|
By default anonymous LDAP operations are
disabled in W2K3 AD (you are only allowed to perform base search on RootDSE). First the warning: enabling anonymous
LDAP operations and/or disabling LDAP singing weakens the security of your AD
and opens some nasty holes that can be exploited by bad people. The best option would be performing an
LDAP over SSL bind to DC if you have SSL enabled on the DCs. If not then you
can tackle the problem by: 1) If you do not want to send the passwords over
the wire, you can allow anonymous binds/searches to a strictly defined set of
attributes (assuming that those do not contain sensitive data). More details
here: <shameless plug> http://www.petri.co.il/anonymous_ldap_operations_in_windows_2003_ad.htm
</shameless plug> 2) If you still want to pull the data after
successful authentication (you’ll need to perform authenticated simple
bind from within PHP code). There are 2 settings that control the LDAP signing
(both located under Computer Configuration\Windows Settings\Security Settings\Local
Policies\Security Options of the Default Domain Controllers GPO): a. Domain Controller: LDAP server signing requirement b. Network security: LDAP client signing requirement
(default = undefined) If
you want to enable simple binds, set: -
The Domain controller: LDAP server signing
requirements = None -
The Network security: LDAP client signing
requirements = Negotiate Also
set in Default Domain GPO: The Network security: LDAP client signing requirements = Negotiate (to make sure that all windows clients do not try
simple binds) Now
this option is VERY nasty as you are opening a door to clear text passwords traveling
across your network and letting anyone with a sniffer grab passwords from the
wire. I would try to avoid this one at all cost. Btw, regarding “but
I can always connect from php to AD using anonymous connection (works great)”…. Can you elaborate on this one ? can you
actually query the AD or you can only bind to RootDSE ? Is this W2K AD upgraded
to W2K3 ? Guy From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Olivier Marie Hello everybody I would add an entry in my AD (win 2003) from a
server RedHat/Apache/PHP. I was connecting with ldap_connect, using admin user
login and password. Everything was ok but some patches and reboot was done
by another person, and now It doesn't work : - When I connect with admin user login and password,
I obtain "strong authentication required". - but I can always connect from php to AD using
anonymous connection (works great) Admin user login and password have not been modified. We are newbie on AD and we're not ruling win2003
administration… Could you give us an idea to go further in ours
investigations ? Many thanks Olivier |
- RE: [ActiveDir] AD access "strong authentication requ... Teverovsky, Guy
- RE: [ActiveDir] AD access "strong authentication... Olivier Marie
- RE: [ActiveDir] AD access "strong authentica... Olivier Marie
- RE: [ActiveDir] AD access "strong authentication... Teverovsky, Guy
