Solved

AD LDAP Configuration - security settings

Posted on 2003-11-21
Last Modified: 2012-05-04
Please advise how to deal with the LDAP config.

We installed a test AD server to do internet access authorization through LDAP; it's now in the 'local' zone. DNS isn't installed there.

Now LDAP works, but:

1. The server accepts anonymous LDAP queries, or queries with any username if the password is blank.
2. The server refuses to accept queries with any username/password, correct or incorrect, if the password isn't blank.
3. The server doesn't accept SSL calls to port 636.

We need just the opposite reaction to 1, 2 and 3.

I understand that I missed a screen at installation and it should be something primitive, but where should I look?

Thanks,
Mike
Question by:MLSmnv
2 Comments
 
LVL 1

Accepted Solution

by: MLSmnv (earned 0 total points)
ID: 9838358
OK, looks like the site isn't as popular as it used to be. Well, in case anybody else needs it:

The main trick was in the username syntax. We experimented with a test AD which didn't have a standard Internet name, so to get it accepted we needed to use

      username="eweb\atest"
or
      username="atest@eweb.local"

Our first breakthrough after a week of experiments was

      username="CN=<AD FULL NAME>,CN=Users,DC=eweb,DC=local"

This is fun; why hasn't this damn piece of explanation been published yet:

<CFLDAP
    SERVER="199.128.236.10"
    ACTION="Query"
    START="CN=Users,DC=eweb,DC=local"
    scope="subtree"
    NAME="results"
    ATTRIBUTES="cn,dc,name,dn"
    username="eweb\atest2"
    password=""
    secure="CFSSL_BASIC"
    port="636">


If you deal with LDAP, remember that a blank password makes you "anonymous", whatever you use for the username.

In accordance with the LDAP v3 RFC 2251, an LDAP bind in which a username is provided but a password is not [i.e. blank] is treated as an anonymous bind. This means that a bind is granted to users providing a username but no password.


Mike
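The two points in the accepted solution (the three AD username forms, and the RFC 2251 rule that a name with a blank password is an unauthenticated bind the server treats as anonymous) are worth seeing at the wire level. The following is an added example, not code from the original post and not ColdFusion: it BER-encodes the LDAPv3 BindRequest a client sends, so you can see that a blank password is transmitted as an empty simple credential, classifies the username forms from the post, and shows the client-side guard a login path should run before it ever sends the bind. It does not talk to a directory; the domain and usernames (eweb, eweb.local, atest) come from the post, the message id and password values are constructed for the example.

```python
"""Client-side guard against the LDAPv3 "blank password = anonymous" trap.

Added example for the post above; not part of it and not ColdFusion.
Encodes a raw LDAPv3 BindRequest (RFC 2251 section 4.2, BER/DER) to show
what a blank password puts on the wire, and checks credentials before
any bind is sent. No directory connection is made.
"""
import re

LDAP_VERSION = 3


def ber_length(n: int) -> bytes:
    """BER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber(tag: int, payload: bytes) -> bytes:
    """One TLV element: tag, length, value."""
    return bytes([tag]) + ber_length(len(payload)) + payload


def bind_request(message_id: int, name: str, password: str) -> bytes:
    """Encode LDAPMessage { messageID, BindRequest { version, name, simple } }.

    Tags: 0x30 SEQUENCE, 0x02 INTEGER, 0x04 OCTET STRING (LDAPDN),
    0x60 [APPLICATION 0] BindRequest, 0x80 [0] simple password.
    message_id is kept below 128 so the INTEGER fits in one byte (example
    simplification; larger ids need a multi-byte two's-complement encoding).
    """
    version = ber(0x02, bytes([LDAP_VERSION]))
    bind_name = ber(0x04, name.encode("utf-8"))
    simple = ber(0x80, password.encode("utf-8"))  # blank password -> 80 00
    bind = ber(0x60, version + bind_name + simple)
    return ber(0x30, ber(0x02, bytes([message_id])) + bind)


def classify_bind(name: str, password: str) -> str:
    """How an RFC 2251 server reads a simple bind with these fields."""
    if not name and not password:
        return "anonymous"
    if name and not password:
        # The post's pitfall: name present, password empty. The server
        # grants anonymous access without ever checking the name, so any
        # username "succeeds" and the application thinks it authenticated.
        return "unauthenticated"
    if not name:
        return "malformed"  # password without a name is never a valid login
    return "simple"


# The three username forms the post found AD accepts (constructed regexes;
# deliberately strict so a bare sAMAccountName falls through to "bare").
DOWN_LEVEL = re.compile(r"^[^\\/@=,\s]+\\[^\\/@=,\s]+$")   # eweb\atest
UPN = re.compile(r"^[^\\/@=,\s]+@[^\\/@=,\s]+$")          # atest@eweb.local
DN = re.compile(r"^[A-Za-z][\w-]*=[^,]+(?:,[A-Za-z][\w-]*=[^,]+)*$")  # CN=..,DC=..


def username_form(name: str) -> str:
    """Return 'dn', 'down-level', 'upn' or 'bare' for the given bind name."""
    if DN.match(name):
        return "dn"
    if DOWN_LEVEL.match(name):
        return "down-level"
    if UPN.match(name):
        return "upn"
    return "bare"


def credential_error(name: str, password: str):
    """None if the bind is safe to send, otherwise why it must not be sent."""
    kind = classify_bind(name, password)
    if kind == "unauthenticated":
        return f"refusing bind for {name!r}: blank password would be granted as anonymous"
    if kind != "simple":
        return f"refusing {kind} bind: both a name and a password are required"
    if username_form(name) == "bare":
        return f"{name!r} is not domain-qualified; use DOMAIN\\user, user@domain or a full DN"
    return None


def safe_bind_request(message_id: int, name: str, password: str) -> bytes:
    """Encode the bind only after the guard passes; raise otherwise."""
    err = credential_error(name, password)
    if err:
        raise ValueError(err)
    return bind_request(message_id, name, password)


if __name__ == "__main__":
    for user, pw in [("eweb\\atest", ""), ("eweb\\atest", "s3cret"),
                     ("atest@eweb.local", "s3cret"), ("atest", "s3cret"),
                     ("CN=A Test,CN=Users,DC=eweb,DC=local", "s3cret")]:
        print(f"{user!r:45} {classify_bind(user, pw):15} {username_form(user):10}",
              credential_error(user, pw) or bind_request(1, user, pw).hex())
```

The guard is the part to copy: reject an empty password in the application before the bind, because the directory will not. The encoded request also shows why "secure" transport does not help here; the 0x80 0x00 credential is the same over port 636 as over 389.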