RE: [ActiveDir] VERY OT -WAS Binding to ldap process..- NOW is Deji Rants

[Francis Ouellet]

Hi Deji,   I've been on both sides of the fence in the past year.   Ultimatly the main reason for this was the time required by the admins to implement this solution which was minimal. They (the powers that be) found that outsourcing the tech was way cheaper than paying for an appliance etc... They thought that they could save some bandwith this way and put some stress out of our mail servers   So, cost and administration overhead were probably the major factors behind this.   Francis From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: 11 mars 2005 13:41 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] VERY OT -WAS Binding to ldap process..- NOW is Deji Rants Something tells me I shouldn’t be asking this, but the phrase “outsource Anti-SPAM” – and the recent news about MCDonald “OUTSOURCE” drive-through order processing – just make the question irresistible.   Why would anyone outsource Anti-SPAM? If your mail service is outsourced, too, that would be somewhat understandable, although not justifiable, IMO. If you host and manage your mail infrastructure, what is the logic behind outsourcing Anti-SPAM? I realize that you guys may not be responsible for making the calls on this, but I am also interested in knowing the reasoning that drove the final decision maker into making that decision. Is it the administration overhead? Is it the cost? Is it the effectiveness?   For the record, I am an Anti-SPAM solution provider, and it bothers me that people would give control of their mail-infrastructure out to an external party for such simple task as SPAM protection. Could this be because most of the solutions out there suck in one form or another? What is it?   Deji [getting off his soap-box now]   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter Sent: Friday, March 11, 2005 10:12 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Binding to ldap process..   While we haven't outsourced our anti-spam stuff, we're in the same boat with the AD address validation. We're likely going to spin up an ADAM instance and have the queries run against that, so that 1) we can control what information the anti-spam software has access to and 2) it's not directly touching our DCs/GCs. It also lets you keep your DCs out of the DMZ. Something you may want to consider...   Hunter   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Francis Ouellet Sent: Friday, March 11, 2005 10:55 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Binding to ldap process.. Thanks for the reply Joe! The url provided was extremely helpful. The reason I'm asking all of this is because the management has decided to outsource anti-spam technology to a 3rd party that uses our AD to validate e-mail addresses. Unfortunately their "security through obscurity" methods are scaring the crap out of me. They won't disclose the type of bind they are doing agains't one of our GC in the DMZ. I guess I could sniff the incomming traffic and figure out what type of bind they are doing?   Thanks, Francis   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: 11 mars 2005 12:17 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Binding to ldap process.. Depends on the auth options chosen. By default, ldp will use kerberos as will my adfind. The auth option is called LDAP_AUTH_NEGOTIATE which is a generic security services (GSS - SPNEGO) provider and will try different mechanisms starting out with kerberos but NTLM is also an option there. You can force it to bind with a simple bind though which is clear text passwords.     See http://msdn.microsoft.com/library/default.asp?url=""> and look in the remarks section.      joe           From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Francis Ouellet Sent: Friday, March 11, 2005 11:43 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Binding to ldap process.. Thanks for the reply joe, however one last questions remains:   Is the process of binding to the GC (in the case I'm connecting to port 3268) different from say: A user authentication to AD when logging on to a workstation? Does it use the same kerberos ticket system?   Thanks!! Francis   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: 11 mars 2005 11:28 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Binding to ldap process.. You have two major functions in this area   1. Connect. This is where you specify the server, port, and network protocol you want to use. If you select connectionless you are using UDP, otherwise you are using TCP. For most folks, UDP is useless, so you may not want to play with it too much. You can also specify an SSL connection. Until you work out the basics, don't worry about it.   2. Bind. This is where you specify the ID you want to connect to AD with and the authentication mechanism you want to use. The calls are all going against the server/port that you specified in 1. Note that you can't authenticate a UDP connection (just one reason why you don't generally want to play with UDP).   Some apps combine that all together in the background so you don't see it such as my adfind command line tool. You simply specify what you want and off it goes and handles the binding and connecting and everything else for you.     joe         From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Francis Ouellet Sent: Friday, March 11, 2005 11:03 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Binding to ldap process.. Hi,     I'm trying to understand the process of binding to an ldap server. I'm toying with ldp.exe and I'd like to know a little bit more about the different bind options...   If you decide to connect to port 3268 to query the GC and then decide to bind do you bind on port 389 or continue to authenticate to the GC? You see, I'm just a wee bit confused as to what happens in the background :)   Thanks, Francis Ouellet