Ok, ok! I digress, you guys are a bunch of very very smart folks.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Charlie Kaiser
Sent: 11 March 2005 14:22
To: [email protected]
Subject: RE: [ActiveDir] Binding to ldap process..

I just pop a hub in between the DC and the switch and then tie my laptop with ethereal running into the hub. I'm with you... I don't like running anything on DCs. I've found that I can unplug a DC, plug in a small hub, and plug it all back together without losing connectivity, assuming I don't drop the cable while I'm doing it... :-)

**********************
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**********************

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Francis Ouellet
> Sent: Friday, March 11, 2005 11:11 AM
> To: [email protected]
> Subject: RE: [ActiveDir] Binding to ldap process..
>
> I just looked at ethereal and I hate the fact that you need to install winpcap on a DC. I actually hate installing anything on a DC for that matter. I'm trying to do all the damage control I can do over here; knowing how completely paranoid you are <g> you'd probably fire everybody around here if you had the power :) Things I wouldn't have done myself during the beta of NT5.0 (given the little knowledge I had about AD back then)
>
> Francis
>
> ________________________________
>
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
> Sent: 11 March 2005 13:50
> To: [email protected]
> Subject: RE: [ActiveDir] Binding to ldap process..
>
> Heh. I was so hip on giving help on how to look for this in a sniffer that I completely missed the GC in a DMZ point. Oy. I am getting old or tired or both.
>
> Yes, do not put a GC in the DMZ. Yes, do use AD/AM, especially if all the provider needs is a list of valid email addresses or something along those lines. That should be an exceedingly simple sync to perform.
>
> joe
>
> ________________________________
>
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Francis Ouellet
> Sent: Friday, March 11, 2005 1:19 PM
> To: [email protected]
> Subject: RE: [ActiveDir] Binding to ldap process..
>
> I was toying with the idea of using ADAM myself but the admins around here (only been here a few months) don't have any notion whatsoever of security boundaries. You don't want to know the rest ;-)
>
> ________________________________
>
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Coleman, Hunter
> Sent: 11 March 2005 13:12
> To: [email protected]
> Subject: RE: [ActiveDir] Binding to ldap process..
>
> While we haven't outsourced our anti-spam stuff, we're in the same boat with the AD address validation. We're likely going to spin up an ADAM instance and have the queries run against that, so that 1) we can control what information the anti-spam software has access to and 2) it's not directly touching our DCs/GCs. It also lets you keep your DCs out of the DMZ. Something you may want to consider...
>
> Hunter
>
> ________________________________
>
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Francis Ouellet
> Sent: Friday, March 11, 2005 10:55 AM
> To: [email protected]
> Subject: RE: [ActiveDir] Binding to ldap process..
>
> Thanks for the reply Joe! The url provided was extremely helpful. The reason I'm asking all of this is because the management has decided to outsource anti-spam technology to a 3rd party that uses our AD to validate e-mail addresses.
> Unfortunately their "security through obscurity" methods are scaring the crap out of me. They won't disclose the type of bind they are doing against one of our GCs in the DMZ. I guess I could sniff the incoming traffic and figure out what type of bind they are doing?
>
> Thanks,
> Francis
>
> ________________________________
>
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
> Sent: 11 March 2005 12:17
> To: [email protected]
> Subject: RE: [ActiveDir] Binding to ldap process..
>
> Depends on the auth options chosen. By default, ldp will use kerberos as will my adfind. The auth option is called LDAP_AUTH_NEGOTIATE which is a generic security services (GSS - SPNEGO) provider and will try different mechanisms starting out with kerberos but NTLM is also an option there. You can force it to bind with a simple bind though which is clear text passwords.
>
> See http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ldap/ldap/ldap_bind_s.asp and look in the remarks section.
>
> joe
>
> ________________________________
>
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Francis Ouellet
> Sent: Friday, March 11, 2005 11:43 AM
> To: [email protected]
> Subject: RE: [ActiveDir] Binding to ldap process..
>
> Thanks for the reply joe, however one last question remains:
>
> Is the process of binding to the GC (in the case I'm connecting to port 3268) different from say: A user authentication to AD when logging on to a workstation? Does it use the same kerberos ticket system?
>
> Thanks!!
> Francis
>
> ________________________________
>
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
> Sent: 11 March 2005 11:28
> To: [email protected]
> Subject: RE: [ActiveDir] Binding to ldap process..
>
> You have two major functions in this area
>
> 1. Connect. This is where you specify the server, port, and network protocol you want to use. If you select connectionless you are using UDP, otherwise you are using TCP. For most folks, UDP is useless, so you may not want to play with it too much. You can also specify an SSL connection. Until you work out the basics, don't worry about it.
>
> 2. Bind. This is where you specify the ID you want to connect to AD with and the authentication mechanism you want to use. The calls are all going against the server/port that you specified in 1. Note that you can't authenticate a UDP connection (just one reason why you don't generally want to play with UDP).
>
> Some apps combine that all together in the background so you don't see it such as my adfind command line tool. You simply specify what you want and off it goes and handles the binding and connecting and everything else for you.
>
> joe
>
> ________________________________
>
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Francis Ouellet
> Sent: Friday, March 11, 2005 11:03 AM
> To: [email protected]
> Subject: [ActiveDir] Binding to ldap process..
>
> Hi,
>
> I'm trying to understand the process of binding to an ldap server. I'm toying with ldp.exe and I'd like to know a little bit more about the different bind options...
>
> If you decide to connect to port 3268 to query the GC and then decide to bind do you bind on port 389 or continue to authenticate to the GC? You see, I'm just a wee bit confused as to what happens in the background :)
>
> Thanks,
> Francis Ouellet

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
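As an added example (not code from the list or any poster above), the check Francis asks about, sniffing the incoming traffic to learn what kind of bind the third party performs, can be run on the captured LDAP payload: this Python parses a BindRequest and reports a simple bind (password in the clear unless the session is SSL/TLS) versus a SASL bind and its mechanism, GSS-SPNEGO being what joe's LDAP_AUTH_NEGOTIATE produces. The DN, password and SASL token bytes in the samples are constructed placeholders.

```python
# Added example for this thread (not code from the list or its posters):
# classify an LDAP BindRequest (RFC 4511) captured on 389/3268 by its
# authentication choice. A simple bind carries the password in the clear
# unless the session is SSL/TLS; a SASL bind names its mechanism
# (GSS-SPNEGO is what LDAP_AUTH_NEGOTIATE produces, wrapping Kerberos or NTLM).

def _tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER element at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long form: low bits = byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def classify_bind(pdu: bytes) -> dict:
    """Describe the BindRequest in an LDAPMessage, or raise ValueError."""
    tag, msg, _ = _tlv(pdu, 0)
    if tag != 0x30:                      # LDAPMessage ::= SEQUENCE
        raise ValueError("not an LDAPMessage")
    _, msgid, pos = _tlv(msg, 0)         # messageID INTEGER
    tag, bind, _ = _tlv(msg, pos)
    if tag != 0x60:                      # [APPLICATION 0] BindRequest
        raise ValueError("protocolOp is not a BindRequest")
    _, version, pos = _tlv(bind, 0)
    _, name, pos = _tlv(bind, pos)
    tag, auth, _ = _tlv(bind, pos)       # authentication CHOICE
    info = {"message_id": int.from_bytes(msgid, "big"),
            "version": int.from_bytes(version, "big"),
            "name": name.decode("utf-8", "replace")}
    if tag == 0x80:                      # simple [0] OCTET STRING
        info.update(kind="simple", cleartext_password=len(auth) > 0)
    elif tag == 0xA3:                    # sasl [3] SaslCredentials
        _, mech, _ = _tlv(auth, 0)       # mechanism LDAPString
        info.update(kind="sasl", mechanism=mech.decode("ascii"))
    else:
        info.update(kind="unknown")
    return info

def _enc(tag, body):
    """Short-form BER encoder, only used to build the constructed samples."""
    return bytes([tag, len(body)]) + body

# Constructed sample PDUs (not captured traffic); the DN and password are made up.
SIMPLE_BIND = _enc(0x30, _enc(0x02, b"\x01") + _enc(0x60,
    _enc(0x02, b"\x03") + _enc(0x04, b"cn=spamfilter,dc=example,dc=com")
    + _enc(0x80, b"Secret123")))
SASL_BIND = _enc(0x30, _enc(0x02, b"\x02") + _enc(0x60,
    _enc(0x02, b"\x03") + _enc(0x04, b"")
    + _enc(0xA3, _enc(0x04, b"GSS-SPNEGO") + _enc(0x04, b"\x60\x00"))))
```

A simple bind seen on plain port 389 or 3268 is the case to flag; a SASL GSS-SPNEGO bind is what ldp and adfind do by default per joe's note.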
