Solved

AD LDAP Configuration - security settings

Posted on 2003-11-21
2
690 Views
Last Modified: 2012-05-04
Please, advice how to deal with the LDAP config.

We installed Test AD server to make internet access authorization through LDAP, it's now in the 'local' zone. DNS isn't installed there.

Now LDAP works, but:

1. Server accepts anonymous LDAP queries or queries with any Username if password is blank.
2. Server refuses to accept queries with any username/ passwords, correct or incorrect, if passwrord isn't blank.
3. Server doesn't accept SSL calls to port 636.

We need just opposite reaction to 1, 2, 3.

I understand that I missed a screen at installation and it should be something primitive, but where to look at?

Thanks,
Mike
0
Comment
Question by:MLSmnv
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 1

Accepted Solution

by:
MLSmnv earned 0 total points
ID: 9838358
OK, Looks like the site isn't so popular as it used to be. Well, if anybody else would need it:

The main trick was in the username syntax. We experimented with test AD which didn't have a standard Internet name, so to get it accepted we needed to use
      username="eweb\atest"
                or
               username="atest@eweb.local".

Our first breakthrough after the week of experiments was the

username="CN=<AD FULL NAME>,CN=Users,DC=eweb,DC=local"

This is fun, why this damn piece of explanation wasn't published yet:

<CFLDAP
    SERVER="199.128.236.10"
      ACTION="Query"
      START="CN=Users,DC=eweb,DC=local"
      scope="subtree"
      NAME="results"
      ATTRIBUTES="cn,dc,name,dn"
      username="eweb\atest2"
      password=""
      secure="CFSSL_BASIC"
      port="636"
      >


If you deal with LDAP, remember that the blank password makes you "anonymous", whatever you use for the username.

In accordance with the LDAP v3 RFC 2251, an LDAP bind in which a username is provided but a password is not [ie. blank] is treated as an anonymous bind. This means that a bind is granted to users providing a username but no password.


Mike
0

Featured Post

What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I'm a big fan of Windows' offline folder caching and have used it on my laptops for over a decade.  One thing I don't like about it, however, is how difficult Microsoft has made it for the cache to be moved out of the Windows folder.  Here's how to …
Resolve DNS query failed errors for Exchange
This video shows how to use Hyena, from SystemTools Software, to update 100 user accounts from an external text file. View in 1080p for best video quality.

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question