Joe,
I forgot to mention on the article (which I updated):
-----------------------------
I forgot to mention, I had thought to myself "Did I somehow enable anonymous
binds and forget?", since part of the design was to not allow anonymous. I
did check the config entry as outlined in the ADAM FAQ:
ADAM does not accept anonymous bind requests by default. To enable anonymous
LDAP operations in ADAM, you must set the seventh character of the
dsHeuristics value to 2.
This indeed was set to NOT allow anonymous binds, which, based on the wording,
I would assume means that anonymous binds would be rejected. In actuality,
an anonymous bind is a SUCCESS, but you can't enumerate the directory
structure from that point on. Perhaps the wording should be changed to
reflect this?
--------------------
----- Original Message -----
From: "Joe Kaplan" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Thursday, September 28, 2006 8:58 PM
Subject: Re: [ActiveDir] ADAM bind Redirection with a NULL password
It is a good article with good analysis. I do think it would be a useful
feature to have a bit to flip for simple bind to be forced to fail with
blank password, even though this would go against the RFC spec. I also
think it is interesting that since ADAM is actually doing some sort of
secure authentication to AD, this bind attempt does actually up the bad
pwd count and can result in user lockout.
Another scenario that is interesting with blank passwords is that
potentially an ADAM or AD user could have an actual blank password. It
then becomes very difficult to tell them apart from a bind attempt. I
remember Dmitri discussing this on the newsgroups a ways back, although as
I recall, he seemed to believe this was an inevitable consequence of the
spec.
Besides the DCR, I think all you can do is validate on the application
side (but you already knew that).
Joe K.
----- Original Message -----
From: "Jef Kazimer" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Thursday, September 28, 2006 7:53 PM
Subject: [ActiveDir] ADAM bind Redirection with a NULL password
Since there has been talk of LDAP "Authentication" as of late, I figured
I'd post my issue of poorly developed applications allowing a null
password to an ADAM instance using Bind Redirection.
http://jeftek.spaces.live.com/blog/cns!F2042DC08607EF2!710.entry
I'd be curious if a bit flip to shut down this possibility could be put
in control of the directory Admin, instead of relying on the developers.
Thanks,
Jef Kazimer
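Joe's point about validating on the application side, as an added example (not code from the thread or from ADAM): a wrapper that refuses to send a simple bind at all when the password is empty, and then confirms the bound identity with a whoami call so a "successful" anonymous bind is never mistaken for an authenticated one. The FakeAdam class is a constructed stand-in that mimics the behaviour Jef describes (DN plus empty password binds successfully as anonymous); with python-ldap, `conn.simple_bind_s` and `conn.whoami_s` would fill the two callables.

```python
from dataclasses import dataclass
from typing import Callable, Dict


class BindRejected(Exception):
    """Raised when the application refuses to send the bind to the directory."""


@dataclass
class BindOutcome:
    server_said_ok: bool   # what the LDAP server returned for the bind
    authz_id: str          # identity per whoami; "" means anonymous


def guarded_simple_bind(user_dn: str, password: str,
                        bind: Callable[[str, str], bool],
                        whoami: Callable[[], str]) -> BindOutcome:
    """Simple bind with the empty-password case handled before it hits the wire.

    RFC 4513 5.1.2 defines DN + empty password as an *unauthenticated* bind;
    as the thread notes, ADAM answers it with success, so the check has to be
    made here, in the application, not left to the server's result code.
    """
    if not user_dn.strip():
        raise BindRejected("empty DN")
    if password.strip() == "":
        raise BindRejected("empty password would be sent as an anonymous bind")
    if not bind(user_dn, password):
        return BindOutcome(server_said_ok=False, authz_id="")
    # Belt and braces: ask the server who it thinks we are after the bind.
    return BindOutcome(server_said_ok=True, authz_id=whoami())


def is_authenticated(outcome: BindOutcome) -> bool:
    """Only a successful bind that yielded a non-anonymous identity counts."""
    return outcome.server_said_ok and outcome.authz_id != ""


class FakeAdam:
    """Constructed stand-in for the directory behaviour described in the thread."""

    def __init__(self, accounts: Dict[str, str]) -> None:
        self._accounts = accounts   # dn -> password (test data only)
        self._bound_as = ""

    def bind(self, dn: str, password: str) -> bool:
        if password == "":          # anonymous bind: reported as success
            self._bound_as = ""
            return True
        if self._accounts.get(dn) == password:
            self._bound_as = dn
            return True
        return False

    def whoami(self) -> str:        # mirrors the LDAP "Who am I?" extended op
        return f"dn:{self._bound_as}" if self._bound_as else ""
```

Calling `FakeAdam.bind` directly with an empty password returns True, which is exactly the trap; the guarded wrapper raises before any request is sent.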
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx