?
Solved

AD LDAP Configuration - security settings

Posted on 2003-11-21
2
Medium Priority
?
693 Views
Last Modified: 2012-05-04
Please, advice how to deal with the LDAP config.

We installed Test AD server to make internet access authorization through LDAP, it's now in the 'local' zone. DNS isn't installed there.

Now LDAP works, but:

1. Server accepts anonymous LDAP queries or queries with any Username if password is blank.
2. Server refuses to accept queries with any username/ passwords, correct or incorrect, if passwrord isn't blank.
3. Server doesn't accept SSL calls to port 636.

We need just opposite reaction to 1, 2, 3.

I understand that I missed a screen at installation and it should be something primitive, but where to look at?

Thanks,
Mike
0
Comment
Question by:MLSmnv
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 1

Accepted Solution

by:
MLSmnv earned 0 total points
ID: 9838358
OK, Looks like the site isn't so popular as it used to be. Well, if anybody else would need it:

The main trick was in the username syntax. We experimented with test AD which didn't have a standard Internet name, so to get it accepted we needed to use
      username="eweb\atest"
                or
               username="atest@eweb.local".

Our first breakthrough after the week of experiments was the

username="CN=<AD FULL NAME>,CN=Users,DC=eweb,DC=local"

This is fun, why this damn piece of explanation wasn't published yet:

<CFLDAP
    SERVER="199.128.236.10"
      ACTION="Query"
      START="CN=Users,DC=eweb,DC=local"
      scope="subtree"
      NAME="results"
      ATTRIBUTES="cn,dc,name,dn"
      username="eweb\atest2"
      password=""
      secure="CFSSL_BASIC"
      port="636"
      >


If you deal with LDAP, remember that the blank password makes you "anonymous", whatever you use for the username.

In accordance with the LDAP v3 RFC 2251, an LDAP bind in which a username is provided but a password is not [ie. blank] is treated as an anonymous bind. This means that a bind is granted to users providing a username but no password.


Mike
0

Featured Post

Create the perfect environment for any meeting

You might have a modern environment with all sorts of high-tech equipment, but what makes it worthwhile is how you seamlessly bring together the presentation with audio, video and lighting. The ATEN Control System provides integrated control and system automation.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Have you ever set up your wireless router at home or in the office to find that you little pop-up bubble in the bottom right-hand corner of Windows read "IP Conflict - One of more computers on the network have been assigned the following IP address"…
The Need In an Active Directory enviroment, the PDC emulator provide time synchronization for the domain. This is important since Active Directory uses Kerberos for authentication.  By default, if the time difference between systems is off by more …
Michael from AdRem Software explains how to view the most utilized and worst performing nodes in your network, by accessing the Top Charts view in NetCrunch network monitor (https://www.adremsoft.com/). Top Charts is a view in which you can set seve…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…

801 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question