Guy, you wrote:

If you want to enable simple binds, set:

-         The Domain controller: LDAP server signing requirements = None

-         The Network security: LDAP client signing requirements = Negotiate

Also set in Default Domain GPO:

The Network security: LDAP client signing requirements = Negotiate (to make sure that all windows clients do not try simple binds)

We find the first two settings but not the last ("Also set in Default Domain GPO"). We work on the French version of win 2003, and our knowledge of 2003 is very poor. Could you tell me how to set this? We can't find the right path for this…

Many thanks

Olivier



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Olivier Marie
Sent: Monday, April 18, 2005 4:20 PM
To: [email protected]
Subject: RE: [ActiveDir] AD access "strong authentication required"

Our AD isn't win2000 upgraded to 2003 (it's a new one).

Sorry for my "but I can always connect from php to AD using anonymous connection (works great)"… Effectively, I can just bind to rootDSE.

We will try to use SSL, but for our tests we will perhaps first try to modify the LDAP settings.

Many thanks for your answer, I will tell you whether we succeed or not!

Olivier



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Teverovsky, Guy
Sent: Monday, April 18, 2005 3:41 PM
To: [email protected]
Subject: RE: [ActiveDir] AD access "strong authentication required"

By default anonymous LDAP operations are disabled in W2K3 AD (you are only allowed to perform base search on RootDSE).

First the warning: enabling anonymous LDAP operations and/or disabling LDAP signing weakens the security of your AD and opens some nasty holes that can be exploited by bad people.

The best option would be performing an LDAP over SSL bind to DC if you have SSL enabled on the DCs. If not then you can tackle the problem by:

1)    If you do not want to send the passwords over the wire, you can allow anonymous binds/searches to a strictly defined set of attributes (assuming that those do not contain sensitive data). More details here: <shameless plug> http://www.petri.co.il/anonymous_ldap_operations_in_windows_2003_ad.htm </shameless plug>

2)    If you still want to pull the data after successful authentication (you’ll need to perform authenticated simple bind from within PHP code). There are 2 settings that control the LDAP signing (both located under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options of the Default Domain Controllers GPO):

a.     Domain Controller: LDAP server signing requirement

b.     Network security: LDAP client signing requirement (default = undefined)

If you want to enable simple binds, set:

-  The Domain controller: LDAP server signing requirements = None

-  The Network security: LDAP client signing requirements = Negotiate

Also set in Default Domain GPO:

The Network security: LDAP client signing requirements = Negotiate (to make sure that all windows clients do not try simple binds)

Now this option is VERY nasty as you are opening a door to clear text passwords traveling across your network and letting anyone with a sniffer grab passwords from the wire. I would try to avoid this one at all cost.

Btw, regarding "but I can always connect from php to AD using anonymous connection (works great)"….

Can you elaborate on this one? Can you actually query the AD or can you only bind to RootDSE? Is this W2K AD upgraded to W2K3?

Guy

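As an added example (not code from Guy's message or from Olivier's application): a PHP bind that takes the route Guy recommends first, LDAP over SSL (or StartTLS on 389), so the simple bind is protected by TLS instead of by relaxing the DC's signing policy. The DC host name, base DN, service account and the search filter are placeholders I assumed for illustration.

```php
<?php
// Added example, not from the thread. Binds to AD with the simple bind wrapped in TLS,
// which satisfies "LDAP server signing requirements = Require signing" without
// sending the password in clear text. All names below are placeholders.
const DC_HOST = 'dc1.example.corp';        // placeholder: must match the DC's certificate name
const BASE_DN = 'DC=example,DC=corp';      // placeholder
const BIND_DN = 'svc-web@example.corp';    // placeholder: a low-privilege account, not a Domain Admin

function ad_bind(string $host, string $dn, string $password, bool $useLdaps = true)
{
    // ldaps:// (636) wraps the whole session in TLS from the start; plain ldap:// (389)
    // followed by StartTLS upgrades the connection before the bind is sent.
    $uri = $useLdaps ? "ldaps://$host:636" : "ldap://$host:389";
    $ds = ldap_connect($uri);
    if ($ds === false) {
        throw new RuntimeException("malformed LDAP URI: $uri");
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3); // AD expects LDAPv3
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);        // do not chase referrals with these credentials

    if (!$useLdaps && !ldap_start_tls($ds)) {
        throw new RuntimeException('StartTLS failed: ' . ldap_error($ds));
    }

    if (!ldap_bind($ds, $dn, $password)) {
        $code = ldap_errno($ds);
        // Result code 8 = strongerAuthRequired (RFC 4511): the DC rejected a clear-text
        // simple bind. That is the "strong authentication required" error from the thread.
        $hint = ($code === 8) ? ' (simple bind attempted without TLS or signing)' : '';
        throw new RuntimeException("bind failed [$code]: " . ldap_error($ds) . $hint);
    }
    return $ds;
}

// Constructed usage: password comes from the environment, never from the source file.
$ds  = ad_bind(DC_HOST, BIND_DN, getenv('AD_BIND_PW') ?: '');
$res = ldap_search($ds, BASE_DN, '(sAMAccountName=jdoe)', ['dn']); // placeholder filter
foreach (ldap_get_entries($ds, $res) as $entry) {
    if (is_array($entry)) {
        echo $entry['dn'], "\n";
    }
}
ldap_unbind($ds);
```

Pass `false` as the fourth argument to use StartTLS on port 389 where LDAPS is not enabled on the DCs; if the TLS handshake fails, the function stops before any credentials are sent.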


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Olivier Marie
Sent: Monday, April 18, 2005 2:56 PM
To: [email protected]
Subject: [ActiveDir] AD access "strong authentication required"

Hello everybody

I would like to add an entry in my AD (win 2003) from a RedHat/Apache/PHP server.

I was connecting with ldap_connect, using the admin user login and password.

Everything was ok, but some patches and a reboot were done by another person, and now it doesn't work:

- When I connect with the admin user login and password, I obtain "strong authentication required".

- but I can always connect from php to AD using anonymous connection (works great)

The admin user login and password have not been modified.

We are newbies on AD and we don't master win2003 administration…

Could you give us an idea to go further in our investigations?

Many thanks

Olivier
