Sorry for the double post... please don't CC the alias I accidentally CC'd when I first sent this.

Thanks!

~Eric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Wednesday, May 19, 2004 6:51 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Anonymous bind

I'm going to respectfully disagree with the approach being taken here. It is, IMHO, misguided.

What has been described as a security hole (opening your AD for a subset of operations being allowed by ANONYMOUS) has somehow been justified in the OpenLDAP world. Make no mistake about it: anonymous is anonymous on any platform. Allowing ANONYMOUS to read from one directory vs. another is the same threat. Why they are being viewed differently is a mystery to me.

That said, from an order of complexity perspective, a sync solution will be substantially harder to set up and maintain over the long haul.

If this were my project, I would do the following:

1) Flip the 7th bit of dsHeuristics to 2, enabling the ability to have anonymous binds to the DS (part one of the solution).

2) We now need to ACL things so that ANONYMOUS has access to the data required. Fundamentally, there are two approaches:

a. Target the objects that your auth client will be searching (perhaps a single subtree under an OU) and grant ANONYMOUS the minimum required perms for it... my bet is that just read to a subset of attributes is sufficient.

b. You can try to flip the reg value "EveryoneIncludesAnonymous" to 1 on a single DC and see if that satisfies your needs.
NOTE: this approach, if it works, is particularly advantageous as it is localized to a single DC, i.e. only a subset of DCs would have increased abilities for ANONYMOUS.

Many comments Guy made confuse me, especially this one:

> You will definitely not want that in production

So you want to have a second directory with ANONYMOUS able to read it, but not a single one? How is OpenLDAP with ANONYMOUS somehow different than AD with ANONYMOUS reads enabled? I fail to see the difference here. If your difference was the localization problem, my EveryoneIncludesAnonymous solution might do that for you a bit more gracefully.

I don't recall all of the ACLs that Everyone has in 2k03 out of the box, but if there is a problem there send me a trace of a failure and I can show you what needs to change to make it work. I bet it is small though.

~Eric
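Eric's step 1 is a positional edit of one attribute, and two details of that edit are easy to get wrong in practice: dsHeuristics is a single string, so you have to read the current value and change only the 7th character (replacing the whole attribute with "0000002" silently resets any other heuristic already set), and once the string is long enough the directory requires every 10th character to be a check digit (the 10th must be '1', the 20th '2', and so on). The following Python is an added example, not code from the thread or from Microsoft; it builds the new value, checks that rule, and emits an LDIF modify for the Directory Service object in the Configuration naming context. The helper names, the forest root DN DC=example,DC=com and the "current" value in the demo are this example's own assumptions.

```python
"""Compute and emit a dsHeuristics change that enables anonymous LDAP operations.

Constructed example; the helper names are this example's own, not an AD or
Microsoft API.  dsHeuristics is a positional string on
CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,<forest root>.
Character 7 (1-based) is fLDAPBlockAnonOps: '2' permits anonymous operations
(still subject to ACLs); anything else leaves them blocked apart from rootDSE.
"""

FLDAP_BLOCK_ANON_OPS = 7          # 1-based position of the anonymous-ops heuristic
DS_OBJECT_RDN = "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration"


def validate_heuristics(value: str) -> None:
    """Raise ValueError if value breaks the every-10th-character rule.

    Position 10 must be '1', position 20 must be '2', ... ((pos // 10) % 10).
    A value shorter than 10 characters has no such positions and is fine.
    """
    for pos in range(10, len(value) + 1, 10):
        expected = str((pos // 10) % 10)
        if value[pos - 1] != expected:
            raise ValueError(
                f"dsHeuristics position {pos} must be '{expected}', "
                f"found '{value[pos - 1]}'"
            )


def set_heuristic(current: str, position: int, char: str) -> str:
    """Return current with the 1-based position set to char.

    The string is zero-padded as needed and the mandatory check characters at
    positions 10, 20, ... are filled in, so heuristics already present in
    current are preserved instead of being overwritten.
    """
    if position < 1 or position % 10 == 0:
        raise ValueError("position must be >= 1 and not a check position")
    if len(char) != 1:
        raise ValueError("char must be a single character")
    validate_heuristics(current)          # refuse to build on a corrupt value
    chars = list(current.ljust(position, "0"))
    chars[position - 1] = char
    for pos in range(10, len(chars) + 1, 10):
        chars[pos - 1] = str((pos // 10) % 10)
    return "".join(chars)


def anonymous_ops_enabled(value: str) -> bool:
    """True when the 7th character is '2' (fLDAPBlockAnonOps switched off)."""
    return len(value) >= FLDAP_BLOCK_ANON_OPS and value[FLDAP_BLOCK_ANON_OPS - 1] == "2"


def enable_anonymous_ops(current: str) -> str:
    """New dsHeuristics value with only the anonymous-ops character changed."""
    return set_heuristic(current, FLDAP_BLOCK_ANON_OPS, "2")


def modify_ldif(forest_root_dn: str, new_value: str) -> str:
    """LDIF for ldapmodify/ldifde; 'replace' because dsHeuristics is single-valued."""
    validate_heuristics(new_value)
    return (
        f"dn: {DS_OBJECT_RDN},{forest_root_dn}\n"
        "changetype: modify\n"
        "replace: dsHeuristics\n"
        f"dsHeuristics: {new_value}\n"
        "-\n"
    )


if __name__ == "__main__":
    # Constructed current value: some other heuristic is already set at position 13,
    # which is exactly what a blind "replace with 0000002" would wipe out.
    current = "0000000001001"
    new = enable_anonymous_ops(current)
    print("current:", current, "anonymous ops:", anonymous_ops_enabled(current))
    print("new:    ", new, "anonymous ops:", anonymous_ops_enabled(new))
    print(modify_ldif("DC=example,DC=com", new))
```

Two caveats before applying the LDIF: the Directory Service object lives in the Configuration partition, so unlike the EveryoneIncludesAnonymous registry value this setting replicates to every DC in the forest, and enabling it only removes the blanket block; what ANONYMOUS LOGON can actually read is still decided by the ACLs in Eric's step 2.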

 

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aitzol Naberan Burgaña
Sent: Wednesday, May 19, 2004 1:47 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Anonymous bind

OK, I will try the second approach.
So I have to copy (sync) all the AD data into my local OpenLDAP??? Creating a local schema with the user info???
--

Aitzol Naberan Burgaña
CodeSyntax
[EMAIL PROTECTED]
www.codesyntax.com
Tel: 943  82 17 80



Guy Teverovsky wrote:

There are several solutions to that:
 
1) Grant Everyone read permissions (this object and all child objects)
to the domain object. The drawbacks are obvious: you are opening a HUGE
security hole. You will definitely not want that in production.
 
2) Setup OpenLDAP and sync the needed attributes from AD. From what I
can find ( http://docs.opengroupware.org/Members/sim/ldap-notes/view ),
you will need to use top, account and simpleSecurityObject
objectClasses. 
userPassword attribute can be a pointer to the user's Kerberos principal
in AD Kerberos realm in the following form:
userPassword: {[EMAIL PROTECTED]
In that way you can allow anonymous searches in OpenLDAP while exposing
the bare minimum data and yet authenticate the users through LDAP.
What happens in such a configuration is something like this:
 
1) OpenGroupware binds anonymously to OpenLDAP and performs the search
for user object.
2) After the user object is found, OpenGroupware tries to bind as user
to OpenLDAP (you should configure SSL/TLS if you do not want the
passwords to travel in clear text)
3) OpenLDAP proxies the authentication request and passes it to AD's
Kerberos.
4) AD's KDC verifies the user/password and returns OK to OpenLDAP.
5) OpenLDAP lets the user bind to OpenLDAP and user is authenticated.
 
As you can figure out, this approach greatly depends on the size of
your AD (I have tested this at a small size network when implementing
single sign-on for Linux clients; I have no idea how it will behave, if at
all, with a larger than single site implementation).

Have a look at the following link for a HOWTO I used:
http://www.arayan.com/da/yazi/OpenAFS_Kerberos_5.html

Again, I have not tested it with OG and the above-mentioned
objectClasses (I needed top, person and posixAccount), but I guess this
should work the same.
 
Guy 
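The five steps Guy lists are a protocol exchange, and its security rests on two things that are easy to lose when wiring it up: the anonymous search must expose only what the client needs to find the user's DN (never userPassword, which in the {SASL} form would also leak the Kerberos principal mapping), and the actual authentication must be the second bind, passed through to the KDC, not a comparison against a stored hash as the earlier messages suspect OpenGroupware of attempting. The following Python is an added example, not code from OpenGroupware, OpenLDAP or the thread: it models the proxy directory and the client flow in memory so it runs offline. The Directory class, the in-memory KDC, the user alice@EXAMPLE.COM and the attribute names are constructed for this example; in a real deployment slapd and saslauthd play those roles.

```python
"""Model of the anonymous-search-then-user-bind login flow from the thread.

Constructed, in-memory stand-ins: Directory plays the OpenLDAP proxy and
kdc_verify plays AD's KDC reached through SASL pass-through.  Names are this
example's own, not an OpenLDAP, OpenGroupware or AD API.
"""
import hmac
from dataclasses import dataclass

# Bare minimum an anonymous search may see: enough to locate the user's DN.
ANON_READABLE = frozenset({"objectClass", "uid", "cn"})
SASL_PREFIX = "{SASL}"


@dataclass
class Entry:
    dn: str
    attrs: dict


class Directory:
    def __init__(self, entries, kdc_verify):
        self._entries = {e.dn: e for e in entries}
        self._kdc_verify = kdc_verify        # callable(principal, password) -> bool

    def search(self, bound_dn, attr, value):
        """Equality search.  Anonymous callers (bound_dn None) get ANON_READABLE
        only; authenticated callers get everything except userPassword, which is
        never returned to anyone (as AD does for unicodePwd)."""
        hits = []
        for e in self._entries.values():
            if e.attrs.get(attr) != value:
                continue
            if bound_dn is None:
                visible = {k: v for k, v in e.attrs.items() if k in ANON_READABLE}
            else:
                visible = {k: v for k, v in e.attrs.items() if k != "userPassword"}
            hits.append(Entry(e.dn, visible))
        return hits

    def bind(self, dn, password):
        """Simple bind.  Returns the identity the session is bound as, or None.

        A DN with an empty password is an 'unauthenticated' bind: many servers
        grant it anonymous access (RFC 4513), so a client that treats it as a
        successful user login is bypassable.  The model returns None for it.
        """
        if dn is None:
            return "anonymous"
        if not password:
            return None
        entry = self._entries.get(dn)
        if entry is None:
            return None
        stored = entry.attrs.get("userPassword", "")
        if stored.startswith(SASL_PREFIX):
            principal = stored[len(SASL_PREFIX):]          # e.g. alice@EXAMPLE.COM
            return dn if self._kdc_verify(principal, password) else None
        return None  # only pass-through credentials exist in this model


def login(directory, username, password):
    """Steps 1-5 from the thread as the client sees them."""
    assert directory.bind(None, None) == "anonymous"        # step 1: anonymous bind
    hits = directory.search(None, "uid", username)          # step 1: locate the DN
    if len(hits) != 1:
        return False, "user not found, or anonymous search denied"
    entry = hits[0]
    if "userPassword" in entry.attrs:                       # ACL sanity check
        return False, "ACL error: userPassword visible to anonymous"
    if directory.bind(entry.dn, password) != entry.dn:      # steps 2-5: bind as user
        return False, "bad credentials"
    return True, entry.dn


# Constructed KDC: principal -> password (stands in for AD's Kerberos realm).
_KDC = {"alice@EXAMPLE.COM": "correct horse battery staple"}


def kdc_verify(principal, password):
    known = _KDC.get(principal)
    return known is not None and hmac.compare_digest(known.encode(), password.encode())


DIRECTORY = Directory(
    [
        Entry(
            "uid=alice,ou=people,dc=example,dc=com",
            {
                "objectClass": "account",
                "uid": "alice",
                "cn": "Alice",
                "mail": "alice@example.com",
                "userPassword": "{SASL}alice@EXAMPLE.COM",
            },
        )
    ],
    kdc_verify,
)


if __name__ == "__main__":
    print(login(DIRECTORY, "alice", "correct horse battery staple"))  # (True, dn)
    print(login(DIRECTORY, "alice", "wrong"))                         # bad credentials
    print(login(DIRECTORY, "alice", ""))                              # bad credentials
    print(login(DIRECTORY, "bob", "x"))                               # not found
```

In slapd terms the search rule corresponds to an access directive that lets anonymous read only the attributes needed for the lookup and gives userPassword `by anonymous auth` and `by * none`, so it can be used for binding but never read; the {SASL} scheme additionally needs slapd built with SASL and saslauthd running a kerberos5 mechanism. The empty-password check is the one the model deliberately makes explicit, because a client that only tests "bind did not error" can be logged in as anyone with a blank password.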
 
On Tue, 2004-05-18 at 17:17, Aitzol Naberan Burgaña wrote:

It's not so easy to rewrite the source code; I will need to spend a lot of
time to understand the source and to change it. But I think that I
have to do it, and change the bind method (I think it will work...).
 
OpenGroupware is for unix systems, you can learn more in
www.opengroupware.org
 
Thanks
--
Aitzol Naberan Burgaña
CodeSyntax
[EMAIL PROTECTED]
www.codesyntax.com
Tel: 943  82 17 80
 
 
joe wrote:

Ah. Interesting, so it sounds like they want to compare the hashes
instead of actually use the authentication of the system. Well since
it is OpenSource, that should be easy to rewrite and correct huh.
:o)
 
You can open up the anonymous search but if they need to see the
password, you are dead in the water right there. You either can't
use AD, can't use that product, or you need to modify the
authentication routines. 
 
I have never heard of that product, is it *nix only or do they have
Win32 ports?
 
   joe
 
 
 
____________________________________________________________________
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Aitzol
Naberan Burgaña
Sent: Tuesday, May 18, 2004 9:21 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Anonymous bind
 
 
I'm trying to authenticate OpenGroupware (open source groupware
suite) against Active Directory. The problem is that OpenGroupware's
authentication method is a little bit curious: it tries to do an
anonymous bind to the LDAP server before it will try to bind as the
user name supplied at the login prompt. Active Directory will allow
an anonymous bind, so that part is successful, but it does not allow
an anonymous search. I'm not sure where authentication fails,
because I have read that OpenGroupware searches for a password and
fails when it doesn't find it.
 
--
Aitzol Naberan Burgaña
CodeSyntax
[EMAIL PROTECTED]
www.codesyntax.com
Tel: 943  82 17 80
 
 
joe wrote:

Correct.
 
Aitzol, what problem are you trying to solve?
 
  joe
 
__________________________________________________________________
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Brent
Westmoreland
Sent: Tuesday, May 18, 2004 8:41 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Anonymous bind
 
 
I know that the unicodePwd attribute can never be read by way of
LDAP; you will probably find that this is true for userPassword
also.
 
http://support.microsoft.com/default.aspx?scid=kb;EN-US;269190
 
 
On May 18, 2004, at 6:29 AM, Aitzol Naberan Burgaña wrote:

Hi all

How can I grant "read" access to the userPassword attribute?

Thanks

--
Aitzol Naberan Burgaña
CodeSyntax
[EMAIL PROTECTED]
www.codesyntax.com
Tel: 943  82 17 80

List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/