I just looked at ethereal and I hate the fact that you need to install winpcap on a DC. I actually hate installing anything on a DC for that matter. I'm trying to do all the damage control I can do over here. Knowing how completely paranoid you are <g> you'd probably fire everybody around here if you had the power :) Things I wouldn't have done myself during the beta of NT5.0 (given the little knowledge I had about AD back then)
Francis
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 11 March 2005 13:50
To: [email protected]
Subject: RE: [ActiveDir] Binding to ldap process..
Heh. I was so hip on giving help on how to look for this in
a sniffer that I completely missed the GC in a DMZ point. Oy. I am getting old
or tired or both.
Yes, do not put a GC in the DMZ. Yes, do use AD/AM,
especially if all the provider needs is a list of valid email addresses or
something along those lines. That should be an exceedingly simple sync to
perform.
joe
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Francis Ouellet
Sent: Friday, March 11, 2005 1:19 PM
To: [email protected]
Subject: RE: [ActiveDir] Binding to ldap process..
I was toying with the idea of using ADAM myself but the
admins around here (only been here a few months) don't have any notion
whatsoever of security boundaries. You don't want to know the
rest ;-)
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter
Sent: 11 March 2005 13:12
To: [email protected]
Subject: RE: [ActiveDir] Binding to ldap process..
While we haven't outsourced our anti-spam stuff, we're in
the same boat with the AD address validation. We're likely going to spin up an
ADAM instance and have the queries run against that, so that 1) we can control
what information the anti-spam software has access to and 2) it's not directly
touching our DCs/GCs. It also lets you keep your DCs out of the DMZ. Something
you may want to consider...
Hunter
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Francis Ouellet
Sent: Friday, March 11, 2005 10:55 AM
To: [email protected]
Subject: RE: [ActiveDir] Binding to ldap process..
Thanks for the reply Joe! The URL provided was extremely helpful. The reason I'm asking all of this is because the management has decided to outsource anti-spam technology to a 3rd party that uses our AD to validate e-mail addresses. Unfortunately their "security through obscurity" methods are scaring the crap out of me. They won't disclose the type of bind they are doing against one of our GCs in the DMZ. I guess I could sniff the incoming traffic and figure out what type of bind they are doing?
Thanks,
Francis
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 11 March 2005 12:17
To: [email protected]
Subject: RE: [ActiveDir] Binding to ldap process..
Depends on the auth options chosen. By default, ldp will use Kerberos, as will my adfind. The auth option is called LDAP_AUTH_NEGOTIATE, which is a generic security services (GSS - SPNEGO) provider and will try different mechanisms starting out with Kerberos, but NTLM is also an option there. You can force it to bind with a simple bind, though, which means cleartext passwords.
joe
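Francis asks above whether he could sniff the incoming traffic and work out what kind of bind the third party performs, and joe's reply explains the two cases: LDAP_AUTH_NEGOTIATE (a SASL GSS-SPNEGO bind carrying Kerberos or NTLM) versus a simple bind that puts the password on the wire. The following script is an added example, not code from this thread or from any of its posters. It hand-decodes the BER layout of an LDAPv3 BindRequest (RFC 4511) so that a defender looking at a captured TCP payload to a DC or GC can classify the bind without a full ASN.1 library. Every DN, password and SASL token byte string in it is a constructed sample, not a real capture, and `build_bind_request` exists only to produce those samples.

```python
"""Classify captured LDAP BindRequests by authentication type.

Added example, not code from the ActiveDir thread or from any of its posters.
It hand-decodes the BER layout of an LDAPv3 BindRequest (RFC 4511) so a
defender inspecting traffic to a DC/GC can tell a simple bind (password on
the wire in cleartext unless the session is TLS-protected) from a SASL bind
such as GSS-SPNEGO, which is what LDAP_AUTH_NEGOTIATE produces. The DNs,
passwords and SASL token bytes below are constructed samples, not captures.
"""
from typing import Optional

# ---- minimal BER helpers (enough for a BindRequest) -------------------------

def _ber_len(n: int) -> bytes:
    """Encode a BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, payload: bytes) -> bytes:
    """Wrap payload in a tag-length-value triple."""
    return bytes([tag]) + _ber_len(len(payload)) + payload


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos:pos + length], pos + length


# BER tags used by an LDAPMessage carrying a BindRequest (RFC 4511 section 4.2)
SEQUENCE, INTEGER, OCTET_STRING = 0x30, 0x02, 0x04
BIND_REQUEST = 0x60   # [APPLICATION 0], constructed
AUTH_SIMPLE = 0x80    # AuthenticationChoice [0] simple, primitive OCTET STRING
AUTH_SASL = 0xA3      # AuthenticationChoice [3] sasl, constructed SaslCredentials


def build_bind_request(msg_id: int, name: str, *, password: Optional[str] = None,
                       sasl_mechanism: Optional[str] = None,
                       sasl_token: bytes = b"") -> bytes:
    """Encode an LDAPv3 BindRequest. Used here only to construct samples."""
    if password is not None:
        auth = _tlv(AUTH_SIMPLE, password.encode())
    else:
        creds = _tlv(OCTET_STRING, sasl_mechanism.encode()) + _tlv(OCTET_STRING, sasl_token)
        auth = _tlv(AUTH_SASL, creds)
    bind = _tlv(BIND_REQUEST, _tlv(INTEGER, b"\x03") + _tlv(OCTET_STRING, name.encode()) + auth)
    return _tlv(SEQUENCE, _tlv(INTEGER, bytes([msg_id])) + bind)


def classify_bind(payload: bytes):
    """Decode one LDAPMessage from a TCP payload and describe the bind.

    Returns None when the message is not a BindRequest (e.g. a SearchRequest)."""
    tag, msg, _ = _read_tlv(payload, 0)
    if tag != SEQUENCE:
        raise ValueError("not an LDAPMessage")
    _, msg_id, pos = _read_tlv(msg, 0)
    op_tag, op, _ = _read_tlv(msg, pos)
    if op_tag != BIND_REQUEST:
        return None
    _, version, pos = _read_tlv(op, 0)
    _, name, pos = _read_tlv(op, pos)
    auth_tag, auth, _ = _read_tlv(op, pos)
    info = {"message_id": int.from_bytes(msg_id, "big"), "version": version[0],
            "name": name.decode(), "password_on_wire": False}
    if auth_tag == AUTH_SIMPLE:
        info["auth"] = "simple"
        if not name and not auth:
            info["risk"] = "anonymous"            # empty name and password
        elif not auth:
            info["risk"] = "unauthenticated"     # name without a password (RFC 4513)
        else:
            info["risk"] = "cleartext-password"  # full credentials readable in the capture
            info["password_on_wire"] = True
    elif auth_tag == AUTH_SASL:
        _, mech, _ = _read_tlv(auth, 0)          # SaslCredentials.mechanism
        info["auth"] = "sasl"
        info["mechanism"] = mech.decode()        # "GSS-SPNEGO" for LDAP_AUTH_NEGOTIATE
        info["risk"] = "sasl"
    else:
        raise ValueError(f"unknown AuthenticationChoice tag 0x{auth_tag:02x}")
    return info


if __name__ == "__main__":
    # Constructed samples: a service account doing a simple bind, a negotiate
    # bind (placeholder token bytes, not a real SPNEGO blob) and an anonymous bind.
    samples = [
        build_bind_request(1, "cn=spamfilter,ou=svc,dc=example,dc=com", password="Secret123"),
        build_bind_request(2, "", sasl_mechanism="GSS-SPNEGO", sasl_token=b"<spnego-token>"),
        build_bind_request(3, "", password=""),
    ]
    for sample in samples:
        print(classify_bind(sample))
```

Running the file prints one dictionary per constructed sample. Against a real capture you would feed `classify_bind` the TCP payload of each client packet on 389 or 3268 after stripping the link, IP and TCP headers; a result of `"risk": "cleartext-password"` on one of those ports (rather than the TLS ports 636/3269) is exactly the case joe warns about, while `"mechanism": "GSS-SPNEGO"` is what a LDAP_AUTH_NEGOTIATE client produces.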
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Francis Ouellet
Sent: Friday, March 11, 2005 11:43 AM
To: [email protected]
Subject: RE: [ActiveDir] Binding to ldap process..
Thanks for the reply joe, however one last question remains:
Is the process of binding to the GC (in the case I'm connecting to port 3268) different from say: a user authentication to AD when logging on to a workstation? Does it use the same Kerberos ticket system?
Thanks!!
Francis
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 11 March 2005 11:28
To: [email protected]
Subject: RE: [ActiveDir] Binding to ldap process..
You have two major functions in this area:
1. Connect. This is where you specify the server, port, and
network protocol you want to use. If you select connectionless you are using
UDP, otherwise you are using TCP. For most folks, UDP is useless, so you may not
want to play with it too much. You can also specify an SSL connection. Until you
work out the basics, don't worry about it.
2. Bind. This is where you specify the ID you want to
connect to AD with and the authentication mechanism you want to use. The
calls are all going against the server/port that you specified in 1. Note that
you can't authenticate a UDP connection (just one reason why you don't generally
want to play with UDP).
Some apps combine that all together in the background so you don't see it, such as my adfind command line tool. You simply specify what you want and off it goes and handles the binding and connecting and everything else for you.
joe
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Francis Ouellet
Sent: Friday, March 11, 2005 11:03 AM
To: [email protected]
Subject: [ActiveDir] Binding to ldap process..
Hi,
I'm trying to understand the process of binding to an ldap server. I'm toying with ldp.exe and I'd like to know a little bit more about the different bind options...
If you decide to connect to port 3268 to query the GC and then decide to bind do you bind on port 389 or continue to authenticate to the GC? You see, I'm just a wee bit confused as to what happens in the background :)
Thanks,
Francis Ouellet
