|
Our AD isn't win2000
upgraded to 2003 (it's a new one). Sorry for my �"but
I can always connect from php to AD using anonymous connection (works
great)”… Effectively, I can just bind to rootDSE. We will try to use SSL,
but for our tests we will perhaps try in a first time to modify the settings
for Ldap settings. Many thanks for your
answer, I will tell you if we success or not ! Olivier � De : [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] De
la part de Teverovsky, Guy By default anonymous
LDAP operations are disabled in W2K3 AD (you are only allowed to perform base
search on RootDSE). First the warning:
enabling anonymous LDAP operations and/or disabling LDAP singing weakens the
security of your AD and opens some nasty holes that can be exploited by bad
people. The best option would
be performing an LDAP over SSL bind to DC if you have SSL enabled on the DCs.
If not then you can tackle the problem by: 1)If you do not want to send the passwords over
the wire, you can allow anonymous binds/searches to a strictly defined set of
attributes (assuming that those do not contain sensitive data). More details
here: <shameless plug> http://www.petri.co.il/anonymous_ldap_operations_in_windows_2003_ad.htm
</shameless plug> 2)If you still want to pull the data after
successful authentication (you’ll need to perform authenticated simple
bind from within PHP code). There are 2 settings that control the LDAP signing
(both located under Computer Configuration\Windows Settings\Security
Settings\Local Policies\Security Options of the Default Domain Controllers
GPO): a. Domain Controller: LDAP server signing
requirement b. Network security: LDAP client signing requirement
(default = undefined) If you want to enable simple binds, set: - The Domain controller: LDAP
server signing requirements = None - The Network security: LDAP
client signing requirements = Negotiate Also set in Default Domain GPO: The Network security: LDAP client signing
requirements = Negotiate
(to make sure that all windows clients do not try simple binds) Now this option is VERY nasty as you are opening a door to clear
text passwords traveling across your network and letting anyone with a sniffer
grab passwords from the wire. I would try to avoid this one at all cost. Btw, regarding “but
I can always connect from php to AD using anonymous connection (works
great)”…. Can you elaborate on
this one ? can you actually query the AD or you can only bind to RootDSE ? Is
this W2K AD upgraded to W2K3 ? Guy From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Olivier Marie Hello everybody I would add an entry in my AD (win 2003) from a
server RedHat/Apache/PHP. I was connecting with ldap_connect, using admin user
login and password. Everything was ok but some patches and reboot was
done by another person, and now It doesn't work : - When I connect with admin user login and password,
I obtain "strong authentication required". - but I can always connect from php to AD using
anonymous connection (works great) Admin user login and password have not been modified. We are newbie on AD and we're not ruling win2003
administration… Could you give us an idea to go further in ours
investigations ? Many thanks Olivier |
- RE: [ActiveDir] AD access "strong authentication requ... Olivier Marie
- RE: [ActiveDir] AD access "strong authentication... Olivier Marie
- RE: [ActiveDir] AD access "strong authentication... Teverovsky, Guy
