How about “netmon.exe” that comes with Server 2003? Go to Start\Control Panel\Add or remove Programs\Add/remove Windows components\Management and Monitoring Tools\Network Monitor Tools.
Mike Thommes
-----Original Message-----
I just looked at ethereal and I hate the fact that you need to install winpcap on a DC. I actually hate installing anything on a DC for that matter. I'm trying to do all the damage control I can do over here. Knowing how completely paranoid you are <g> you'd probably fire everybody around here if you had the power :) Things I wouldn't have done myself during the beta of NT5.0 (given the little knowledge I had about AD back then).
Francis
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Heh. I was so hip on giving help on how to look for this in a sniffer that I completely missed the GC in a DMZ point. Oy. I am getting old or tired or both.
Yes, do not put a GC in the DMZ. Yes, do use AD/AM, especially if all the provider needs is a list of valid email addresses or something along those lines. That should be an exceedingly simple sync to perform.
joe
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Francis Ouellet
I was toying with the idea of using ADAM myself but the admins around here (only been here a few months) don't have any notion whatsoever of security boundaries. You don't want to know the rest ;-)
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Coleman, Hunter
While we haven't outsourced our anti-spam stuff, we're in the same boat with the AD address validation. We're likely going to spin up an ADAM instance and have the queries run against that, so that 1) we can control what information the anti-spam software has access to and 2) it's not directly touching our DCs/GCs. It also lets you keep your DCs out of the DMZ. Something you may want to consider...
Hunter
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Francis Ouellet
Thanks for the reply Joe! The URL provided was extremely helpful. The reason I'm asking all of this is because the management has decided to outsource anti-spam technology to a 3rd party that uses our AD to validate e-mail addresses. Unfortunately their "security through obscurity" methods are scaring the crap out of me. They won't disclose the type of bind they are doing against one of our GCs in the DMZ. I guess I could sniff the incoming traffic and figure out what type of bind they are doing?
Thanks, Francis
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Depends on the auth options chosen. By default, ldp will use Kerberos, as will my adfind. The auth option is called LDAP_AUTH_NEGOTIATE, which is a generic security services (GSS/SPNEGO) provider and will try different mechanisms, starting out with Kerberos, but NTLM is also an option there. You can force it to bind with a simple bind though, which is clear-text passwords.
See http://msdn.microsoft.com/library/default.asp?url= and look in the Remarks section.
joe
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Francis Ouellet
Thanks for the reply joe, however one last question remains:
Is the process of binding to the GC (in the case I'm connecting to port 3268) different from, say, a user authenticating to AD when logging on to a workstation? Does it use the same Kerberos ticket system?
Thanks!! Francis
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
You have two major functions in this area:
1. Connect. This is where you specify the server, port, and network protocol you want to use. If you select connectionless you are using UDP; otherwise you are using TCP. For most folks, UDP is useless, so you may not want to play with it too much. You can also specify an SSL connection. Until you work out the basics, don't worry about it.
2. Bind. This is where you specify the ID you want to connect to AD with and the authentication mechanism you want to use. The calls all go against the server/port that you specified in 1. Note that you can't authenticate a UDP connection (just one reason why you don't generally want to play with UDP).
Some apps combine that all together in the background so you don't see it such as my adfind command line tool. You simply specify what you want and off it goes and handles the binding and connecting and everything else for you.
joe
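Two questions in the thread above go together: Francis asks whether he can sniff the provider's traffic to the GC and work out what kind of bind it is doing, and joe explains that a bind is just the second LDAP operation on whatever server/port the connect step chose, so a bind against 3268 stays on 3268. The following is an added example, not code from the thread or from ldp, adfind or any other tool mentioned in it. It decodes the BER-framed LDAP BindRequest (RFC 4511) from the first client-side PDU of a TCP session and reports whether it is a simple bind (password visible as a bare OCTET STRING), an anonymous or unauthenticated bind, or a SASL bind and which mechanism was named. The sample PDUs are constructed in the code rather than captured; the port table, the NTLMSSP-signature and Kerberos-OID heuristics applied to the SASL token, and every function name are my own assumptions, and the code uses only the Python standard library.

```python
# LDAP BindRequest classifier: "what kind of bind is this client doing?" from the raw
# bytes of an LDAP PDU (RFC 4511, BER framing). Added example; stdlib only. The PDUs
# in demo() are constructed here, not captured from a real DC or GC.

# Port -> listener, assuming the standard AD ports (3268/3269 are the Global Catalog).
PORT_NAMES = {389: "LDAP", 636: "LDAPS", 3268: "GC", 3269: "GC-SSL"}
NTLMSSP_SIG = b"NTLMSSP\x00"                            # header of every NTLM message
KRB5_OID = bytes.fromhex("06092a864886f712010202")      # DER OID 1.2.840.113554.1.2.2 (Kerberos v5)

def _ber_len(buf, i):
    """Decode a BER definite length at buf[i]; return (length, index of first content byte)."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    if n == 0 or n > 4:
        raise ValueError("unsupported BER length encoding")
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def _tlv(buf, i):
    """Read one TLV at buf[i]; return (tag, content bytes, index after the TLV)."""
    tag = buf[i]
    length, start = _ber_len(buf, i + 1)
    end = start + length
    if end > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[start:end], end

def _encode(tag, content):
    """BER-encode a TLV with a definite length (short or long form)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + content

def build_simple_bind(msg_id, dn, password):
    """LDAPMessage { messageID, BindRequest { version 3, name, simple [0] password } }."""
    body = _encode(0x02, bytes([3])) + _encode(0x04, dn.encode()) + _encode(0x80, password.encode())
    return _encode(0x30, _encode(0x02, bytes([msg_id])) + _encode(0x60, body))

def build_sasl_bind(msg_id, mechanism, token):
    """LDAPMessage { messageID, BindRequest { version 3, name "", sasl [3] { mechanism, creds } } }."""
    sasl = _encode(0x04, mechanism.encode()) + _encode(0x04, token)
    body = _encode(0x02, bytes([3])) + _encode(0x04, b"") + _encode(0xA3, sasl)
    return _encode(0x30, _encode(0x02, bytes([msg_id])) + _encode(0x60, body))

def classify_bind(dst_port, payload):
    """Describe the BindRequest in `payload` sent to `dst_port`; None if the PDU is not a bind."""
    tag, msg, _ = _tlv(payload, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    tag, msg_id, i = _tlv(msg, 0)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, op, _ = _tlv(msg, i)
    if tag != 0x60:                              # [APPLICATION 0] constructed = BindRequest
        return None
    _, version, i = _tlv(op, 0)
    _, name, i = _tlv(op, i)
    auth_tag, auth, _ = _tlv(op, i)
    info = {"msg_id": int.from_bytes(msg_id, "big"), "port": PORT_NAMES.get(dst_port, str(dst_port)),
            "version": version[0], "name": name.decode("utf-8", "replace")}
    if auth_tag == 0x80:                         # simple [0]: the password is a bare OCTET STRING
        if not auth:
            info["bind"] = "anonymous" if not name else "unauthenticated"
        else:
            info["bind"] = "simple"
            info["password_on_wire"] = auth.decode("utf-8", "replace")
        # Without TLS (389/3268) a simple-bind password crosses the wire exactly as shown.
        info["cleartext"] = bool(auth) and dst_port not in (636, 3269)
    elif auth_tag == 0xA3:                       # sasl [3]: SEQUENCE { mechanism, credentials }
        _, mech, j = _tlv(auth, 0)
        token = _tlv(auth, j)[1] if j < len(auth) else b""
        info["bind"] = "sasl"
        info["mechanism"] = mech.decode("ascii", "replace")
        # GSS-SPNEGO alone does not say Kerberos vs NTLM; peek into the token (heuristic).
        info["inner"] = "NTLM" if NTLMSSP_SIG in token else "Kerberos" if KRB5_OID in token else "unknown"
        info["cleartext"] = False
    else:
        info["bind"], info["cleartext"] = "unknown", False
    return info

def demo():
    """Classify a few constructed binds the way a sniffer would see them."""
    samples = [
        (3268, build_simple_bind(1, "cn=spamfilter,ou=svc,dc=example,dc=com", "Passw0rd!")),
        (3268, build_sasl_bind(2, "GSS-SPNEGO", b"NTLMSSP\x00\x01\x00\x00\x00")),
        (3268, build_sasl_bind(3, "GSSAPI", KRB5_OID + b"\x00" * 200)),   # long-form lengths
        (389, build_simple_bind(4, "", "")),
    ]
    return [classify_bind(port, pdu) for port, pdu in samples]

if __name__ == "__main__":
    for result in demo():
        print(result)
```

For real traffic, feed `classify_bind` the destination port and the first LDAP PDU from the client side of the stream (exported from Network Monitor or Ethereal), one PDU per call. On 636 or 3269 you will only see TLS records unless you can decrypt the session, which is exactly why a simple bind on those ports is not flagged as clear-text here. The NTLM/Kerberos sniff inside the SASL token is a byte-signature heuristic, not a full SPNEGO parse, so treat "unknown" as "look closer" rather than "safe".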
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Francis Ouellet
Hi,
I'm trying to understand the process of binding to an ldap server. I'm toying with ldp.exe and I'd like to know a little bit more about the different bind options...
If you decide to connect to port 3268 to query the GC and then decide to bind do you bind on port 389 or continue to authenticate to the GC? You see, I'm just a wee bit confused as to what happens in the background :)
Thanks, Francis Ouellet
- RE: [ActiveDir] Binding to ldap process.. Thommes, Michael M.
