Olivier,

In order to make the DC allow unsigned LDAP, the following settings should be configured in the GPO linked to the "Domain Controllers" OU (by default this is the "Default Domain Controllers Policy"):

- Domain controller: LDAP server signing requirements = None
- Network security: LDAP client signing requirements = Negotiate

(both located under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options). You might also need to reboot the DCs (I do not remember that part).

If you are really adventurous and want to keep those settings in production, you would want to at least minimize the impact by forcing all Windows hosts in your AD to sign LDAP traffic when acting as clients (querying the DCs). This would be done by setting, in a GPO linked at domain level (by default the "Default Domain Policy"):

- Network security: LDAP client signing requirements = Negotiate

This last setting is not required for your testing. If you eventually go the SSL route, you won't need it anyway.

To make sure you can search with simple binds, from the RH box try running something like:

    ldapsearch -h <dc_hostname> -x -D "cn=Administrator,dc=domain,dc=com" -W -b "cn=users,dc=domain,dc=com" "objectcategory=*" dn

  -b  search base
  -D  the DN of the account you are using to authenticate
  -x  use simple bind
  -h  the LDAP server host name
  -W  will prompt you for the password

HTH,
Guy

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Olivier Marie

Guy, you wrote:

> If you want to enable simple binds, set:
> - Domain controller: LDAP server signing requirements = None
> - Network security: LDAP client signing requirements = Negotiate
> Also set in the Default Domain GPO: Network security: LDAP client signing requirements = Negotiate (to make sure that all Windows clients do not try simple binds)

We find the first two settings but not the last ("Also set in Default Domain GPO"). We work on the French version of Windows 2003, and our knowledge of 2003 is very poor. Could you tell me how to set this? We can't find the right path for this...

Many thanks
Olivier

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Olivier Marie

Our AD isn't Windows 2000 upgraded to 2003 (it's a new one).

Sorry for my "but I can always connect from php to AD using anonymous connection (works great)"... Indeed, I can just bind to RootDSE. We will try to use SSL, but for our tests we will perhaps first try to modify the LDAP settings.

Many thanks for your answer, I will tell you whether we succeed or not!

Olivier

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Teverovsky, Guy

By default anonymous LDAP operations are disabled in W2K3 AD (you are only allowed to perform a base search on RootDSE).

First the warning: enabling anonymous LDAP operations and/or disabling LDAP signing weakens the security of your AD and opens some nasty holes that can be exploited by bad people.

The best option would be performing an LDAP over SSL bind to the DC if you have SSL enabled on the DCs. If not, then you can tackle the problem by:

1) If you do not want to send the passwords over the wire, you can allow anonymous binds/searches to a strictly defined set of attributes (assuming that those do not contain sensitive data). More details here: <shameless plug> http://www.petri.co.il/anonymous_ldap_operations_in_windows_2003_ad.htm </shameless plug>

2) If you still want to pull the data after successful authentication (you'll need to perform an authenticated simple bind from within the PHP code). There are 2 settings that control LDAP signing (both located under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options of the Default Domain Controllers GPO):

   a. Domain Controller: LDAP server signing requirement
   b. Network security: LDAP client signing requirement (default = undefined)

If you want to enable simple binds, set:

- Domain controller: LDAP server signing requirements = None
- Network security: LDAP client signing requirements = Negotiate

Also set in the Default Domain GPO: Network security: LDAP client signing requirements = Negotiate (to make sure that all Windows clients do not try simple binds).

Now this option is VERY nasty as you are opening a door to clear text passwords traveling across your network and letting anyone with a sniffer grab passwords from the wire. I would try to avoid this one at all cost.

Btw, regarding "but I can always connect from php to AD using anonymous connection (works great)"... Can you elaborate on this one? Can you actually query the AD, or can you only bind to RootDSE? Is this a W2K AD upgraded to W2K3?

Guy

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Olivier Marie

Hello everybody,

I would like to add an entry in my AD (Windows 2003) from a RedHat/Apache/PHP server. I was connecting with ldap_connect, using the admin user login and password. Everything was OK, but some patches and a reboot were done by another person, and now it doesn't work:

- When I connect with the admin user login and password, I obtain "strong authentication required".
- But I can always connect from php to AD using an anonymous connection (works great).

The admin user login and password have not been modified. We are newbies on AD and we don't master Windows 2003 administration... Could you give us an idea to go further in our investigations?

Many thanks
Olivier
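The probe below is an added example, not code from the thread or from Guy. It automates the ldapsearch check from Guy's last reply (above) across the three channels the thread talks about (a simple bind on plain LDAP, the same bind under StartTLS, and LDAP over SSL) and turns the exit status into the diagnosis Olivier needed: OpenLDAP's ldapsearch exits with the LDAP result code, so 8 (strongerAuthRequired) is the "strong authentication required" error a DC returns for a simple bind on an unprotected connection when "Domain controller: LDAP server signing requirements" is set to "Require signing", while 49 (invalidCredentials) means the channel is acceptable and the DN or password is wrong. The DC host name, bind DN and password file are placeholders supplied through the environment, and the TLS probes assume the DC's certificate chain is trusted through TLS_CACERT in ldap.conf.

```shell
#!/bin/sh
# Added example, not code from the original thread. Probes a domain controller
# from the Linux box the way Guy's ldapsearch test does, but over three channels,
# so that a signing policy can be told apart from a wrong password:
#   LDAP result 8  (strongerAuthRequired) = the DC rejects simple binds on an
#                  unprotected connection (server signing = Require signing)
#   LDAP result 49 (invalidCredentials)   = the policy is fine, the DN/password is not
# OpenLDAP's ldapsearch returns the LDAP result code as its exit status.
# Assumptions: OpenLDAP client tools are installed; DC, BIND_DN and PWFILE are
# placeholders supplied through the environment; the DC certificate chain is
# trusted via TLS_CACERT in ldap.conf for the StartTLS/LDAPS probes.

BIND_DN=${BIND_DN:-"cn=Administrator,dc=domain,dc=com"}
PWFILE=${PWFILE:-"$HOME/.ldap-probe-pw"}   # file holding the bind password, mode 0600

# explain_rc LABEL EXITCODE: one line of diagnosis for an ldapsearch exit status
explain_rc() {
    case $2 in
        0)   echo "$1: OK - simple bind accepted on this channel" ;;
        8)   echo "$1: strongerAuthRequired - DC demands signing or TLS for simple binds" ;;
        49)  echo "$1: invalidCredentials - channel is acceptable, check DN and password" ;;
        255) echo "$1: cannot contact the server (port closed, name resolution, TLS failure)" ;;
        *)   echo "$1: ldapsearch exit status $2" ;;
    esac
}

# probe_bind LABEL URI [extra ldapsearch options]: simple bind as BIND_DN and
# read RootDSE, which any authenticated user may do, so only the bind can fail.
probe_bind() {
    probe_label=$1
    probe_uri=$2
    shift 2
    probe_rc=0
    ldapsearch -LLL -x -H "$probe_uri" "$@" -D "$BIND_DN" -y "$PWFILE" \
        -b "" -s base "(objectClass=*)" currentTime >/dev/null 2>&1 || probe_rc=$?
    explain_rc "$probe_label" "$probe_rc"
}

# probe_all DC_HOSTNAME: the three channels a PHP or ldapsearch client can use
probe_all() {
    probe_bind "plain ldap://$1"    "ldap://$1"          # what the failing PHP bind does
    probe_bind "StartTLS ldap://$1" "ldap://$1" -ZZ      # -ZZ: StartTLS must succeed
    probe_bind "ldaps://$1:636"     "ldaps://$1:636"     # LDAP over SSL, Guy's preferred route
}

if [ -n "${DC:-}" ]; then
    [ -r "$PWFILE" ] || { echo "put the bind password in $PWFILE (chmod 600)" >&2; exit 2; }
    probe_all "$DC"
fi
```

Run it as `DC=dc1.domain.com BIND_DN="cn=Administrator,dc=domain,dc=com" PWFILE=~/.ldap-probe-pw sh probe-ldap.sh`. The pattern from this thread, "plain" reporting strongerAuthRequired while the ldaps probe reports OK, is exactly a DC whose server signing requirement was raised to "Require signing" (the patching Olivier mentions is a plausible cause); the application-side fix is an ldaps:// URL in ldap_connect, and the policy-side alternative is the GPO change Guy describes, with the risk he spells out. If the plain probe reports invalidCredentials instead, the signing policy is not the problem.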
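Guy's option 1 above (anonymous operations restricted to a defined set of attributes) is in practice a two-part change: flip the forest-wide switch that lifts the W2K3 block on anonymous operations, then grant ANONYMOUS LOGON read access on only the attributes you want exposed. The script below is an added example, not code from the thread or from the Petri article. It does the first part from the RH box with OpenLDAP's tools, relying on these facts: anonymous operations are governed by the dSHeuristics string on CN=Directory Service,CN=Windows NT,CN=Services,<configuration NC>; its 7th character set to 2 enables them for the whole forest; and once the string is 10 or more characters long its 10th character must be 1 (and its 20th must be 2 if it reaches 20). The set_heuristic_char helper keeps every other dSHeuristics setting intact and maintains those marker characters, which a plain overwrite would clobber. DC, ADMIN_DN and PWFILE are placeholders from the environment, the DC certificate chain is assumed trusted via TLS_CACERT in ldap.conf, and the ACL step on the DC is left as a comment.

```shell
#!/bin/sh
# Added example, not code from the thread or from Guy's article. Enables anonymous
# LDAP operations in a Windows 2003 forest from the Linux box (Guy's option 1),
# using OpenLDAP's ldapsearch/ldapmodify over LDAPS with an admin bind.
# This only lifts the LDAP-level block: what anonymous callers can actually read
# is still decided by ACLs granted to ANONYMOUS LOGON on the DC (not done here).
# Assumptions: DC, ADMIN_DN, PWFILE come from the environment; the DC certificate
# chain is trusted (TLS_CACERT in ldap.conf).

# replace_char STRING POS VALUE: STRING with its POS-th (1-based) character replaced
replace_char() {
    rc_str=$1; rc_pos=$2; rc_val=$3
    if [ "$rc_pos" -eq 1 ]; then
        rc_before=""
    else
        rc_before=$(printf '%s' "$rc_str" | cut -c1-$((rc_pos - 1)))
    fi
    rc_after=$(printf '%s' "$rc_str" | cut -c$((rc_pos + 1))-)
    printf '%s%s%s' "$rc_before" "$rc_val" "$rc_after"
}

# set_heuristic_char CURRENT POS VALUE: set one dSHeuristics position while
# keeping every other setting: pad with 0 (the "default" digit) up to POS and
# enforce the mandatory marker characters (10th = 1, 20th = 2) once the string
# is long enough to need them.
set_heuristic_char() {
    sh_cur=$1; sh_pos=$2; sh_val=$3
    while [ ${#sh_cur} -lt "$sh_pos" ]; do sh_cur="${sh_cur}0"; done
    sh_cur=$(replace_char "$sh_cur" "$sh_pos" "$sh_val")
    if [ ${#sh_cur} -ge 10 ]; then sh_cur=$(replace_char "$sh_cur" 10 1); fi
    if [ ${#sh_cur} -ge 20 ]; then sh_cur=$(replace_char "$sh_cur" 20 2); fi
    printf '%s' "$sh_cur"
}

# anon_ldif CONFIG_NC CURRENT: LDIF that sets character 7 to 2 (anonymous ops on)
anon_ldif() {
    printf 'dn: CN=Directory Service,CN=Windows NT,CN=Services,%s\n' "$1"
    printf 'changetype: modify\nreplace: dSHeuristics\ndSHeuristics: %s\n' \
        "$(set_heuristic_char "$2" 7 2)"
}

if [ -n "${DC:-}" ]; then
    ADMIN_DN=${ADMIN_DN:-"cn=Administrator,dc=domain,dc=com"}
    PWFILE=${PWFILE:-"$HOME/.ldap-probe-pw"}
    # RootDSE is readable anonymously even on a default W2K3 DC
    CONFIG_NC=$(ldapsearch -LLL -x -H "ldaps://$DC" -b "" -s base configurationNamingContext |
                sed -n 's/^configurationNamingContext: //p')
    DOMAIN_NC=$(ldapsearch -LLL -x -H "ldaps://$DC" -b "" -s base defaultNamingContext |
                sed -n 's/^defaultNamingContext: //p')
    DS_DN="CN=Directory Service,CN=Windows NT,CN=Services,$CONFIG_NC"
    CURRENT=$(ldapsearch -LLL -x -H "ldaps://$DC" -D "$ADMIN_DN" -y "$PWFILE" \
                -b "$DS_DN" -s base dSHeuristics | sed -n 's/^dSHeuristics: //p')
    echo "dSHeuristics now: '$CURRENT' -> proposed: '$(set_heuristic_char "$CURRENT" 7 2)'"
    # Apply only when explicitly asked: this is a forest-wide change on every DC.
    if [ "${APPLY:-no}" = yes ]; then
        anon_ldif "$CONFIG_NC" "$CURRENT" |
            ldapmodify -x -H "ldaps://$DC" -D "$ADMIN_DN" -y "$PWFILE"
    fi
    # Verify anonymously. Until ANONYMOUS LOGON is granted read on the chosen
    # attributes (dsacls on a DC), this returns nothing even with the switch on.
    ldapsearch -LLL -x -H "ldaps://$DC" -b "CN=Users,$DOMAIN_NC" -s sub \
        "(objectClass=user)" mail
fi
```

Use `DC=dc1.domain.com sh anon-ldap.sh` for a dry run that prints the current and proposed value, and add `APPLY=yes` to write it. Keep the attribute list you expose to ANONYMOUS LOGON short: the whole point of this route, as Guy notes, is avoiding passwords on the wire without turning the directory into a public phone book.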
