:
Anonymous binds are needed to fulfill the TNS requirements, but how can anonymous users be restricted from accessing anything else? For example, anonymous users should not be able to see the cn=users,<realm> container.

Solution
