AD LDAP Configuration - security settings

Posted on 2003-11-21
Last Modified: 2012-05-04
Please advise how to deal with the LDAP config.

We installed Test AD server to make internet access authorization through LDAP, it's now in the 'local' zone. DNS isn't installed there.

Now LDAP works, but:

1. Server accepts anonymous LDAP queries or queries with any username if the password is blank.
2. Server refuses to accept queries with any username/password, correct or incorrect, if the password isn't blank.
3. Server doesn't accept SSL calls to port 636.

We need just the opposite reaction to 1, 2, 3.

I understand that I missed a screen at installation and it should be something primitive, but where should I look?

Thanks,
Mike
Question by: MLSmnv

Accepted Solution by: MLSmnv
OK, looks like the site isn't as popular as it used to be. Well, if anybody else would need it:

The main trick was in the username syntax. We experimented with a test AD which didn't have a standard Internet name, so to get it accepted we needed to use

    username="eweb\atest"
or
    username="atest@eweb.local"

Our first breakthrough after a week of experiments was

username="CN=<AD FULL NAME>,CN=Users,DC=eweb,DC=local"

This is fun, why this damn piece of explanation wasn't published yet:

<CFLDAP
    SERVER="199.128.236.10"
    ACTION="Query"
    START="CN=Users,DC=eweb,DC=local"
    scope="subtree"
    NAME="results"
    ATTRIBUTES="cn,dc,name,dn"
    username="eweb\atest2"
    password=""
    secure="CFSSL_BASIC"
    port="636"
    >


If you deal with LDAP, remember that the blank password makes you "anonymous", whatever you use for the username.

In accordance with the LDAP v3 RFC 2251, an LDAP bind in which a username is provided but a password is not [ie. blank] is treated as an anonymous bind. This means that a bind is granted to users providing a username but no password.


Mike
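An added example, not part of the original answer or of ColdFusion, showing the application-side guard the last two paragraphs imply: because a simple bind with a name but a blank password is an anonymous bind under RFC 2251, an application must refuse to forward empty passwords rather than trust the server's "success". The domain names, the `simulated_bind` stand-in and the directory entry are constructed for the example; in a real deployment `bind` would wrap a library call such as ldap3's `Connection.bind()`.

```python
from typing import Callable

# Constructed naming context matching the answer's test domain "eweb.local".
DOMAIN_NETBIOS = "eweb"
DOMAIN_DNS = "eweb.local"


def normalize_user(user: str) -> str:
    """Accept the three forms from the answer and return a bind name.

    'eweb\\atest' and bare 'atest' become the UPN 'atest@eweb.local';
    'atest@eweb.local' and a full DN ('CN=...,CN=Users,DC=eweb,DC=local')
    are passed through unchanged.
    """
    if "=" in user and "," in user:          # already a distinguished name
        return user
    if "\\" in user:                          # down-level DOMAIN\user form
        domain, _, name = user.partition("\\")
        if domain.lower() != DOMAIN_NETBIOS:
            raise ValueError(f"unexpected domain {domain!r}")
        return f"{name}@{DOMAIN_DNS}"
    if "@" in user:                           # UPN form
        return user
    return f"{user}@{DOMAIN_DNS}"


def authenticate(bind: Callable[[str, str], bool], user: str, password: str) -> bool:
    """True only when a simple bind with a NON-EMPTY password succeeded.

    `bind(name, password)` is any simple-bind callable; it is injected so
    the example runs offline. An empty password is rejected before the bind
    because the server would treat it as an anonymous bind and report success
    without authenticating anybody (item 1 of the question).
    """
    if not user or not user.strip():
        return False
    if password == "":
        return False
    return bind(normalize_user(user), password)


# Constructed stand-in that models the RFC 2251 rule the answer quotes:
# a blank password is accepted as anonymous regardless of the username.
FAKE_DIRECTORY = {"atest@eweb.local": "correct-horse"}   # constructed test entry


def simulated_bind(name: str, password: str) -> bool:
    if password == "":
        return True                           # anonymous bind "succeeds"
    return FAKE_DIRECTORY.get(name) == password
```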
