Absolutely you can sniff it. If using ethereal, you can start with a basic capture filter of
tcp port 389 or tcp port 3268
That lets you capture all TCP traffic going in and out on those ports.
I recommend playing with it so you can recognize the different kinds of binds. Pull out adfind and bang away at the server with the following
adfind -h servername -default -s base
That should be a standard secure ldap bind which, assuming you have a kerb service ticket for the DC's LDAP service, will use kerberos. If it can't get the service ticket, it will probably use ntlm. You can tell the difference when looking (or at least I think this is it) because the ntlm bind will pop a saslbindinprogress packet and the client will have to send another bind packet. A kerb bind sends the ticket in the first packet and all is good.
adfind -h serverIPAddress -default -s base
This will force a non-kerberos secure bind (probably ntlm) even if you have kerberos tickets that would work.
adfind -h servername -default -s base -simple -u domain\user -up password
or
adfind -h servername -default -s base -simple -u userdn -up password
These are simple binds and will be clear text unless they use SSL.
joe
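To make the bind flavours joe lists recognisable in a capture, here is an added example (my own code, not joe's adfind, ldp or anything from the thread): a small BER parser that classifies an LDAP BindRequest as a simple cleartext bind, an NTLM SASL bind or a Kerberos SASL bind, and also flags the saslBindInProgress reply he mentions. It assumes the usual markers, the "NTLMSSP" signature in the first token for NTLM and the Kerberos mechanism OID in the SPNEGO token for Kerberos, and the sample PDUs are constructed rather than captured.

```python
# DER bodies of the Kerberos OIDs 1.2.840.113554.1.2.2 and MS 1.2.840.48018.1.2.2
KRB5_OIDS = (bytes.fromhex("2a864886f712010202"), bytes.fromhex("2a864882f712010202"))

def _tlv(buf, pos=0):
    """Decode one BER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def classify_bind(pdu):
    """Return (kind, bind name) for a BindRequest PDU, None for other LDAP ops."""
    tag, msg, _ = _tlv(pdu)                             # LDAPMessage SEQUENCE
    op, bind, _ = _tlv(msg, _tlv(msg)[2])               # skip messageID
    if tag != 0x30 or op != 0x60:                       # [APPLICATION 0] BindRequest
        return None
    _, name, pos = _tlv(bind, _tlv(bind)[2])            # skip version; DN or DOMAIN\user
    auth_tag, auth, _ = _tlv(bind, pos)
    name = name.decode("utf-8", "replace")
    if auth_tag == 0x80:                                # simple [0]: password in the clear
        return "simple", name
    if auth_tag != 0xA3:                                # sasl [3] SEQUENCE { mech, creds }
        return "unknown-auth", name
    _, mech, pos = _tlv(auth)
    creds = _tlv(auth, pos)[1] if pos < len(auth) else b""
    # NTLM: Type 1 token in the first bind (server answers saslBindInProgress); Kerberos: AP-REQ in the first packet.
    kind = ("ntlm" if b"NTLMSSP\x00" in creds
            else "kerberos" if any(oid in creds for oid in KRB5_OIDS) else "unknown")
    return f"sasl/{mech.decode()}/{kind}", name

def is_sasl_bind_in_progress(pdu):
    """True for a BindResponse with resultCode 14 (saslBindInProgress)."""
    _, msg, _ = _tlv(pdu)
    op, resp, _ = _tlv(msg, _tlv(msg)[2])
    return op == 0x61 and _tlv(resp)[1] == b"\x0e"

def _der(tag, body):                                    # tiny DER encoder for the samples
    ln = bytes([len(body)]) if len(body) < 0x80 else b"\x82" + len(body).to_bytes(2, "big")
    return bytes([tag]) + ln + body

def _bind(msg_id, name, auth):                          # constructed v3 BindRequest PDU
    return _der(0x30, _der(0x02, bytes([msg_id])) + _der(0x60, _der(0x02, b"\x03") + _der(0x04, name) + auth))

SAMPLES = {                                             # constructed, not captured traffic
    "simple": _bind(1, b"DOMAIN\\user", _der(0x80, b"password")),
    "ntlm": _bind(2, b"", _der(0xA3, _der(0x04, b"GSS-SPNEGO") + _der(0x04, b"NTLMSSP\x00\x01\x00\x00\x00"))),
    "kerberos": _bind(3, b"", _der(0xA3, _der(0x04, b"GSS-SPNEGO") + _der(0x04, b"\x06\x09" + KRB5_OIDS[0]))),
    "in_progress": _der(0x30, _der(0x02, b"\x02") + _der(0x61, _der(0x0A, b"\x0e") + _der(0x04, b"") + _der(0x04, b""))),
}
```

Feed it the payload of each packet on tcp/389 or tcp/3268 and any "simple" result is a password on the wire unless the session was SSL-wrapped.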
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Francis Ouellet
Sent: Friday, March 11, 2005 12:55 PM
To: [email protected]
Subject: RE: [ActiveDir] Binding to ldap process..
Thanks for the reply Joe! The url provided was extremely helpful. The reason I'm asking all of this is because the management has decided to outsource anti-spam technology to a 3rd party that uses our AD to validate e-mail addresses. Unfortunately their "security through obscurity" methods are scaring the crap out of me. They won't disclose the type of bind they are doing against one of our GC in the DMZ. I guess I could sniff the incoming traffic and figure out what type of bind they are doing?
Thanks,
Francis
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 11 March 2005 12:17
To: [email protected]
Subject: RE: [ActiveDir] Binding to ldap process..
Depends on the auth options chosen. By default, ldp will use kerberos as will my adfind. The auth option is called LDAP_AUTH_NEGOTIATE which is a generic security services (GSS - SPNEGO) provider and will try different mechanisms starting out with kerberos but NTLM is also an option there. You can force it to bind with a simple bind though which is clear text passwords.
joe
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Francis Ouellet
Sent: Friday, March 11, 2005 11:43 AM
To: [email protected]
Subject: RE: [ActiveDir] Binding to ldap process..
Thanks for the reply joe, however one last question remains:
Is the process of binding to the GC (in the case I'm connecting to port 3268) different from, say, a user authentication to AD when logging on to a workstation? Does it use the same kerberos ticket system?
Thanks!!
Francis
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 11 March 2005 11:28
To: [email protected]
Subject: RE: [ActiveDir] Binding to ldap process..
You have two major functions in this area
1. Connect. This is where you specify the server, port, and network protocol you want to use. If you select connectionless you are using UDP, otherwise you are using TCP. For most folks, UDP is useless, so you may not want to play with it too much. You can also specify an SSL connection. Until you work out the basics, don't worry about it.
2. Bind. This is where you specify the ID you want to connect to AD with and the authentication mechanism you want to use. The calls are all going against the server/port that you specified in 1. Note that you can't authenticate a UDP connection (just one reason why you don't generally want to play with UDP).
Some apps combine that all together in the background so you don't see it, such as my adfind command line tool. You simply specify what you want and off it goes and handles the binding and connecting and everything else for you.
joe
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Francis Ouellet
Sent: Friday, March 11, 2005 11:03 AM
To: [email protected]
Subject: [ActiveDir] Binding to ldap process..
Hi,
I'm trying to understand the process of binding to an ldap server. I'm toying with ldp.exe and I'd like to know a little bit more about the different bind options...
If you decide to connect to port 3268 to query the GC and then decide to bind, do you bind on port 389 or continue to authenticate to the GC? You see, I'm just a wee bit confused as to what happens in the background :)
Thanks,
Francis Ouellet
